CEO Fraud: Barriers to Entry Falling, Security Firm WarnsAccess to Valuable Business Email Accounts Starts at $150 on Black Market
Business email compromise isn't the most sophisticated kind of online fraud, but it's shockingly profitable. In July, the FBI estimated that global BEC losses over the last five years had reached at least $12.5 billion (see FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
That's pretty effective for a scam that involves little more than attackers pretending to be a senior company official to trick employees into sending them money.
The BEC scam, aka CEO fraud, is so effective because it exploits trust, inattentiveness to detail and poor controls. By compromising email accounts within a company, attackers learn, for example, how invoices are paid and can seek to defraud victims based on intimate knowledge of how organizations pay their bills.
Security vendor Digital Shadows, which monitors cybercriminal forms and dark web sites, says in a new report that the barriers to getting into the BEC compromise game continue to fall.
The company's recent research found that anyone who wants to buy the credentials for a valuable compromised email account - particularly related to a company's finance department - need pay only $150 to $500. Sometimes credential sellers will instead ask for a percentage of the stolen funds rather than an initial, one-off payment.
This pay-for-access model, Digital Shadows says, mean that it's possible to outsource the acquisition of account credentials, which is an essential part of pulling off a BEC scam.
"Given how lucrative access to the email inboxes of finance departments and CEO/CFOs can be, it's unsurprising that online criminal forums are replete with individuals requesting access to corporate email accounts," Rick Holland, Rafael Amado and Michael Marriott of Digital Shadows write in their report.
Data Breaches: A Springboard For BEC
Digital Shadows' research indicates that some of the hot email addresses sought by purchasers have prefixes such as "accounting@," "invoice@," "payables@," "accountreceivable@" and "receivables@."
During the course of its research, the security vendor began talking, incognito and via Jabber, to a Russian-speaking individual who wanted to buy those types of credentials. Rather than paying cash up front, the would-be buyer offered the security researchers a 20 percent cut of any successful fraud as a result of using the illicit access to the legitimate email accounts.
The individual had a list of 100 targets, mostly in the U.K., Australia and Singapore, in the construction, property and higher education sectors as well as public services.
Open Source Details
Unfortunately, would-be attackers need not always purchase account access. In some cases, Digital Shadows says, enterprising attackers might find that the information they require is already freely circulating online.
For example, Digital Shadows dug through its own repository of breaches, which has data from 280,000 breaches, such as LinkedIn, Adobe and Yahoo, and contains nearly 5 billion sets of stolen credentials. The analysts sought to find out how many finance-related email accounts may have been exposed in previous breaches.
They found 33,568 email addresses for finance departments had been exposed via third-party breaches. For 83 percent of those email addresses, the passwords for the accounts were also exposed.
The finding that so many of these types of email addresses appear in data breaches suggests "finance departments should limit the extent to which they sign up for third-party services with the department email account," Digital Shadows says.
Configuration errors by organizations may also reveal account information. Digital Shadows searched for misconfigured SMB, rsync, FTP and NAS drives across the internet, looking for file suffixes such as EML, mBox and MSG.
It found 12.5 million sensitive email files, according to the report. In one example, "a whole accounting firm's email correspondence with clients was publicly available online, including thousands of invoices and tax returns - a gold mine for a BEC campaign or fraudster looking to sell documents on forums and marketplaces," the report says.
Add BEC to Incident Response Plans
Once a sensitive email account has been compromised, attackers will often lurk inside the network, mapping a company's business processes to get a feel for when the time might be right to perpetrate fraud.
To hide their efforts, attackers may alter the rules for a compromised email account to divert copies of their fraudulent messages - and potentially replies - to other, attacker-controlled accounts, Digital Shadows notes. Such fraud can take the form of false invoices or modifying legitimate ones, but swapping in details for accounts controlled by attackers.
Because BEC scams typically exploit weak corporate controls, organizations can use many actions to better defend themselves, Digital Shadows says. One of the most basic steps is to ensure that email accounts always have two-step verification enabled. That at least prevents an attacker that has the login credentials from accessing the account.
Controls around wire transfers can also be shored up, Digital Shadows says. Fraudsters have had success, for example, by compromising the email account of a CEO and then sending an email to the finance department saying a payment needs to be made. Reluctant to second-guess the CEO, the payment too often gets made, even though it is fraudulent, the researchers say.
One way to block these types of exploits is to always require that several individuals must approve any wire transfer above a certain amount, Digital Shadows says.
From a networking standpoint, Digital Shadows also recommends never exposing email archives publicly and always password-protecting such archives, as well as firewalling all internet-connected ports. Also consider whitelisting any IP addresses that are allowed to access any specific resource, Digital Shadows says.
And although BEC isn't destructive, it is costly, which means it's good to factor in recovering from a BEC attack when crafting an organization's incident response plan, Digital Shadows says.
"Just as you have built ransomware and destructive malware (think Saudi Aramco or Sony Pictures) into your incident response/business continuity planning, you need to build BEC into your contingency plans," the report says.
Europol Traces Evolving Scam
More criminal groups are pursuing BEC scams than ever before. Europol, the EU's law enforcement intelligence agency, says that fraudsters operating out of West Africa who previously ran 419 scams - also known as the Nigerian Prince scam - have also begun running sophisticated BEC schemes.
More advanced criminals may also employ BEC scams as part of even larger attacks. Indeed, after gaining access to a business's network and running a BEC scam, attackers may also use their network access "to monitor and ultimately control internal systems, to, for example, facilitate remote ATM cash withdrawals," Europol says in its latest Internet Organized Crime Threat Assessment, released last month.
"Business process compromise is also an option once the perpetrator has gained access as they can make payments using internally accessed payment platforms such as SWIFT," it adds. "Several member states also report intrusions purely for the purpose of inflicting malicious damage, typically the destruction of business-critical data" (see Cybercrime: 15 Top Threats and Trends).
Executive Editor Mathew Schwartz also contributed to this story.