Customer Story: How SOCRadar Stopped a BEC Attack on Track?

“Hello Alice,

ABC company is one of our new business partners. The invoice attached needs to be taken care of today. This is high priority.

Regards, 

Bob, 

CFO, XYZ”

This email could be perfectly normal and innocent in most cases, but it could also mean Bob’s account is compromised, and Alice was targeted by a Business Email Compromise (BEC) attack. 

In the BEC attack, threat actors aim to trick and persuade employees of the victim company to take a specific action, such as making a wire transfer, providing funds to pay for an allegedly new project, or providing confidential information.

To make this type of attack work, hackers compromise corporate email accounts or create new accounts almost identical to the legitimate ones. Then attackers impersonate the owners of the email accounts and send messages to the victims. Common themes in these messages are a sense of urgency and importance since the criminals often impersonate high-level directors or executives, such as CEOs and CFOs.

Almost anyone could fall victim to these attacks. For example, at some point, Facebook, Google, Toyota, Ubiquiti Networks, the Government of Puerto Rico, and the City of Saskatoon were all victims of BEC attacks. According to FBI Internet Crime Report 2022, the Internet Crime Complaint Center received almost 22,000 BEC complaints with adjusted losses of over $2.7 billion.

In the case we will discuss here, we will see how SOCRadar stopped a BEC attack before it even started. 

One of the things SOCRadar does perfectly is constantly scanning and monitoring of open internet for your brand and for the keywords our clients provide. We found a URL with our client’s brand name in one of these scans. 

Further investigation made us realize that this is a fake landing page for the Microsoft Outlook email page for a spear phishing attempt. Our analysts realized the targeted person should be a C-level executive. However, our customer’s list of VIP protection was not very extensive and not up-to-date. VIP protection is one SOCRadar’s services to provide extra protection to high-level directors or executives and warn them if their name or any kind of PII is detected on the open or dark web.

If we get back to our case, our analysts found out that the target was the CFO of the client. Our analyst team and Technical Account Manager contacted the client’s security team, reported the findings, and warned the customer against spear phishing and BEC attack attempts. Of course, we also took action to takedown the fake landing page.

BEC Attacks Cost About $150K

Business Email Compromise attacks refer to fraudulent schemes that exploit business email systems to gain unauthorized access to a company’s internal systems. This type of cybercrime can be classified as a form of phishing, in which an attacker attempts to trick an employee into divulging confidential information or initiating financial transactions that result in theft. These scams use various tactics to breach email accounts and can cause significant financial losses, particularly by targeting high-level executives and employees. On average, firms worldwide have suffered financial damages of around $140,000 due to BEC attacks.

The pandemic has brought about radical changes in business models. Alongside digital transformation, the increased efficiency and profitability have also altered the landscape of potential threats that organizations may face. Today, with over 60% of businesses worldwide adopting remote or hybrid work models, most internal and external communications rely on the trust relationship of digital channels, particularly corporate email addresses.

Business Email Compromise (BEC) attacks exploit this trust relationship, allowing attackers to gain financial benefits or initiate malicious activities as the first step of initial access. Attackers leverage basic information about a company’s hierarchy gathered from open sources prior to BEC attacks. These attacks can take the form of a message resembling an email sent by the company’s CEO, requesting urgent fund transfers from employees. Alternatively, they may involve requests for purchasing gift cards from executive assistants to reward diligent employees, as we will discuss further in the information below.

BEC attacks can also target the relationships between organizations and vendors in their supply chain. By impersonating an email from a participant in the supply chain, attackers can request the modification of invoice details in your company’s finance department, replacing them with the attacker’s account information. They can also demand transfers of funds to accounts under their control using fake invoices. Furthermore, as we will elaborate on in the following information, BEC attacks can lead to the introduction of malicious software into your organization’s information system through email attachments.

An alarming example demonstrating that BEC attacks can target any type of organization is the case of Puerto Rico’s government, which suffered millions of dollars in financial losses. As a result of an attacker gaining control over an email address associated with the Puerto Rico Retirement System, many victims, including the Puerto Rico Department of Industry and Development and Puerto Rico Tourism Companies, were persuaded by the attackers to make multimillion-dollar transfers. Numerous institutions fell into the trap set by emails sent on behalf of the Puerto Rico Retirement System, requesting changes to account numbers for future premium payments.

A Rising Trend: BEC Attacks 

According to the FBI’s annual cybercrime reports, BEC attacks accounted for 20,373 complaints in 2018, which increased to 23,775 in 2019, then decreased to 19,369 in 2020, and rose again to 21,832 in 2022. These data indicate a 7.2% increase in BEC attacks over the past four years.

Despite the lack of an astronomical increase in reported BEC attack cases, the techniques employed by attackers have become more sophisticated, and the demanded amounts have significantly increased in parallel with the post-pandemic digitalization and adoption of remote work models. The losses due to BEC attacks rose from $1.2 billion in 2018 to $1.7 billion in 2019, $1.8 billion in 2020, and $2.7 billion in 2022. These figures show a 125% increase in BEC attacks over the past four years.

The Weakest Link in the Chain: Humans

While many sophisticated security solutions focus on email attachments and malicious file extensions, company employees can fall victim to plain text emails written in simple language.

According to the 2023 Email Security Report by Abnormal Security, over 98% of employees fail to report BEC email attacks. The same study reveals that entry-level employees respond to text-based BEC emails in 78% of reported incidents, particularly in sales and marketing departments.

Another noteworthy finding from Verizon’s 2023 DBIR report is that BEC attacks stand out in over 67% of all cases where data breaches occur after an initial compromise.

