Business Email Compromise (BEC) attacks are increasing, posing significant threats to organizations globally. In the realm of cybercrime, BEC attacks stand out as a highly sophisticated and rapidly evolving threat. These attacks mainly rely on cleverly crafted emails to trick people within a company into doing things that can harm the company. The primary goals of these attacks are financial gain and access to sensitive information. Therefore, it's important for businesses to understand the different aspects of this threat.
BEC attacks are multifaceted, encompassing a range of tactics and techniques. They exploit the psychology of trust and authority to deceive employees into transferring funds to attacker-controlled accounts or disclosing sensitive company information. In the world of cybersecurity, there are many different kinds of people and groups trying to carry out these attacks, from individual hackers to organized criminal organizations. To protect themselves effectively, organizations need to dive deep into how these attacks work, understand the methods these attackers use, and put strong defenses in place.
In today's digital landscape, cyber threats are constantly evolving, and one that's been making waves is Business Email Compromise (BEC). This type of email-based cybercrime has been causing significant problems for businesses, regardless of their size or industry. The potential financial losses associated with BEC run into the billions of dollars.
At its core, BEC is a form of social engineering conducted through email. In a BEC attack, the attacker crafts an email message with the aim of convincing the recipient to take specific actions, typically involving fraudulent fund transfers. Here are some distinctive features that set BEC apart from other email-based attacks:
What makes BEC attacks particularly concerning is their ability to slip past typical email security filters. These emails usually consist of plain text with no attachment or link, so they blend seamlessly with legitimate email traffic. Furthermore, BEC emails are carefully designed to deceive recipients into taking action based on the message content alone.
Attackers often go to great lengths to impersonate known contacts within the organization (IT staff, CEO, human resources, etc.), sometimes even inserting themselves into ongoing email threads. In many cases, the attacker assumes the identity of a high-ranking executive within the organization, compelling the victim to comply with their fraudulent request.
In October 2021, Avertium published a Threat Intelligence Report regarding the top five cyber threats in healthcare, one of which was BEC. Unfortunately, that fact remains true as recent findings in a report by Abnormal Security have sent shockwaves through the healthcare sector, revealing a staggering 279% increase in BEC attacks this year. Alongside this alarming rise, advanced email threats, encompassing BEC, credential phishing, malware, and extortion, have surged by 167%.
To put these numbers into perspective, the average number of advanced email attacks per 1000 mailboxes within the healthcare industry rose sharply over the year. Starting at 55.66 in January 2023, it climbed to over 100 in March. Though there has been a degree of stabilization, with approximately 61.16 attacks per 1000 mailboxes for the remainder of the year, historical patterns signal a potential uptick during the upcoming holiday season.
While BEC attacks might not flood inboxes at the same volume as some other email threats, they carry the greatest financial risk. The Federal Bureau of Investigation (FBI) reports an average financial loss of $125,000 per BEC attack. These attacks are on the rise, posing an escalating danger because they often rely on text-based deception, emanate from legitimate domains, and lack typical indicators of compromise.
Let's break down a real-life scenario from the Abnormal Security report to better understand the danger of these threats. In this case, there was an attacker pretending to be the top executive (the president and CEO) of a healthcare network. This attacker cleverly asked for updated aging statements for customers and requested email addresses for the account payables department.
Now, here's the important part: If someone from the healthcare network had responded to this seemingly harmless email, it could have given the attacker access to very important financial information. They could have redirected payments, causing the healthcare network to lose a lot of money. So, even though the email appeared innocent, falling for it could have serious consequences for the healthcare organization. It's a reminder of how careful we all need to be when dealing with emails, especially in sensitive industries like healthcare.
In 2020, researchers observed the North Korean threat actor Lazarus engaging in BEC scams. The threat actors were targeting European aerospace and military organizations by using LinkedIn job recruiter profiles to send private messages to targets. The campaign was named "Operation In(ter)ception"; its goal was cyber espionage as well as financial theft. The campaign also included the use of malicious tools designed for Windows.
After the threat actors gathered their intelligence and company data, they attempted to scam the company's business partners, combing through their target's mailboxes looking for unpaid invoices. The threat actors then tried to pressure the customer for payment on the invoice while directing the payment to an alternate bank account.
The attempt to deceive the victim's business partners was foiled, according to ESET. This was because business associates detected something suspicious in the threat actor’s follow-up emails.
In April 2023, APT29 carried out an espionage campaign targeting NATO and EU member states' diplomatic and foreign ministries. This ongoing operation introduced previously undocumented malware payloads. Poland's Military Counterintelligence Service and CERT Polska (CERT.PL) uncovered and probed the campaign, which involved APT29 hackers dispatching spear-phishing emails to specific diplomatic personnel.
Image 1: Email from APT29
Source: CERT.pl
Generally, BEC scams don’t include malware and instead focus on social engineering and manipulation. However, this particular campaign involved both manipulation and malicious documents. These deceptive emails were disguised as messages from European embassies, inviting recipients to meetings or collaborative document work. Enclosed in these emails were PDF attachments featuring links to external-looking calendars, meeting specifics, or work documents. Clicking on these links directed individuals to web pages utilizing JavaScript code to decrypt a payload, making it available for download. The script employed HTML Smuggling, streamlining the transfer of files attached as .ISO, .ZIP, or .IMG formats.
FIN7 is another threat actor that uses BEC in its attacks. The group has been around for a long time and is one of the most prolific threat actors of all time. The threat actor is known for its persistence. Even if their initial BEC attempts are unsuccessful, they may continue to target the organization using different tactics and approaches, adapting to security measures.
FIN7's primary mission revolves around two key objectives. Firstly, they have placed significant emphasis on BEC attacks and infiltrating point-of-sale (POS) systems. Their goal is to extract sensitive data, particularly credit card information and financial data. Secondly, this group has established connections with ransomware gangs like REvil and Dark Matter.
FIN7 typically begins cyberattacks by sending emails to employees of the targeted companies. These emails usually contain an attached file, often disguised as a harmless Microsoft Word document, with malware hidden inside (again, a combination of manipulation and malicious documents). The email messages look like legitimate business-related communications, tricking the employees into opening the attachment and unintentionally infecting their computers with malware.
In numerous instances, FIN7 would complement their emails with a phone call to the targeted company's employee, discussing the same subject matter. This tactic was aimed at lending credibility to the email. The caller would frequently guide the employee to the recently received email, encouraging them to open the attached file and inadvertently trigger the malware.
FIN7 predominantly targets industries such as fast-food and casual dining restaurants, hotels, casinos, and establishments conducting frequent point-of-sale transactions. Across their various victims, FIN7’s goal is to steal credit, debit, and occasionally gift card information utilized in customer transactions. Additionally, the group established a counterfeit computer security company named "Combi Security." They have used this front not only to enlist fresh members but also to provide a superficial appearance of legitimacy to their cybercriminal activity.
Protecting against Business Email Compromise (BEC) schemes requires a combination of technology, policies, and employee awareness. Here are essential steps organizations can take:
Security solutions like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) play a crucial role in accelerating the detection and prevention of BEC attacks.
These tools aid security teams in swiftly recognizing BEC attempts, including those targeting network vulnerabilities, and highlighting suspicious activities across endpoints, email accounts, and other areas that may indicate hackers conducting reconnaissance.
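The executive-impersonation and payment-lure pattern described above (a "CEO" writing from an outside address and asking for aging statements or accounts-payable contacts) can be turned into a simple triage rule a SIEM or mail gateway can run. The following is an added example, not code from the report or from any vendor named in it; the org domain, executive roster, and both sample messages are constructed assumptions.

```python
"""Heuristic BEC triage over raw RFC 5322 message headers and body (added example)."""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed defended domain
# Constructed roster: display names an attacker is likely to impersonate.
EXECUTIVES = {"Alice Chen": "alice.chen@example.com"}
# Phrases typical of the financial lures the report describes.
PAYMENT_TERMS = ("wire", "invoice", "bank account", "aging statement",
                 "accounts payable", "payment")

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: str) -> list[str]:
    """Return the BEC indicators found in one message, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # An executive's display name paired with an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append("exec-display-name-mismatch")
    # Replies silently redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply-to-domain-mismatch")
    # Plain-text request touching payments or receivables.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment-lure")
    return findings

# Constructed sample modelled on the healthcare scenario in the report.
BEC_SAMPLE = """\
From: "Alice Chen" <alice.chen.ceo@mail-example.net>
Reply-To: <alice.chen.ceo@freemail-example.org>
To: ap-clerk@example.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

Please send me the updated aging statements for our customers and
the email address for the accounts payable department. Thanks.
"""
# Constructed benign message from the real executive mailbox.
BENIGN_SAMPLE = """\
From: "Alice Chen" <alice.chen@example.com>
To: ap-clerk@example.com
Subject: Team meeting
Content-Type: text/plain; charset="utf-8"

Reminder: team meeting at 10am tomorrow.
"""
```

Three indicators on one message is a strong signal to hold the mail for review; a single indicator (for example a legitimate forward with a differing Reply-To) is better used to enrich a SIEM alert than to block.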
Healthcare Organizations Experience 279% Increase in… | Abnormal (abnormalsecurity.com)
BEC Attacks Increase By 279% in Healthcare - Infosecurity Magazine (infosecurity-magazine.com)
North Korea's state hackers caught engaging in BEC scams | ZDNET
Microsoft Word - fact_sheet_how_fin7_attacked_and_stole_data_0 (justice.gov)
Businesses Are Doomed If They Don't Do This - FIN7 Beefs Up Their Hacking Arsenal (xitx.com)
What Is BEC? - Business Email Compromise Defined | Proofpoint US
Business Email Compromise — FBI
Understanding the Evolution of Modern Business Email Compromise Attacks - SentinelOne
What is Business Email Compromise (BEC)? | Microsoft Security
What is business email compromise (BEC)? | Cloudflare
What is business email compromise? | IBM
BEC groups are using Google Translate to target high value victims | CSO Online
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.