Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
While this article was primarily discussing a new product offering, I found two interesting points.
- One of the greatest truths in cybersecurity is that defenders need to be right all the time, while cybercriminals only need to be right once.
- …security professionals are faced with a widening attack surface to monitor…
These thoughts can be applied to any number of scenarios in the business world or even the realm of home networks, but let’s look at just one aspect: BEC (Business Email Compromise). While the name says it all, let’s make sure we are on the same page. BEC is an effort to get access to an entire business network, as opposed to compromising a single user account.
A successful BEC operation allows the bad guys access to an abundance of resources. They have access to many email accounts, as well as company data, potential connections to other networks, potential extortion victims via ransomware, and data exfiltration. Truly a bounty for those with criminal intent.
A Google search for ‘damage from BEC’ yields many pages of results. A few of them are:
- The 2019 FBI cybercrime report indicates that losses from Business Email Compromise attacks are approximately $1.7 billion, which accounts for almost half of all losses due to cybercrime. (Link to Microsoft article)
- If the “least cost avoider” approach takes hold, it seems plausible that payors will have a tough time of it. Courts could well reason that it is generally easier for a payor to spot and reject a fraudulent instruction than it is for the payee to avoid being hacked in the first place. (Translation: if you get compromised, you take the loss.) (Link to Bloomberg Law article)
- Abnormal Security, a leader in protecting large enterprises from Business Email Compromise (BEC) attacks, today published research data that shows a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020. (Link to Business Wire article )
- The Nigerian Police Force apprehended the three suspects. Its cybercrime unit analyzing electronic devices belonging to the three suspects determined their involvement in cybercriminal activity and identified data stolen from at least 50,000 victims. (Link to Bleeping Computer article)
Note some key points from the above:
- $7 BILLION in losses
- If you succumb, you are at fault
- Attacks are rising fast
- There are tens of thousands of victims, being victimized from afar.
Targeted Attacks Are Higher Quality
BEC threats are becoming more sophisticated. In reference to the widening attack surface, this article was enlightening:
Since the beginning of 2020, researchers at Barracuda have identified 6,170 malicious accounts that use Gmail, AOL, and other email services and were responsible for more than 100,000 BEC attacks on nearly 6,600 organizations. In fact, since April 1, malicious accounts have been behind 45 percent of the BEC attacks detected.
So the protectors of the realm face an increasingly difficult task. You used to be able to say “We don’t accept email from a .RU domain or with an originating IP address in China”. Now you cannot generalize like that, because of the subterfuge employed by the bad guys.
Another tactic that makes BEC difficult to defend against is mentioned in the article:
By nature, business email compromise is a highly targeted attack. After an initial research period, cybercriminals will impersonate an employee or trusted partner in an email attack. Usually, email is used first to establish contact and trust. Attackers will expect replies to their BEC attacks. Therefore, these attacks are usually very low volume and highly personalized to ensure a higher chance of a reply. The number of email attacks sent by a malicious account ranged from one to over 600 emails, with the average being only 19.
So you cannot rely on volume to signal a BEC attack. Keep in mind these are spear-phishing attacks. The attackers will have gotten employee names and positions to make their emails seem more authentic. They want to establish a relationship with someone on the inside. Once they do, the results are not good. This article is another example.
While arrests have been made, the attackers were able to divert almost $1 million to their accounts. The victims were in New Zealand and Australia, while the bad guys were in the US. These days, distance is not an issue.
Security Awareness Training is Key
Over and over again, one of the conclusions in many of the articles is that users need training to recognize bad emails. From another article come these points.
- BEC emails often are written with a sense of urgency in order to rush the recipient into doing the attacker’s bidding, with 85% marked as urgent, 59% requesting help, and 26% inquiring about availability, according to Barracuda’s findings.
- BEC emails are three times more likely to be opened.
- They typically land in no more than 25 inboxes in an organization — on a weekday first thing in the morning, posing as an urgent or time-sensitive email from a co-worker or executive
- 91% of BEC attacks occur on weekdays
- The best way to beat back BECs:
  - multifactor authentication to protect user credentials that get stolen
  - the usual mantra of educating users about the scams and how to spot one, including confirming an email address
Remember, you only get one chance to be right about identifying a BEC email. The bad guy only needs to get it right once to win. To learn more about multifactor authentication, security awareness training, or properly securing your Microsoft 365 email accounts, call Ashton Technology Solutions at 216 397-4080.