Sophisticated zero-day attacks may be a cyber-criminal’s first weapon of choice in the movies, but in real life, an email or a phone call can often be enough to get the information you need. Social engineering, the art of manipulating people to achieve your goals, has long been a mainstay in the hacker’s arsenal. Now, cyber-criminals are applying the concept to surgically extract money from companies as part of a technique called business email compromise (BEC).
In a BEC attack, a criminal sends an email impersonating a senior company executive. The mail, sent to someone with access to a company’s financial accounts, demands that they solve an urgent business problem by sending a third party payment. When the panicked employee sends the payment, supposedly to a supplier or service company, it actually goes straight into the attacker’s account.
“One of the primary reasons BEC attacks have become such a growing problem is because the skill level needed to execute them is low and the return for successful attacks is significant,” says Crane Hassold, senior director of threat research at Agari, which sells AI-based email protection solutions.
Just how successful are these attacks? The FBI counted global losses exceeding $12.5bn between October 2013 and May 2018, from nearly 80,000 reported cases worldwide.
Why Now?
BECs may have grown over the last few years, but the first email was sent in 1971 and most people were using emails to do business by the early 2000s. So why has it become a phenomenon now?
“Social media has played a big part,” says Dr Jessica Barker, co-founder of UK security consulting firm Cygenta. Sites like LinkedIn, Twitter and Facebook have enabled attackers to research their targets and understand their relationships and the way that they communicate, she adds.
The rise in cryptocurrency has also made money laundering and fast international transfer far easier, according to Justin Forbes, penetration testing lead in the CERT division of Carnegie Mellon University’s Software Engineering Institute. “Wire transfer is still what I’m seeing as the primary vector to get money out,” he says. “Cryptocurrency has enabled the ability to move things a lot faster afterwards.”
There are several levels of BEC attack. The least sophisticated is a simple email impersonation attack, in which criminals send emails impersonating a C-suite executive from an address that is not the executive's. In many cases, these addresses use a common consumer domain such as Gmail, but they can still be highly effective, because the attacker can pretend to be an executive sending from a personal email address, says Lance Spitzner, director of the Securing the Human awareness training operation at SANS.
“There’s a tremendous sense of urgency, and the bad guys are trying to pressure or intimidate you, and rush you into making some kind of mistake,” he says.
“They will usually keep the email message short and to the point, to avoid making any mistakes and to heighten the sense that the executive is rushed for time,” he adds. If someone queries the request, “the person will email back and say ‘I’m sorry, but I’m getting on the train – you have to process this right now.’”
Hot States & Impulsive Acts
Using psychological tricks to manipulate someone’s behavior is a key technique in social engineering. Barker draws on a behavioral economics theory when describing two sides to the brain: the cognitive side, which thinks things through carefully before acting, and the impulsive side, which is driven by feelings and mood. The social engineer uses a series of techniques to trigger that latter behavioral mechanism.
“If you flatter someone, if you tempt someone, if you make someone curious or angry, if someone is tired or stressed, they’re more likely to be in that hot state where they act rather than think,” she explains.
The likelihood of a successful attack increases when combining that hot state with a convincing story. Forbes identifies a more sophisticated attack which compromises the victim’s business email account.
Attackers often use credential stuffing techniques here, trawling publicly available dumps of compromised emails and passwords. When they find a match with a business email address, they will try logging into the executive’s email account using the dumped password. If the executive reused their passwords, they may score a hit. “Then they’ll compromise that user’s email account and send a request to transfer money to a bank account that they control,” he says. As the request arrives from the executive’s legitimate email address, it won’t trigger any phishing alerts.
Then, there are malware infections that also happen to include a BEC attack as part of their payload. These infections, delivered via conventional methods such as spear phishing and infected attachments, can launch a range of attacks including remote access tools and keyboard loggers. Forbes has also seen them include a particularly sneaky attack that uses malware to set automatic rules in a victim’s email account.
“If they know they’re commonly sending a specific routing number and bank ID, they’ll set a rule to auto-replace that,” he says. When the user enters the details of a legitimate payment transfer, it will switch them to the attacker’s account details, effectively rerouting payments at the source.
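The payment-rerouting rule Forbes describes is something a defender can hunt for by auditing the rules configured in staff mailboxes. The following is an added example, not code from the article or from any of the organisations quoted in it; it assumes a generic JSON export shape (`conditions`/`actions` per rule) that a real mail platform's export would need a small adapter for, and the organisation domain and the three sample rules are constructed.

```python
"""Audit exported mailbox rules for actions a BEC operator tends to plant.

Assumed rule shape (constructed, not any vendor's real export format):
  {"id", "owner", "name", "conditions": {...}, "actions": {...}}
"""
import json
import re

ORG_DOMAINS = {"example.com"}   # assumed: the organisation's own mail domains

# Banking/payment vocabulary that a payment-diverting rule keys on (constructed list)
PAYMENT_TERMS = re.compile(r"\b(invoice|wire|routing|iban|swift|bank|payment|remit)\b", re.I)

# Constructed sample export: one benign rule, one forward-and-delete rule, one rewrite rule
SAMPLE_RULES = json.loads(r'''
[
  {"id": "r1", "owner": "cfo@example.com", "name": "Newsletter cleanup",
   "conditions": {"from_contains": "news@"},
   "actions": {"move_to": "Newsletters"}},
  {"id": "r2", "owner": "cfo@example.com", "name": ".",
   "conditions": {"body_contains": "routing number"},
   "actions": {"forward_to": "cfo.backup@mail-example.net", "delete": true}},
  {"id": "r3", "owner": "ap@example.com", "name": "Vendor update",
   "conditions": {"subject_contains": "invoice"},
   "actions": {"replace_text": {"from": "ROUTING-OLD", "to": "ROUTING-NEW"}}}
]
''')


def _external(addr: str) -> bool:
    """True when a mailbox lies outside the organisation's own domains."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def _matches_payment(conditions: dict) -> bool:
    """Does any rule condition key on payment or banking vocabulary?"""
    return any(PAYMENT_TERMS.search(str(v)) for v in conditions.values())


def audit_rule(rule: dict) -> list[str]:
    """Return the reasons a single rule should be reviewed (empty list = nothing found)."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Mail copied or redirected out of the organisation
    for key in ("forward_to", "redirect_to"):
        target = actions.get(key)
        if target and _external(target):
            findings.append(f"{key} sends mail outside the organisation ({target})")

    # Any rule that edits message content is the payment-detail swap pattern
    if "replace_text" in actions:
        findings.append("rule rewrites message content (payment-detail swap pattern)")

    # Deleting mail that mentions payments hides the victim's own correspondence
    if actions.get("delete") and _matches_payment(conditions):
        findings.append("rule silently deletes mail matching payment vocabulary")

    # Planted rules are frequently left unnamed or named with a lone punctuation mark
    if len(rule.get("name", "").strip(" .")) == 0:
        findings.append("rule has an empty or punctuation-only name")

    return findings


def audit_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map every rule id to its findings so a reviewer can triage the whole export."""
    return {r["id"]: audit_rule(r) for r in rules}


if __name__ == "__main__":
    for rule_id, findings in audit_rules(SAMPLE_RULES).items():
        status = "REVIEW" if findings else "ok"
        print(f"{rule_id:4} {status:6} {'; '.join(findings)}")
```

Run against the constructed export, `r1` is clean, `r2` collects three findings (external forward, deletion of payment mail, punctuation-only name) and `r3` is flagged for rewriting content. The check is deliberately structural rather than keyword-only: a rule that edits message text has no legitimate business use in a finance mailbox, so that finding alone justifies review.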
The Power of Voice
Not all attacks start with email: Barker points to voice phishing (vishing) as a case in point. She explains that this attack, which predates email, relies on vocal persuasion and can be especially powerful in building the rapport used to manipulate victims.
“Especially in the last year we’ve seen a growth in voice phishing attacks to warm up a target to then launch a BEC,” she explains. The attacker will call posing as a supplier explaining that an urgent payment hasn’t gone through, and ask if they can send the payment request via email for a quick resolution.
“That’s very clever because the target feels like they’ve spoken to the real person and they’ve built up a rapport,” she says. “They’ve been asked to do this favor, so when the email comes in they won’t look at it as carefully and they’ll maybe bypass whatever processes they’re meant to go through.”
What kinds of companies fall victim to these attacks? Barker notices a lot of clients in the financial sector, and news articles bear this out. In a 2013 attack, hedge fund Fortelus Capital Management lost £740,000 to voice phishers who didn’t use email at all. Instead, they called an employee on a Friday afternoon pretending to be security staff from Coutts, the company’s bank. They warned of a security compromise and asked the employee to use the two-factor authentication hardware that Coutts had given him to generate codes that would let them access the company’s account. When he obliged, they quickly transferred the money, and he lost his job.
SANS’ Spitzner says that another growing target is real estate customers. Criminals will compromise a realtor’s email and use it to tell house buyers to transfer funds to a fraudulent account.
“Real estate transactions are the perfect place to do electronic transaction fraud because people are prepared to transfer very large sums of money. Real estate transactions are complicated, you only do it once or twice in your life. It’s the perfect time to interject yourself in that communication,” he says.
The most difficult part of the whole process for criminals may be handling the money once it leaves a company. “Most of the costs of running money laundering goes on mules: the people who are setting up accounts, going to ATMs and removing money,” says Barker’s partner, a longtime ethical hacker who only goes by the name ‘FC’. The attackers would set up a bank account under a fake or stolen ID, and then route the money to that. Often, the accounts will be international, which makes it harder for authorities in the victim’s country to enforce the law.
Layered Protection
Protecting a company against social engineering and BEC attacks involves a range of complementary measures. The obvious answer is training, but not all education is the same, warns Barker. Forget dull courses that replicate a classroom setting, she says: “you want training that shows that this is a real problem, ideally with a demonstration of the attack that is engaging, interesting and relevant to the people in the room.”
Companies can layer different technology measures atop each other to increase their protection. Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are all protocols that can help to prevent spoof emails from coming in, and should be combined with mandatory two-factor authentication to thwart account compromise, warns Forbes.
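To make the SPF and DMARC recommendation concrete, here is an added example (not code from the article or from the organisations it quotes) that parses a domain's published SPF and DMARC TXT records and reports the settings that still leave it spoofable. The records are constructed strings; in production you would fetch them over DNS for the domain and for `_dmarc.<domain>`.

```python
"""Assess SPF and DMARC records for settings that fail to stop spoofed From addresses.

Records are passed in as TXT strings; DNS lookup is left to the caller.
"""
from typing import Optional


def parse_spf(txt: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    mechanisms = []
    for term in parts[1:]:
        if term.lstrip("+-~?").lower() == "all":
            # An unqualified 'all' is implicitly '+all' (pass everything)
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> list[str]:
    """Return human-readable weaknesses; an empty list means the basics are in place."""
    issues = []

    if spf_txt is None:
        issues.append("no SPF record: any host may claim to send for this domain")
    else:
        spf = parse_spf(spf_txt)
        if spf["all"] in (None, "+"):
            issues.append("SPF ends in '+all' or has no 'all' term: permits all senders")
        elif spf["all"] == "?":
            issues.append("SPF '?all' is neutral: gives receivers nothing to act on")

    if dmarc_txt is None:
        issues.append("no DMARC record: SPF/DKIM results are never enforced on the From header")
    else:
        dmarc = parse_dmarc(dmarc_txt)
        policy = dmarc.get("p", "none")
        if policy == "none":
            issues.append("DMARC p=none only monitors; spoofed mail is still delivered")
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            issues.append(f"DMARC pct={pct}: policy applied to only part of the mail")
        if "rua" not in dmarc:
            issues.append("no rua= address: aggregate reports are not being collected")

    return issues


# Constructed records: a weak pair beside a hardened pair for the same (fictional) domain
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["no issues found"])
```

The weak pair is the common real-world state: SPF published but ending in `+all`, and DMARC deployed in monitoring mode only, so a receiver has no instruction to reject a message that fails authentication. The hardened pair moves to `-all`, `p=reject` and strict alignment, and collects aggregate reports so that legitimate senders broken by the change are visible.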
He also advises using rules in corporate email systems to label emails according to origin. “If every email you got was green when it came from inside the organization and pink when it came from outside, it would be easier for a user to see at a glance whether this was a phishing email or not,” he says.
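The origin-labelling rule Forbes suggests, together with the display-name impersonation described earlier in the piece, can be expressed as a small classifier over an inbound message. This is an added example, not code from the article: it parses a raw RFC 5322 message with Python's standard library, and the organisation domain, the executive directory and the two sample messages are constructed.

```python
"""Label inbound mail by origin and flag executive display-name impersonation.

Uses only the From/Reply-To/Subject headers; a real gateway would combine this
with its authentication results rather than trusting the From header alone.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                     # assumed organisation domains
# Constructed directory of display names an impersonator would borrow
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def classify(raw: str) -> dict:
    """Return the origin label, the tagged subject and two BEC indicators."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    internal = domain in ORG_DOMAINS

    # Reply-To pointing somewhere other than From sends the reply to a different mailbox
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_diverted = bool(reply_addr) and reply_addr.lower() != addr.lower()

    # A known executive's display name on an address that is not theirs
    known = EXECUTIVES.get(name.strip().lower())
    impersonation = known is not None and addr.lower() != known

    label = "INTERNAL" if internal else "EXTERNAL"
    subject = msg.get("Subject", "")
    return {
        "label": label,
        "subject": subject if internal else f"[{label}] {subject}",
        "impersonation": impersonation,
        "reply_diverted": reply_diverted,
    }


# Constructed messages: a genuine internal mail and a consumer-domain impersonation
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget

See attached."""

LOOKALIKE = """From: Jane Doe <jane.doe.ceo@mail-example.net>
Reply-To: finance.desk@mail-example.net
To: ap@example.com
Subject: Urgent wire

Need this processed before I board the train."""

if __name__ == "__main__":
    for sample in (LEGIT, LOOKALIKE):
        print(classify(sample))
```

The colour banding Forbes describes maps onto the `label` field; the `impersonation` and `reply_diverted` flags are the extra checks a gateway can apply before the message reaches someone who approves payments. Because the From header is attacker-controlled, this classification is a user-facing hint, not a substitute for the SPF, DKIM and DMARC checks.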
The other winning strategy is process change. Companies should make staff follow processes that prevent fraud, say experts. “A potential victim can reach out to the supposed sender of an email to confirm that they were not the one who sent it,” says Agari’s Hassold.
Spitzner adds: “If you’re doing financial transactions you also need a two-person rule where two people must verify that a transaction goes through.” Following this strictly can eliminate a single point of weakness among employees.
These process changes are important, but they must be supported by a shift in organizational culture, points out Cygenta’s FC. If management imposes extra steps in a process and then doesn’t give staff the time and resources to follow them, then employees will cut corners. That’s why a simple-sounding set of fixes often needs a deeper management focus to implement well.
For those companies that don’t invest in those changes? Beware the unexpected email or phone call – it could be your downfall.