SoS Musings #74 - Cybercriminals Ramping Up Business Email Compromise (BEC) Attacks


BEC attacks are one of today's most effective and costly types of phishing. According to the Federal Bureau of Investigation (FBI), Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most economically destructive online offenses, taking advantage of the fact that so many people rely on email to conduct personal and professional affairs. In this type of cybercrime, attackers send an email that appears to originate from a reputable source and make a request that appears legitimate. The firm Abnormal Security revealed that BEC attacks increased by 81 percent in 2022 and by 175 percent over the past two years, but 98 percent of employees failed to report the threat. The H1 2023 Email Threat Report highlights that during the second half of 2022, the median open rate for text-based BEC emails reached 28 percent, with 15 percent of employees responding to the malicious content, a consequence of the significant increase in BEC attacks. In regard to email attacks, human risk cannot be disregarded, as attackers are creating or adopting new social engineering techniques to convince employees to open malicious emails and reveal sensitive information, such as login credentials and bank account information. According to a report from the cloud email security platform IRONSCALES, more than 93 percent of organizations have encountered one or more types of BEC attacks, with 62 percent encountering three or more attack variants. In addition, 43.3 percent of respondents from major organizations expect an increase in BEC attacks. The report also reveals that finance employees and C-level executives are the two groups most commonly targeted by BEC attacks. About half of all groups report daily, weekly, or monthly BEC attacks. Armorblox pointed out that with tools such as the Artificial Intelligence (AI)-driven chatbot ChatGPT, the total number of BEC emails flooding user mailboxes within organizations will increase significantly in 2023.

BEC continues to evolve, targeting local small businesses, large organizations, and personal transactions. Between July 2019 and December 2021, global BEC scam losses increased by 65 percent. The number, which corresponds to a potential $43 billion in losses, is based on financial data reported to the FBI's IC3 and includes dollars that were actually lost and dollars from BEC attempts. This increase can be partially attributed to the restrictions imposed on normal business practices during the COVID-19 pandemic, which led to an increase in the number of workplaces and individuals conducting routine business online. Between December 2021 and December 2022, identified global exposed losses increased by 17 percent. Researchers at Abnormal Security identified two groups using executive impersonation to carry out BEC attacks in at least 13 different languages. Although attacking targets in multiple regions and using multiple languages are not new tactics, in the past these operations were typically performed by sophisticated groups with large budgets and resources. Due to the rise of automated translation tools such as Google Translate, threat actors can translate emails into any language they need with greater ease. Abnormal Security discovered two groups: Midnight Hedgehog, which engages in payment fraud, and Mandarin Capybara, a group that conducts payroll diversion attacks. The two groups launched BEC attack campaigns in Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish. Microsoft recently brought further attention to the rapid adoption of platforms such as BulletProftLink, highlighting that the tools are widely used to conduct highly sophisticated BEC attacks. These platforms provide cybercriminals with a toolkit for performing BEC attacks, including email templates that appear legitimate, hosting, and automated attack launch services. According to Microsoft's report, Cybercrime-as-a-Service (CaaS) platforms like BulletProftLink and others in this class provide new avenues for the underground industry to effectively monetize cybercrime.
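As an added illustration, not code from the article or from any vendor it cites, the following Python heuristic flags the executive-impersonation pattern the two paragraphs above describe: a known executive's display name on a non-corporate address, a Reply-To that diverges from From, a lookalike sender domain, and payment or payroll language. The organization domain, executive roster and sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed example data (assumed, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
PAYMENT_TERMS = ("wire", "payment", "urgent", "payroll", "direct deposit", "gift card")

def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return a list of BEC indicators found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.partition("@")[2]
    _, reply = parseaddr(msg.get("Reply-To", ""))
    findings = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr != real_mailbox:
        findings.append("executive display name on non-corporate address")
    if from_domain != ORG_DOMAIN and 0 < _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
    if reply and reply.lower() != addr:
        findings.append("reply-to differs from sender")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment/payroll language")
    return findings

# Constructed sample messages: one impersonation attempt, one benign note.
SPOOFED = ('From: "Jane Doe" <ceo.janedoe@webmail-host.test>\r\n'
           'Reply-To: "Jane Doe" <jdoe.private@mailhost.test>\r\n'
           'To: finance@example.com\r\nSubject: Quick request\r\n\r\n'
           'Are you at your desk? I need an urgent wire sent before noon.\r\n')
LOOKALIKE = 'From: Accounts Payable <ap@examp1e.com>\r\nTo: ap@example.com\r\n\r\nSee attached.\r\n'
BENIGN = 'From: "Jane Doe" <jane.doe@example.com>\r\nTo: staff@example.com\r\n\r\nAgenda attached.\r\n'
```

Such a scorer is a triage aid for the SOC, not a verdict: a hit on several indicators at once is what should route the message for review or to a reporting workflow.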

Research efforts have been made to bring further attention to and combat BEC attacks. For example, a paper written by Shadrack Awah Buo, a researcher at Bournemouth University, titled "An Application of Cyberpsychology in Business Email Compromise (BEC)" presents an analysis of the psychological and sociotechnical effects of BEC on the organization and its employees, as well as potential risk mitigation strategies and recommendations for preventing future BEC attacks. Instead of focusing on programs that do not guarantee full compliance, Buo proposes that BEC attack mitigation efforts shift attention to altering employee behavior patterns. Buo adds that changing employee behavior requires more than merely educating them about reactive and risky behaviors: employees must understand the information and be motivated to apply it in their daily work. It is essential to identify employee behavioral patterns, such as impulsiveness. According to the paper, there are two ways to alter a person's behavior: "changing what people consciously think or shaping behavior from automatic processes of judgment and influence without changing their thinking." Buo talks about applying the Easy, Attractive, Social and Timely (EAST) framework, which reflects the second behavior-changing method. The EAST framework is based on Nudge theory, which emphasizes the use of positive reinforcements to affect behavior. The framework can be used to improve employee behavior by increasing awareness and the reporting of suspicious emails. The "Easy" component of the framework can be practiced by providing employees with frequent reminders about BEC attacks and examples of fraudulent emails, so they know what to look for. For instance, when the CFO logs into their email account, they should be reminded to remain on the lookout for fraudulent emails. This step is not intended to turn employees into experts, but rather to help them remain alert and avoid phishing emails.

In the fight against BEC attacks, technical defenses have also entered the ring. Last year, Microsoft announced automatic attack disruption capabilities for Microsoft 365 Defender, its enterprise defense product. Earlier this year, it was announced that these capabilities will now help organizations thwart common attack scenarios, one of which is BEC. Automatic attack disruption in Microsoft 365 Defender aims to contain ongoing attacks by automatically disabling or restricting devices and user accounts involved in an attack. Disabling the credentials available to the attacker and their ability to use devices communicating over the network limits the attacker's ability to further impact assets and gives Security Operations Center (SOC) teams additional time to remediate attacks. Unlike traditional protection methods such as prevention and blocking based on a single Indicator of Compromise (IOC), automatic attack disruption in Microsoft 365 Defender acts at the incident level and considers the entire attack. The capability helps detect BEC attacks and remove the attacker's access to the environment by disabling the compromised account, restricting the attacker's ability to send fraudulent emails, and preventing money transfers and financial losses.

BEC attacks present an ongoing challenge for businesses, as increasingly sophisticated methods inflict major financial losses. In order to prevent such attacks, technological solutions and human-centered approaches must be further explored and implemented. 
