Cyber criminals go spear phishing, harpoon executives

Security vendors set up nets to stop 'business email compromise,' or a BEC attack


The email sent to a Snapchat payroll employee on a Friday in February looked authentic enough. It appeared to be an urgent directive from the CEO of the social media company.

Eager to please the boss, the recipient provided what the email asked for—some payroll information of Snapchat’s current and former employees. It was a scam. Snapchat called the FBI and offered the affected employees two years of identity-theft insurance and monitoring.


“A number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry,” Snapchat was compelled to disclose in a blog posting.

Thus Snapchat joins the ranks of thousands of organizations hacked by a stunningly simple—yet devastatingly effective—form of spear phishing, referred to by the FBI as “business email compromise,” or BEC scams.

Unlike generalized phishing scams that are widely dispersed, or spear phishing attempts crafted to entice the intended victim into clicking on a viral attachment or to a malicious web page, BEC scams are 100 percent social engineering. They involve a one-off message sent to a specific employee at an opportune moment.


The attacker first goes through pains to construct a persuasive request for the recipient to willingly carry out an action, such as transferring funds into a “mule account” controlled by the criminals, or forwarding sensitive documents.

‘Whaling’ attacks surface

Also referred to as “whaling,” “human hacking” and “CEO fraud,” BEC scams pivot off abusing a trust relationship between two individuals, usually a superior and a subordinate. And because there is no viral attachment or malicious URL involved, there is precious little for traditional email filtering systems to detect.

BEC scammers hit the Asia Pacific region hard last year, particularly targeting companies in Australia and New Zealand, according to a recent report from security firm PhishLabs.

And in the United States, more than 7,000 U.S. companies have fallen victim to BEC scams since late 2013, when the FBI’s Internet Crime Complaint Center began tracking them. Total dollar losses have exceeded $740 million. That doesn’t include victims outside the U.S. and unreported losses.

The rise of BEC attacks is, in a way, a byproduct of the progress made in thwarting other types of viruses, malware and traditional phishing scams. “Cyber criminals have learned that not using malware is a great way of getting into organizations and enterprises because there’s nothing to signature,” says Orlando Scott-Cowley, cybersecurity strategist for Mimecast, an IT security firm that has developed a service—Impersonation Protect—to address the threat.

“There are numerous organizations here that have horror stories of losing millions of dollars,” Scott-Cowley says. “I think the largest single transfer we found was $10 million.”

Hackers do their homework

To make their email more credible, attackers may spend months studying target company executive bios, their LinkedIn accounts, Facebook pages, Twitter timelines and other public information. They then may assemble an organizational chart or a functional department list to ensure that scam emails are sent to the right people who are in a position to complete the requested task—say, someone in the finance or accounts payable team who has the sign-off authority on wire transfers.

Orlando Scott-Cowley, Mimecast cybersecurity strategist

“What they want to know is who’s the CEO, who are the senior finance managers in the organization, who’s HR, who’s IT,” Scott-Cowley says. “When they’re ready to strike, they will send an email that looks as though it has come from the CEO, generally, or the CFO.”

Such attacks also frequently target “smaller, more nimble organizations, where exceptions to standard accounting processes are more likely to be made based on personal requests from members of the executive team,” the PhishLabs report says.

Cyber criminals hone tactics

Having tasted early success, attackers are experimenting with new methods. The pretext of mergers or acquisitions is now more common, PhishLabs says. An email from the CEO or a senior executive tells a company accountant to wire funds needed to close an acquisition negotiation and demands confidentiality pending the deal announcement.

“Some of these M&A-themed BEC attacks make more use of faked pretext in the form of things like quoted conversations with lawyers,” PhishLabs’ report says.

Whereas attackers often relied on free cloud email services in recent years, they also are increasingly using paid webmail services from GoDaddy, it says.

Attackers also are more emboldened to carry on conversations across multiple messages, rather than the single messages more commonly found in the past.

Tips to avoid BEC scams

In a public service announcement, the FBI recommended several steps for preventing BEC attacks:

Companies should register all domains that are slightly different than the actual domain.

The vendor payment process should have two-factor authentication, including an additional person who’s authorized to sign off.

Fund transfer requests should be double-confirmed. If they’re confirmed by phone, only the known numbers should be used.

With global losses from BEC attacks soaring into the hundreds of millions of dollars and not yet showing any signs of easing, the good guys are responding. Several IT security vendors, including PhishLabs, Mimecast and email security vendor Agari, are moving aggressively to adapt their detection and filtering services to this emerging threat.

Putting up defenses

Last week, Agari introduced a new service, Enterprise Protect, designed to very precisely identify and halt emails carrying BEC scams into their customers’ networks. Agari does this by applying machine-learning analytics to large data sets showing daily email-sending patterns across the internet.

PhishLabs, meanwhile, has been working closely with law enforcement to help authorities identify mule accounts as part of BEC threat disruption operations.

Mimecast’s technology is designed to detect fraudulent emails that may look similar to the company domain—xyz_company.com vs. xyz-company.com, for example—and scours through other information about the fake domain, including when it was registered.

It also then mines the message content to detect trigger keywords—like “wire transfer.”

“I’ve yet to find a real business reason for a newly registered domain emailing you straight away,” Scott-Cowley says.
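The three signals described above (a sender domain that looks like the company's own, a domain registered only days ago, and trigger keywords in the message text) can be combined into a simple triage score. The Python below is an added example written for this article; it is not Mimecast's or Agari's code. The domain names, registration dates and sample messages are constructed, and the registration-date table stands in for a real WHOIS/RDAP lookup.

```python
"""Toy BEC triage: lookalike domain + newly registered domain + trigger keywords.

Added illustration of the heuristics described in the article; every domain,
date and message here is constructed, and REGISTRATION_DATES replaces the
WHOIS/RDAP query a real deployment would make.
"""
from dataclasses import dataclass, field
from datetime import date

OUR_DOMAIN = "xyz-company.com"          # constructed: the protected organization

# Constructed registration dates (stand-in for a WHOIS/RDAP lookup).
REGISTRATION_DATES = {
    "xyz-company.com": date(2005, 3, 14),
    "xyz_company.com": date(2016, 2, 22),    # underscore for hyphen, days old
    "xyz-cornpany.com": date(2016, 2, 25),   # "rn" imitating "m", days old
    "supplier-example.net": date(2011, 7, 1),
}

TRIGGER_KEYWORDS = ("wire transfer", "payroll", "w-2",
                    "confidential", "acquisition", "urgent")
NEW_DOMAIN_DAYS = 30     # younger than this counts as "newly registered"
FLAG_THRESHOLD = 3       # lookalike alone (3 points) is enough to flag


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def normalize(domain: str) -> str:
    """Collapse common visual substitutions so lookalikes compare equal."""
    return (domain.replace("_", "-").replace("rn", "m")
                  .replace("0", "o").replace("1", "l"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = OUR_DOMAIN) -> bool:
    """True if `domain` imitates `legit` without being identical to it."""
    if domain == legit:
        return False
    return normalize(domain) == normalize(legit) or levenshtein(domain, legit) <= 2


def domain_age_days(domain: str, today: date):
    """Age in days from the (constructed) registration table, or None if unknown."""
    registered = REGISTRATION_DATES.get(domain)
    return None if registered is None else (today - registered).days


def triage(sender: str, subject: str, body: str, today: date) -> Verdict:
    """Score one message: +3 lookalike domain, +2 newly registered, +1 per keyword."""
    v = Verdict()
    domain = sender_domain(sender)
    if is_lookalike(domain):
        v.score += 3
        v.reasons.append(f"lookalike domain {domain} ~ {OUR_DOMAIN}")
    age = domain_age_days(domain, today)
    if age is not None and age < NEW_DOMAIN_DAYS:
        v.score += 2
        v.reasons.append(f"domain registered {age} days ago")
    text = f"{subject}\n{body}".lower()
    for kw in TRIGGER_KEYWORDS:
        if kw in text:
            v.score += 1
            v.reasons.append(f"keyword '{kw}'")
    return v


# Constructed sample messages: (sender, subject, body).
SAMPLE_MESSAGES = [
    ("ceo@xyz_company.com", "Urgent: wire transfer for acquisition",
     "Keep this confidential until the deal is announced."),
    ("cfo@xyz-company.com", "Quarterly payroll review",
     "Please send the payroll summary by Friday."),
    ("billing@supplier-example.net", "Invoice 4471",
     "Attached is our invoice for February."),
    ("ceo@xyz-cornpany.com", "Quick favour",
     "Are you at your desk? I need something handled today."),
]


def triage_all(today: date) -> list:
    """Run triage over the constructed samples in order."""
    return [triage(s, subj, body, today) for s, subj, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (sender, subject, _), v in zip(SAMPLE_MESSAGES, triage_all(date(2016, 3, 1))):
        print(f"{'FLAG' if v.flagged else 'ok  '} {v.score:>2} {sender:<30} {subject}")
        for r in v.reasons:
            print(f"         - {r}")
```

Note that the fourth sample is flagged on the sender domain alone: no trigger words appear, which is why the lookalike check and the registration age carry more weight than keywords in this scoring, matching the article's observation that there is little for content filtering to key on in these messages.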