Preventing BEC Attacks: A Multilayered Approach 

To counter BEC attacks effectively, organizations can implement multiple layers of protection. Here are some recommended measures:

1. Email Authentication Protocols: Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) protocols to authenticate email senders and prevent spoofing.
2. Brand Indicators for Message Identification (BIMI): Incorporate BIMI policies to enhance email security and validate the authenticity of emails using verified logos and indicators.
3. Employee Awareness Training: Conduct regular training sessions to educate employees about BEC attacks, including the recognition of common red flags, such as urgent requests for fund transfers, unusual sender addresses, and grammatical errors in email messages. In the context of BEC attacks, if you are not a very specific target for the attacker, the attackers’ rushed style, language, and spelling errors can draw attention as details that give away the attempted attack. With the proliferation of artificial intelligence language models, it should not be forgotten that attackers can prepare emails of professional quality that are indistinguishable from reality in any language and for any organization. Moreover, advanced AI language models can mimic the person, tone, and writing style to be used in the attack based on publicly available writing samples and speech patterns, enabling them to craft more convincing email messages.
4. Robust Password Policies: Encourage employees to use strong, unique passwords for their email accounts and enable two-factor authentication (2FA) and use password managers whenever possible.
5. Vendor and Supplier Due Diligence: Implement a rigorous vetting process for suppliers and vendors, verifying their security measures and ensuring their adherence to industry standards.
6. Policy, procedure and Incident Response Plan: Develop a comprehensive incident response plan that includes specific procedures for handling suspected BEC attacks, including reporting incidents, communicating with financial institutions, and involving law enforcement if necessary. Having a secure email policy and procedure is essential for organizations to combat BEC attacks effectively. It establishes guidelines for employees to follow, emphasizing the importance of caution and verification when dealing with suspicious emails. The policy outlines steps to handle suspected BEC attacks, including reporting incidents, preserving evidence, and escalating to the appropriate channels. It also addresses secure communication practices, such as email encryption and strong passwords. By incorporating these measures into a comprehensive incident response plan, organizations can mitigate the impact of BEC attacks and reduce the risk of future occurrences.

By implementing these measures, organizations can significantly reduce their vulnerability to BEC attacks and strengthen their overall cybersecurity posture. Remember, maintaining a high level of vigilance and continuously educating employees about emerging threats are crucial for staying one step ahead of attackers.

How Threat Intelligence Helps Organizations to Tackle BEC Attacks?

Threat intelligence plays a vital role in helping organizations tackle BEC attacks effectively. By incorporating threat intelligence into their cybersecurity strategies, organizations gain valuable insights into the latest tactics, techniques, and indicators of compromise (IoCs) used by attackers in BEC attacks. Here’s how threat intelligence can assist organizations in countering BEC attacks:

1. Early Detection: Threat intelligence sources, such as cybersecurity research firms, government agencies, and information sharing platforms, continuously monitor and analyze emerging threats, including BEC attack trends. By subscribing to these intelligence feeds, organizations can receive timely alerts and updates about new attack vectors, compromised email addresses, or phishing campaigns related to BEC attacks. This early warning enables organizations to proactively identify and respond to potential threats before they can cause significant damage.
2. Behavioral Analysis: Threat intelligence can provide behavioral analysis of BEC attacks, helping organizations understand the techniques employed by attackers. This analysis includes identifying patterns in email content, metadata, sender behavior, and social engineering tactics commonly used in BEC attacks. Armed with this knowledge, organizations can train employees to recognize these behavioral patterns and respond appropriately, such as verifying requests through alternative communication channels or double-checking email addresses before initiating any financial transactions.
3. Collaboration and Information Sharing: Threat intelligence promotes collaboration and information sharing among organizations facing similar threats. Industry-specific forums, cybersecurity communities, and threat intelligence platforms enable organizations to share insights, experiences, and best practices for countering BEC attacks. By participating in these collaborative efforts, organizations can enhance their understanding of the threat landscape, receive real-time updates, and benefit from collective defense strategies.

Power Your Organization’s Security Posture with SOCRadar

The AI-powered Digital Risk Protection service provided by SOCRadar analyzes millions of domain names to detect phishing domains created for your brand and entire business network. It identifies domain registrations that mimic your organization’s name or owned brands and instantly notifies users. With SOCRadar, security teams can initiate the takedown process of domain names impersonating the organization or its brands with just one click, without additional legal or procedural obligations.

SOCRadar closely monitors domain names taken by phishing attackers in the DNS records of these emails, particularly changes in MX records, and instantly notifies you of any modifications.

With the SOCRadar Breach Database module, you can check if any of your employees or business partners’ information is exposed in disclosure lists through the platform and quickly initiate password changes in case of exposure.

Through SOCRadar’s Supply Chain Intelligence module, you can monitor and alert your employees to be cautious of emails from suppliers that have been hacked or subjected to data breaches.

Threat actors primarily target your organization’s CEO, CFO, and other key executives. SOCRadar closely monitors and instantly notifies you of any personal data disclosures related to your organization’s key personnel. You can check if the information of your critical employees is present in disclosure lists through the SOCRadar platform, enabling you to stay one step ahead of attackers.

SOCRadar, “AttackMapper” module performs SPF and DMARC validation on your MX-registered domains, mitigating email spoofing techniques and enhancing email security measures.

In summary, threat intelligence serves as a critical resource for organizations to stay ahead of BEC attacks. By leveraging timely and relevant information, organizations can enhance their detection capabilities, fortify their defenses, and empower employees to make informed decisions when encountering suspicious emails or requests.