Cybercriminals are getting less technical and focusing on exploiting human trust
Malware may sound sexy but, for today’s cybercriminal, a simple email can suffice in making the best bang for the buck with little risk of getting caught red-handed.
Social engineering and the human elements of cybersecurity – typically seen as the attack vector used to get a foot in at the door – are increasing playing an integral role in cyber-enabled attacks.
The shift, which according to the California-based security firm Proofpoint saw web-based social engineering attacks jump 233% between Q2 and Q3 last year, is likely due to criminals focusing on less technical means of infiltration, as users and organizations become more mindful of digital security.
But defenses for these types of attacks – say, a fraudster posing as someone legitimate – are still yet to make their way into security awareness training on a mass scale, leaving even the biggest companies vulnerable to exploitation as a result.
Google and Facebook get pwned
In March, a Lithuanian man pleaded guilty to wire fraud over his attempt to steal over $100 million from Google and Facebook using a scam technique known as business email compromise (BEC), which involves tricking a victim with a phony or spoofed email.
Evaldas Rimasauskas, 50, and his unnamed conspirators, crafted a carefully calculated email scheme between 2013 to 2015, sending fraudulent messages posing as a Taiwanese hardware company in order to solicit funds from the two tech giants. He now faces 30 years in prison.
While BEC scams, sometimes called man-in-the-email (MITE) scams, are by no means new – think of that email sent to from a “Nigerian Prince” – the threat to businesses around the world appears to be on the rise.
From 2013 to 2018, the FBI’s Internet Crime Complaint Center (IC3), which receive regular reports from online victims both domestically and internationally, recorded more than $12 billion dollars in losses to BEC scams alone – a 136% increase in global exposed losses, as stated in a 2018 public service announcement made by the bureau.
Criminal behavior analysis
Crane Hassold, a 11-year veteran of the FBI and current senior director of threat research at cybersecurity firm Agari, has been tracking digital fraud attacks such as BEC in his new role, focusing on the behavioral element that makes them so successful.
“Eighty per cent of all cyber email-based attacks are now purely social engineering,” he told The Daily Swig.
“Phishing, for example, is essentially exploiting components of human behavior that are too engrained in all of us.”
Human trust, and arguably fear, play a significant role in the BEC attack, as fraudsters typically impersonate a CEO or CFO of a company, often providing fake documents, to get the victim to transfer their funds.
This sort of deception, one that Agari says has been tried on 96% of businesses, notably does not require any malicious link or attachment to cause the damage – very much like an extortion email.
By conducting passive and active intelligence gathering, a combination open source information gathering and actual engagement with threat actors, Hassold and his team are able to extract information about various cybercrime groups in order to help produce better defenses.
“When you ask questions like ‘Why am I receiving this email?’ and ‘How is my information out there?’, we’re getting an intimate look into how [the threat actors] are actually doing this,” he said.
“We’re looking at this from an identity and relationship perspective between the [email] sender and receiver, and looking at that behavior to see if that behavior makes sense,” he said.
“This has sort of evolved into the BEC problem.”
Last December Agari released a report illustrating the movements of a particularly organized BEC gang, London Blue. The Nigerian group had amalgamated more than 50,000 high profile potential targets, including those from large international banks.
“They [London Blue] use legitimate sales leads services, which businesses everywhere use for sales purposes, in a malicious way in order to identify potential leads to go after,” Hassold said.
“And instead of using internal accounts to launch these [BEC] campaigns, they are using display name tactics because it’s easier.”
He added: “Throwaway accounts are much easier to use than buying a phishing kit or taking over accounts.”
Agari has been able to follow the group’s tactics since 2011, when Craigslist scams, and then credential phishing through Dropbox and Office 365, were the weapons of choice.
“They have been doing BEC for about two and a half years now,” Hassold said.
“And Asia [is] not a geographical region that they’ve ever targeted before.”
Hassold’s comments come in line with an update from Agari on London Blue’s operations, having turned its focus on Asia – Malaysia, Singapore, and Hong Kong – expanding on its, predominately UK and Western Europe, database of potential victims, now totaling 8,500 financial executives from nearly 7,800 companies.
“It’s notable that they’re broadening their attack surface a little bit to go after individuals in different places,” he said.
Another change has been the move away from throwaway email addresses.
“Starting in late February they started spoofing target email addresses, or the CEOs email address,” Hassold said.
“That’s not uncommon in the BEC attack, but a notable shift for London Blue who, for two and a half years, have relied on simply using display name deception techniques with a throwaway paper email address.”
While businesses may now be well aware of London Blue’s existence, the most worrying thing Agari found was that no company within the cybercrime group’s target list had appropriate security protocols in place.
“I think one of the best prevention mechanisms to have in place for BEC one is [having] a DMARC [Domain-based Message Authentication, Reporting and Conformance] policy in place,” he said.
“So having a DMARC record that links up to a minimum quarantine so if something comes out spoofing someone’s domain it will not reach the recipient.”
In addition to technical controls, such as DMARC, someone needs to think ‘should we be paying this person?’
“From the other side of that, if someone receives a request to make a payment from anyone, having a check and structured process in place, so that if something deviants from that process, a red flag will be raised and make the attack fail,” he said.