The Business Email Compromise (BEC) Surge
Business email fraud is on the rise: the Federal Bureau of Investigation (FBI) recorded over 21,000 complaints in 2022, with adjusted losses exceeding $2.7 billion. Microsoft has also observed a shift in the tactics of threat actors who specialise in business email compromise (BEC): they are now routing their sign-ins through residential internet protocol (IP) addresses so that their activity appears to originate locally, close to the victim.
The approach gives criminals a further way to profit from Cybercrime-as-a-Service (CaaS), and it has drawn the attention of federal law enforcement because it defeats "impossible travel" alerts, a standard control used to identify and block suspicious sign-ins and other anomalous account activity. That makes the tactic a significant concern for defenders.
Cybercriminal activity around BEC is accelerating
Cybercriminal activity related to business email compromise (BEC) is on the rise, and Microsoft has identified a notable trend in the tooling attackers use. They are increasingly turning to platforms like BulletProftLink, a well-known service for orchestrating large-scale malicious email campaigns, which offers templates, hosting, and automation for BEC. Subscribers to this Cybercrime-as-a-Service (CaaS) also gain access to victims’ credentials and IP addresses.
In a further twist, BEC threat actors buy IP addresses from residential IP services that match the geographical location of their victims and use them as residential IP proxies. Routed through that localised address space and combined with stolen usernames and passwords, the attackers’ sign-ins look like local ones: the true origin is concealed, impossible travel flags are not triggered, and the actor gains a foothold for further malicious activity. Microsoft has observed that threat actors in Asia and an Eastern European nation are the most frequent users of this tactic.
Impossible travel is a detection method used to signal a possible account compromise: an alert fires when the same account is used from two locations within a window too short for anyone to have travelled between them.
The specialisation and consolidation of this cybercrime sector may intensify the use of residential IP addresses as a means of evading detection. At scale, residential IP addresses tied to specific locations let cybercriminals harvest compromised credentials and access accounts in volume without tripping location-based alerts. Threat actors are abusing IP/proxy services, which are marketed to marketers and researchers, to amplify their attacks; one provider advertises a pool of 100 million IP addresses that can be rotated rapidly.
While some threat actors use phishing-as-a-service offerings like Evil Proxy, Naked Pages, and Caffeine to run phishing campaigns and collect compromised credentials, BulletProftLink takes a more sophisticated approach. It uses a decentralised gateway design that hosts phishing and BEC sites on Internet Computer public blockchain nodes, which complicates identification and takedown. Removing a phishing link addresses only part of the problem: the content itself remains reachable, and criminals simply create new links to the existing CaaS content.
Successful BEC attacks inflict significant financial damage on organisations, costing them hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team initiated the Financial Fraud Kill Chain in response to 2,838 BEC complaints involving domestic transactions, with potential losses exceeding $590 million.
Beyond the immediate financial ramifications, BEC attacks can lead to broader long-term consequences. These may include identity theft if personally identifiable information (PII) is compromised or the loss of confidential data if sensitive communications or intellectual property are exposed in malicious email and message traffic.
Who are the top targets for BEC?
Certain individuals are especially coveted targets for BEC. This includes top-tier executives, senior leaders, finance managers, and human resources staff who have access to sensitive employee records, such as Social Security numbers and tax statements, containing personally identifiable information (PII). Additionally, new employees, who may be less inclined to verify unfamiliar email requests, are frequently singled out as targets. It’s worth noting that BEC attacks, in all their various forms, are on the rise.
BEC attacks distinguish themselves in the cybercrime landscape through their heavy reliance on social engineering and the craft of deception. Instead of exploiting vulnerabilities in unpatched devices, BEC operators leverage the vast volume of daily email traffic and other forms of communication to entice victims into divulging financial information or unwittingly engaging in actions like transferring funds to money mule accounts, which facilitate fraudulent money transfers.
Unlike the noisy and disruptive nature of ransomware attacks, where extortion messages are prominently displayed, BEC operators employ a quieter, more subtle confidence game. They employ fabricated deadlines and a sense of urgency to prompt recipients, who may be distracted or accustomed to such urgent requests, to comply. Rather than focusing on novel malware, BEC adversaries adapt their tactics to enhance the scale, plausibility, and success rate of their malicious messages.
Residential IP addresses have already featured in high-profile attacks, and Microsoft and law enforcement agencies share the concern that the tactic could spread rapidly. If it does, traditional alarm and notification systems will struggle to detect malicious activity reliably.
Variations in sign-in location are not inherently malicious. A user may be working in a business application on a laptop over local Wi-Fi while also signed in to the same apps on a smartphone over a cellular network, which geolocates differently. For this reason, organisations can tune their “impossible travel” thresholds (how far apart two sign-ins must be, and how fast the implied travel must be before it counts as impossible) to their own risk tolerance. The industrial-scale use of localised IP addresses in BEC attacks nevertheless introduces a new risk: adaptive BEC actors and other threat actors are increasingly routing malicious activity through address space close to their intended targets, precisely so that it falls below those thresholds.
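As an added illustration (not code from the original article or from Microsoft’s report), the following Python script implements the impossible travel check described above over a handful of constructed sign-in events. The coordinates are approximate, the IP addresses come from documentation ranges, and the two thresholds (minimum distance to consider, maximum plausible speed) are the tuning knobs the text refers to. The sample deliberately includes the benign laptop-plus-phone case, a genuine London-to-Tokyo-in-thirty-minutes compromise, and a stolen-credential sign-in routed through a residential proxy in the victim’s own city, which the check cannot see.

```python
"""Impossible-travel check over sign-in events (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime      # assumed to be UTC
    ip: str
    lat: float
    lon: float
    note: str = ""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive sign-ins by one user that imply travel faster than
    max_speed_kmh (roughly airliner speed). Pairs closer than min_distance_km
    are ignored so that a laptop on office Wi-Fi and a phone on cellular in the
    same city (different IPs, slightly different geolocation) do not alert."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if dist < min_distance_km:
                continue  # same-city noise, not worth an alert
            hours = (later.ts - earlier.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": earlier.ip,
                    "to_ip": later.ip,
                    "distance_km": round(dist),
                    "speed_kmh": round(speed),
                })
    return alerts


def _t(hour, minute):
    return datetime(2024, 5, 6, hour, minute)


# Constructed sample sign-ins; coordinates are approximate city centres.
SAMPLE_SIGNINS = [
    SignIn("alice", _t(9, 0), "203.0.113.10", 51.51, -0.13, "London office Wi-Fi"),
    SignIn("alice", _t(9, 5), "198.51.100.7", 51.52, -0.10, "London, phone on cellular"),
    SignIn("alice", _t(9, 35), "192.0.2.44", 35.68, 139.69, "Tokyo, 30 minutes later"),
    SignIn("bob", _t(10, 0), "203.0.113.20", 53.48, -2.24, "Manchester home broadband"),
    SignIn("bob", _t(10, 20), "203.0.113.77", 53.47, -2.25,
           "stolen credentials via a Manchester residential proxy: not flagged"),
]


def demo_alerts():
    """Run the check with default thresholds over the constructed sample."""
    return impossible_travel(SAMPLE_SIGNINS)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

Only Alice’s London-to-Tokyo pair is flagged. Bob’s second sign-in comes from a different IP address and a different (stolen) session, but because the residential proxy sits a couple of kilometres from his home it passes on both distance and speed; that is exactly the blind spot the article describes, and why the check needs to be paired with other signals such as MFA outcomes, device registration, and unfamiliar-IP or ASN reputation.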
How to protect yourself from BEC
While threat actors have developed specialised tools to facilitate Business Email Compromise (BEC), including phishing kits and meticulously curated lists of verified email addresses targeting roles like C-Suite leaders and accounts payable leads, enterprises have the means to proactively counter these threats and reduce their risk exposure.
One effective countermeasure is a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy set to REJECT. This is the strongest setting against spoofing of your own domain: a receiving mail server that enforces DMARC rejects messages that fail SPF/DKIM alignment before they reach the recipient’s Inbox. Be clear about its scope, though. DMARC protects only the exact domains you publish it for, and only where the receiver enforces it; it does not stop lookalike domains, free webmail senders, or messages sent from a legitimate mailbox the attacker has already compromised, which is how many BEC attempts arrive. DMARC aggregate reports also give organisations visibility into who is forging their domain, information that would otherwise remain hidden.
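To make the "set to REJECT" advice checkable, here is an added Python example (not part of the original article) that parses a DMARC TXT record and reports why it is weaker than a full reject deployment: monitor-only or quarantine policies, a pct= sampling rate below 100, a weaker explicit subdomain policy (sp=), and a missing rua= reporting address. The sample records are constructed; the domain names are placeholders.

```python
"""Assess whether a DMARC record enforces (p=reject) or only monitors (added example)."""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.
    Tag names are lower-cased; values are kept as written."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple:
    """Return (effective_policy, findings).

    effective_policy is "reject", "quarantine", "none" or "invalid"; findings
    lists the reasons the record falls short of a full p=reject deployment."""
    tags = parse_dmarc(record)
    findings = []

    # RFC 7489: v=DMARC1 must be the first tag and p= is required.
    if not record.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["not a DMARC1 record (missing or misplaced v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unrecognised p= tag"]

    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")

    # pct defaults to 100; anything lower applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # sp defaults to p; an explicit weaker sp leaves subdomains spoofable.
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    sub_policy = tags.get("sp", policy).lower()
    if rank.get(sub_policy, 0) < rank[policy]:
        findings.append(f"sp={sub_policy}: subdomains are weaker than the organisational domain")

    # rua is where aggregate reports go; without it you lose visibility into forgeries.
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is forging your domain")

    return policy, findings


# Constructed sample records, from weakest to strongest.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-quarantine": "v=DMARC1; p=quarantine; pct=25",
    "reject-weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-rua@example.com",
    "full-reject": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com",
}


def demo():
    """Assess every sample record; returns {label: (policy, findings)}."""
    return {label: assess_dmarc(rec) for label, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for label, (policy, findings) in demo().items():
        print(f"{label}: p={policy}")
        for f in findings:
            print(f"  - {f}")
```

Fetch your own record with `dig +short TXT _dmarc.example.com` and feed the string to assess_dmarc. The script judges only the published record; whether a given message actually fails DMARC also depends on SPF and DKIM alignment for that message, which it does not evaluate.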
Despite organisations having spent some years adapting to fully remote or hybrid workforces, it remains essential to re-evaluate security awareness in this evolving hybrid work era. The proliferation of vendor and contractor interactions, resulting in a higher volume of first-seen emails, necessitates a heightened awareness of what these shifts in work patterns and communications entail for an organisation’s attack surface.
BEC attempts by threat actors can manifest in various forms, encompassing phone calls, text messages, emails, and even social media messages. The impersonation of individuals and companies, along with the spoofing of authentication request messages, are prevalent tactics employed in such schemes.
One of the first defensive steps organisations should take is to strengthen policies in departments such as accounting, internal controls, payroll, and human resources. These policies should set out how to handle any request or notification about a change to payment instruments, bank details, or wire transfers. By scrutinising and flagging requests that deviate from established policy, and by verifying them through known-good channels and contacts rather than details supplied in the request itself, organisations can avoid significant financial losses.
BEC attacks serve as a compelling example of why cyber risk should be addressed as a cross-functional concern. Key stakeholders, including executives, leaders, finance personnel, human resource managers, and anyone with access to sensitive employee data such as Social Security numbers, tax statements, contact information, and schedules, should collaborate alongside IT, compliance, and cyber risk officers. This collaborative approach ensures a comprehensive and coordinated response to the multifaceted challenges posed by cyber threats like BEC.
Top Tips for Defending Against BEC Attacks
- Optimise security settings protecting your Inbox
- Configure mail systems to flag messages from external parties and to warn when a sender cannot be verified. Block senders whose identity you cannot independently confirm, and report their messages as phishing or spam from within the mail client.
- Set up robust authentication
- Make email harder to compromise by turning on multifactor authentication (MFA), which requires a second factor such as a code, PIN, or fingerprint in addition to the password. MFA-enabled accounts resist compromised credentials and brute-force login attempts regardless of the address space an attacker uses. Note, however, that some phishing-as-a-service kits, such as the Evil Proxy kit mentioned above, act as adversary-in-the-middle proxies that relay one-time codes and steal the resulting session token, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys where possible.
- Educate employees to spot warning signs
- Train staff to spot fraudulent and other malicious emails, for example a display name that does not match the sender’s actual address or domain, and make sure they understand the risk and cost of a successful BEC attack.
- Use a secure e-mail solution
- Today’s email cloud platforms use AI capabilities like machine learning to enhance defences, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralised management of security policies.
- Secure identities to prohibit lateral movement
- Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.
- Adopt a secure payment platform
- Consider switching from emailed invoices to a system specifically designed to authenticate payments.
- Hit pause and use a phone call to verify financial transactions
- A quick phone call to confirm a request is legitimate is well worth the time compared with a hasty reply or click that could lead to theft. Establish policies reminding employees to contact the organisation or individual directly, using known contact details and never the details supplied in a suspect message, to double-check financial and other sensitive requests.
Do you feel exposed by the content of the above article? If so, please give Fusion a call and we will be happy to advise on and implement solutions that provide peace of mind.