URGENT, ACT. RQD: Navigating Business Email Compromise

Simon Tame | 12 April 2016

Call me phishmail.

Whaling ­– also known as CEO fraud and business email compromise (BEC) – is a type of scam whereby attackers spoof company executives, either by the compromise of that executive’s email account or through the use of typo-squatting (domains registered that look similar to legitimate company domains) in order to socially engineer their targets. Last year we observed an uptick in reports of the use of BEC by threat actors and, more recently, the use of this method has evolved to open up new avenues for cybercriminals to exploit.

At first, BEC was repeatedly used in order to persuade employees in financial teams to conduct “urgent” wire transfers to bank accounts controller by the attackers or their associates. A few examples of this were reported publicy, including the $47 million loss suffered by Ubiquiti Networks and the $1.8 million by Samson Resources Corporation – but there is an obvious caveat here: not all companies will admit  – at least publicly – that they were the victim of this type of scam. Turning to the Federal Bureau of Investigation’s statistics shows that, between October 2013 and August 2015, BEC was accountable for $747 million (both attempted and actual losses) stemming from 8,179 businesses.

Aside from socially engineering company employees to send them large sums of money, cybercriminals have used BEC to extract information from their targets. Take, for example, the tax season in the United States. Figure 1 shows us that, about a month before the tax return deadline in the United States, reporting started emerging of companies being targeted for details on their employees, including social security numbers and W-2 forms (tax forms). This information was likely to have been targeted by cybercriminals for use in fraudulent tax returns.  

On March 16, 2016, it was reported that BEC was used to deliver emails that contained malicious attachments. Specifically, a keylogger – capable of recording keystrokes on an infected machine – was delivered to recipients.

The reporting can show us a few things. Firstly, it shows us that cybercriminals use tried and tested methods with substle shifts in tactics in order to achieve their ends. From financial transactions, to information theft and then to the delivery of malware, BEC has provided a bountiful catch for cybercriminals trawling the high seas of the internet. Secondly, the reporting shows us that there are certainly more use cases for BEC. For example, there are almost no limitations for a cybercriminal that wishes to use BEC in order to extract other sensitive, confidential or proprietary information. Finally, the reporting shows us that we need to be aware of these methods and act accordingly.

 

Whaling Timeline 

Some BEC attempts rely on the use of typosquatted domains in order to trick recipients into believing they received an email from someone within the company. These emails can be difficult to spot and require awareness on the part of both the employer and the employee. However, by monitoring threat actor activity, organizations can be made aware of such methods. Organizations can use this awareness to make better informed decisions about their security and provide awareness to their employees.