Cyber criminals go spear phishing, harpoon executives

Security vendors set up nets to stop 'business email compromise,' or a BEC attack


The email sent to a Snapchat payroll employee on a Friday in February looked authentic enough. It appeared to be an urgent directive from the CEO of the social media company.

Eager to please the boss, the recipient provided what the email asked for—some payroll information of Snapchat’s current and former employees. It was a scam. Snapchat called the FBI and offered the affected employees two years of identity-theft insurance and monitoring.


“A number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry,” Snapchat was compelled to disclose in a blog posting.

Thus Snapchat joins the ranks of thousands of organizations hacked by a stunningly simple—yet devastatingly effective—form of spear phishing, referred to by the FBI as “business email compromise,” or BEC scams.

Unlike generalized phishing scams that are widely dispersed, or spear phishing attempts crafted to entice the intended victim into opening a viral attachment or clicking through to a malicious web page, BEC scams are 100 percent social engineering. They involve a one-off message sent to a specific employee at an opportune moment.


The attacker first takes pains to construct a persuasive request for the recipient to willingly carry out an action, such as transferring funds into a “mule account” controlled by the criminals, or forwarding sensitive documents.

‘Whaling’ attacks surface

Also referred to as “whaling,” “human hacking” and “CEO fraud,” BEC scams pivot off abusing a trust relationship between two individuals, usually a superior and a subordinate. And because there is no viral attachment or malicious URL involved, there is precious little for traditional email filtering systems to detect.

BEC scammers hit the Asia Pacific region hard last year, particularly targeting companies in Australia and New Zealand, according to a recent report from security firm PhishLabs.

In the United States, more than 7,000 companies have fallen victim to BEC scams since late 2013, when the FBI’s Internet Crime Complaint Center began tracking them. Total dollar losses have exceeded $740 million. That doesn’t include victims outside the U.S. and unreported losses.

The rise of BEC attacks is, in a way, a byproduct of the progress made in thwarting other types of viruses, malware and traditional phishing scams. “Cyber criminals have learned that not using malware is a great way of getting into organizations and enterprises because there’s nothing to signature,” says Orlando Scott-Cowley, cybersecurity strategist for Mimecast, an IT security firm that has developed a service—Impersonation Protect—to address the threat.

“There are numerous organizations here that have horror stories of losing millions of dollars,” Scott-Cowley says. “I think the largest single transfer we found was $10 million.”

Hackers do their homework

To make their email more credible, attackers may spend months studying target company executive bios, their LinkedIn accounts, Facebook pages, Twitter timelines and other public information. They then may assemble an organizational chart or a functional department list to ensure that scam emails are sent to the right people who are in a position to complete the requested task—say, someone in the finance or accounts payable team who has the sign-off authority on wire transfers.

Orlando Scott-Cowley, Mimecast cybersecurity strategist

“What they want to know is who’s the CEO, who are the senior finance managers in the organization, who’s HR, who’s IT,” Scott-Cowley says. “When they’re ready to strike, they will send an email that looks as though it has come from the CEO, generally, or the CFO.”

Such attacks also frequently target “smaller, more nimble organizations, where exceptions to standard accounting processes are more likely to be made based on personal requests from members of the executive team,” the PhishLabs report says.

Cyber criminals hone tactics

Having tasted early success, attackers are experimenting with new methods. The pretext of mergers or acquisitions is now more common, PhishLabs says. An email from the CEO or a senior executive tells a company accountant to wire funds needed to close an acquisition negotiation and demands confidentiality pending the deal announcement.

“Some of these M&A-themed BEC attacks make more use of faked pretext in the form of things like quoted conversations with lawyers,” PhishLabs’ report says.

Whereas attackers often relied on free cloud email services in recent years, they also are increasingly using paid webmail services from GoDaddy, it says.

Attackers are also more emboldened to carry on conversations across multiple messages, rather than the single messages more commonly seen in the past.

Tips to avoid BEC scams

In a public service announcement, the FBI recommended several steps for preventing BEC attacks:

Companies should register all domains that are slightly different than the actual domain.

The vendor payment process should have two-factor authentication, including an additional person who’s authorized to sign off.

Fund transfer requests should be double-confirmed. If they’re confirmed by phone, only the known numbers should be used.

With global losses from BEC attacks soaring into the hundreds of millions of dollars and not yet showing any signs of easing, the good guys are responding. Several IT security vendors, including PhishLabs, Mimecast and email security vendor Agari, are moving aggressively to adapt their detection and filtering services to this emerging threat.

Putting up defenses

Last week, Agari introduced a new service, Enterprise Protect, designed to very precisely identify and halt emails carrying BEC scams into their customers’ networks. Agari does this by applying machine-learning analytics to large data sets showing daily email-sending patterns across the internet.

PhishLabs, meanwhile, has been working closely with law enforcement to help authorities identify mule accounts as part of BEC threat disruption operations.

Mimecast’s technology is designed to detect fraudulent emails sent from domains that look similar to the company domain—xyz_company.com vs. xyz-company.com, for example—and scours other information about the fake domain, including when it was registered.

It also then mines the message content to detect trigger keywords—like “wire transfer.”

“I’ve yet to find a real business reason for a newly registered domain emailing you straight away,” Scott-Cowley says.
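The three checks described above (a sender domain that nearly matches the company's, a recent registration date, and trigger keywords in the body) can be combined as in the following sketch. It is an added example, not Mimecast's code; the edit-distance cutoff, the 30-day threshold and the registration-date table are assumptions, and the sample messages are constructed.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "xyz-company.com"   # the article's example of the real domain
KEYWORDS = ("wire transfer",)        # trigger keyword quoted in the article
NEW_DOMAIN_DAYS = 30                 # assumed cutoff for "newly registered"
MAX_EDITS = 2                        # assumed cutoff for "looks similar"

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_signals(raw_message, registered_on, today):
    """Return the list of BEC warning signs found in one plain-text message.

    registered_on maps a domain to its registration date; in practice that
    would come from a WHOIS/RDAP lookup (assumed, supplied here as a dict).
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = str(msg.get_payload()).lower()
    signals = []
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= MAX_EDITS:
        signals.append("lookalike-domain")
    reg = registered_on.get(domain)
    if reg is not None and (today - reg).days < NEW_DOMAIN_DAYS:
        signals.append("newly-registered")
    if any(k in body for k in KEYWORDS):
        signals.append("trigger-keyword")
    return signals

# Constructed sample data (not real messages or registration records).
TODAY = date(2016, 3, 10)
REGISTERED = {"xyz_company.com": date(2016, 3, 8), "supplier.example": date(2009, 5, 1)}
SPOOF = ("From: The CEO <ceo@xyz_company.com>\nSubject: Urgent\n\n"
         "Please send a wire transfer today and keep this confidential.\n")
VENDOR = ("From: Billing <billing@supplier.example>\nSubject: Invoice\n\n"
          "Payment by wire transfer or check is accepted.\n")

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF), ("vendor", VENDOR)):
        print(name, bec_signals(raw, REGISTERED, TODAY))
```

The keyword alone also fires on the ordinary vendor invoice, which is why it is only useful in combination with the domain signals.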
