Palo Alto’s Unit 42 has just released a new report on BEC scams. Business email compromise is one of the most common ways scammers ravage organizations: the average wire fraud attempt came to $567,000, and the largest reached $6 million.
A new report from Palo Alto’s threat research team Unit 42 shows that BEC (business email compromise) keeps scamming victims out of thousands (and sometimes millions) of dollars.
BEC Scams Caused $1.87 Billion Losses in 2020
The research team analyzed hundreds of BEC cases and found that the average wire transfer fraud attempt was $567,000, with the highest shooting up to $6 million. In addition, since the beginning of 2020, Unit 42 experts discovered that a crushing 89% of business email compromise victims had multi-factor authentication disabled.
The FBI often refers to this type of fraud as one of the most profitable and reported that it caused damages worth $1.87 billion last year. However, researchers also found that victims often avoid going public about such attacks, as this can damage their reputation, making BEC scams a silent, dangerous threat.
Bombarding Employees With Phishing Emails
Palo Alto said that its researchers spend thousands of hours investigating BEC scams, “combing through logs to identify unauthorized activity, determine how unauthorized access occurred and find security gaps that need to be addressed.”
“Attackers targeted hundreds of employees at an insurance company with phishing emails. These emails led to an attempt to get login credentials through spoofed Microsoft 365 email login pages that looked identical to legitimate ones set up by that firm. The attackers succeeded in gaining access to a few of those accounts, which belonged to employees who hadn’t set up MFA, which led in turn to gaining access to sensitive data on an internal Sharepoint site,” wrote Unit 42 researchers Jenna Garbett and Sama Manchanda.
“Attackers gained access to the email accounts of two employees at one client organization that failed to disable legacy authentication for synchronizing email boxes via IMAP4 and POP3. That gave the threat actors access to everything in both mailboxes for over a month, enabling them to collect personally identifiable information (PII) from the victims’ contacts. This is one of the most common ways of bypassing MFA, especially in hybrid environments that have legitimate use for legacy protocols.”
Unit 42 provided other examples, one of which included scammers who “compromised multiple users at a job placement agency, then used those accounts to circulate job postings that asked recipients to provide personal data.”
Researchers said the scammers then set up mailbox rules that moved all responses to hidden folders and forwarded them to an external account. The blog post notes that most email services offer many options for implementing multi-factor authentication.
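The reply-hiding rules described above leave a trail in mailbox audit logs. The following is an added example, not code from the Unit 42 report: it scores constructed rule-creation records (shaped like Microsoft 365 Unified Audit Log New-InboxRule entries, which is an assumption) for the tell-tale combination of external forwarding, a seldom-viewed destination folder, deletion, or a blank rule name.

```python
"""Flag mailbox rules that match the BEC reply-hiding pattern: responses moved
into an obscure folder and/or forwarded to an address outside the organization.
Record layout is assumed to resemble M365 Unified Audit Log entries; all
sample data below is constructed for this example."""
import json

ORG_DOMAINS = {"example.com"}  # assumed tenant domain(s)
HIDDEN_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Archive", "Junk Email", "Deleted Items"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample: one classic BEC rule, one benign rule, one delete rule.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "ForwardTo", "Value": "hr-jobs@mail-drop.invalid"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "digest"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Cleanup"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire"}]},
]

def is_external(address):
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def analyze_rule(record):
    """Return the reasons a rule looks like a BEC reply-hiding rule (empty if none)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS:  # a value may list several recipients with ';'
        for rcpt in params.get(name, "").split(";"):
            if rcpt and is_external(rcpt):
                reasons.append(f"{name} to external address {rcpt}")
    if params.get("MoveToFolder") in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to seldom-viewed folder '{params['MoveToFolder']}'")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if not params.get("Name", "x").strip(".- "):
        reasons.append("rule name is blank or punctuation only")
    return reasons

def find_suspicious(records):
    """Map each user with at least one suspicious rule to the reasons found."""
    return {r["UserId"]: analyze_rule(r) for r in records if analyze_rule(r)}

if __name__ == "__main__":
    print(json.dumps(find_suspicious(SAMPLE_RECORDS), indent=2))
```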
Sometimes, MFA Is Not Enough
Unit 42 used the story of a US financial services firm CEO as a cautionary tale.
“His iPhone kept pinging him with MFA requests to access his email, interrupting him on a day packed with customer meetings. He was annoyed by the intrusion, figuring it was some kind of system error, and rejected each request so he could focus on work. He thought it was over when the requests stopped,” Garbett and Manchanda wrote.
“Months later, however, he learned he had mistakenly authorized one of those many requests, unknowingly granting an attacker unfettered access to his email. He learned about the compromise when his bank flagged suspicious wire transfers totaling nearly $1 million, and our investigation uncovered the exposure of data belonging to the company, its employees, and clients.”
The report says that the organization recovered the stolen money. However, incidents like this one are still costly, both in reputational damage and in the resources needed to remediate the problem.
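The CEO's experience above is the MFA prompt-bombing pattern: a burst of rejected push requests, then one accidental approval. As an added example (not from the Unit 42 report), the detector below runs over constructed sign-in events and flags any user whose approval follows a run of denials inside a short window; the event layout and field names are assumptions.

```python
"""Detect MFA prompt bombing: an approval preceded by many denied push prompts
within a short window. Events are constructed sample sign-in records
(timestamp, user, result); a real IdP export would need a small adapter."""
from datetime import datetime, timedelta

DENIAL_THRESHOLD = 5              # denials that must precede the approval
WINDOW = timedelta(minutes=30)    # how far back denials still count

# Constructed sample: the CEO rejects eight prompts two minutes apart and then
# approves one; dana rejects a single prompt and then approves (normal use).
SAMPLE_EVENTS = [
    (f"2021-06-01T09:{m:02d}:00", "ceo@example.com", "denied") for m in range(0, 16, 2)
] + [
    ("2021-06-01T09:16:00", "ceo@example.com", "approved"),
    ("2021-06-01T11:00:00", "dana@example.com", "denied"),
    ("2021-06-01T11:01:00", "dana@example.com", "approved"),
]

def find_prompt_bombing(events, threshold=DENIAL_THRESHOLD, window=WINDOW):
    """Return {user: (denials_in_window, approval_timestamp)} for every approval
    that followed at least `threshold` denials within `window`."""
    per_user = {}
    for ts, user, result in sorted(events):   # ISO timestamps sort lexically
        per_user.setdefault(user, []).append((datetime.fromisoformat(ts), result))
    hits = {}
    for user, seq in per_user.items():
        recent_denials = []
        for t, result in seq:
            # Drop denials that have aged out of the sliding window.
            recent_denials = [d for d in recent_denials if t - d <= window]
            if result == "denied":
                recent_denials.append(t)
            elif result == "approved" and len(recent_denials) >= threshold:
                hits[user] = (len(recent_denials), t.isoformat())
                recent_denials = []
    return hits

if __name__ == "__main__":
    for user, (count, when) in find_prompt_bombing(SAMPLE_EVENTS).items():
        print(f"{user}: approved at {when} after {count} denied prompts")
```

Pair the alert with a check of what the approved session did next (new inbox rules, unusual sign-in location), since the approval itself looks like any other successful MFA.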
BEC – Costlier Than Ransomware?
Jen Miller-Osborn, deputy director of threat intelligence for Unit 42, said their initial intention was to investigate the rise of ransomware, which eventually led them to dig deeper into BEC scams, as the damages are “orders of magnitude higher than ransomware.”
“Similar to ransomware, we’re seeing an increasing number of attackers getting into BEC, and we’re also seeing it mature into — like Ransomware-as-a-service — BEC-as-a-service. They’re becoming more tech-savvy. They’ve been in the commodity space and are starting to include publicly disclosed vulnerabilities. They’re becoming more professional.”
Attackers are actively exploiting LinkedIn and other websites to gather data for BEC scams.
She explained that companies can prevent BEC scams with proper security awareness training, enforced MFA, legacy authentication controls, account permissions, audit logging, and event supervision.
“With everyone working remotely, there are people who may not have gotten into BEC before who now, just like ransomware, they decided to shift into to make money. And I think the issues that we see with how difficult it is to stop these ransomware campaigns effectively also points to how difficult it is for BEC, or even harder because BEC involves a lot of social engineering components that you don’t typically see with other attacks,” she said.
“They’ll actually get on the phone and call people and try to get them to do things. They have money mules in other countries to help them move the money around. It’s a lot more people-based, and in many cases, a lot of BEC scams don’t involve any malware, so there’s nothing that you could have seen. Nothing malicious attached to phishing emails. There was nothing a firewall or endpoint could have detected.”