BEC attacks on the rise

In a year dominated by COVID, elections, and ransomware, there are plenty of cybersecurity experts looking to other emerging threats as we begin to wind down the year.

“I think the biggest cybersecurity threat facing businesses today are user account takeovers,” says David Rippel, an independent cybersecurity analyst in Tampa, Florida. 

Rippel advises that while phishing and ransomware are persistent and ongoing threats, they aren’t necessarily the top challenge faced by organizations in 2020. Other influential voices in cybersecurity have also recently sounded alarm bells about account takeover (ATO) attacks.

If a bad actor can seize control of an account, then the amount of damage inflicted becomes incalculable. Account compromise is similar to giving Bonnie and Clyde the keys to a bank vault. There’s no need for brute force if one already has the keys. And a Business Email Compromise (BEC) is the cyber equivalent to those keys.

Once an account is compromised, a bad actor can send emails from it to associates who are far less likely to view a well-crafted email suspiciously if it is from a known contact. Dark Reading this week said: “The reality is, hundreds of emails like this trick not only humans but traditional security tools every day.”

Further, Infosecurity Magazine published the following:

“An emerging trend is the exploitation of compromised legitimate email account to carry out BEC attacks. These attacks (also known as CEO or CFO frauds) target high-profile company executives to issue fake payment instructions. Using a legitimate email address to issue the wiring instructions is a fundamental aspect to trick the victim into sending funds to the wrong account.”

In mid-August, New York-based trading firm Virtu Financial said that it had lost $6.9 million in a BEC scam in May as high-ranking company officials had accounts compromised.

From a cybersecurity perspective, ATO is effective because it is challenging to tell – barring a camera – who is using an account. Even if you have cameras everywhere, there are cases where there are legitimate account takeovers from IT professionals doing troubleshooting.

Too many companies cannot quickly and accurately answer the question, “who is logged in from where, and is that normal?”

Conflicting data privacy priorities

“In the spirit of data privacy, most Internet communication lacks nonrepudiation, creating an opportunity for bad actors to freely impersonate compromised digital identities without the worry of being detected by security controls,” Rippel says.

Rippel cited the most recent Verizon Data Breach Investigation Report (DBIR), pointing out that the average damage from a compromised account breach is $24,439. But, the DBIR states that costs can run higher, with one breach affecting a US company estimated at $100 million. The DBIR found that the median breach of a single computer was $7,611. While these figures seem low, according to the report, the bad news is that the scale ranges from $0 to $100 million, accounting for all breaches worldwide. Nobody wants to be one of those statistics, particularly the $100 million one.

MFA isn’t the end

Many cybersecurity professionals implement MFA among their clients’ users and then assume that everything is safe. “The reality is that MFA simply shifts the attacker’s focus to a different target – session cookies,” Rippel says.

Readily available tools like Evilginx2 and Modlishka, Rippel adds, make it easy for bad actors to circumvent MFA in account takeover attacks. The key to stopping and preventing ATO is first to spot these types of attacks, which can be very difficult at times. Spotting a BEC is like spotting an elusive feral hog: once you see them, they can already be doing damage.

“Catching an account takeover attack requires contextualizing security events to users, not just endpoints like traditional Security Information and Event Management focuses on,” Rippel advises. “Collecting security event data to one storage location for analysis is trivial. However, giving security event data meaningful context and making this data immediately actionable is challenging.”
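One way to answer “who is logged in from where, and is that normal?” per user is sketched below as an added example (not from the article or any vendor's product): it ties each event to the user's baseline and to the client that completed MFA, so a session cookie replayed from elsewhere stands out. The event fields, action names, addresses and baseline are constructed assumptions.

```python
from collections import defaultdict

FIELDS = ("ts", "user", "session", "ip", "country", "ua", "action")
# Constructed sample events (not real logs); field and action names are assumptions.
RAW = [
    (1, "cfo@example.com", "s-100", "198.51.100.7", "US", "Outlook/16", "login_mfa"),
    (2, "cfo@example.com", "s-100", "198.51.100.7", "US", "Outlook/16", "read_mail"),
    (3, "it@example.com", "s-200", "198.51.100.9", "US", "Chrome/86", "login_mfa"),
    (4, "cfo@example.com", "s-100", "203.0.113.50", "DE", "Firefox/81", "read_mail"),
    (5, "cfo@example.com", "s-100", "203.0.113.50", "DE", "Firefox/81", "send_mail"),
    (6, "it@example.com", "s-200", "198.51.100.9", "US", "Chrome/86", "read_mail"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]
BASELINE = {"cfo@example.com": {"US"}, "it@example.com": {"US"}}  # countries seen before
SENSITIVE = {"send_mail"}  # actions that matter most in a BEC scenario


def detect_ato(events, baseline):
    """Return (ts, user, reasons) alerts keyed to the user, not the endpoint."""
    session_origin = {}  # session id -> (ip, user agent) of the first event seen
    seen = defaultdict(set, {u: set(c) for u, c in baseline.items()})
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        client = (ev["ip"], ev["ua"])
        # The first event of a session (the MFA login here) pins its client.
        origin = session_origin.setdefault(ev["session"], client)
        if client != origin:
            reasons.append("session used from a different client than its MFA login")
        # The baseline is not updated from flagged traffic, so it cannot be poisoned.
        if ev["country"] not in seen[ev["user"]]:
            reasons.append("country not in user's baseline")
        if reasons and ev["action"] in SENSITIVE:
            reasons.append("sensitive action: " + ev["action"])
        if reasons:
            alerts.append((ev["ts"], ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect_ato(EVENTS, BASELINE):
        print(ts, user, "; ".join(reasons))
```
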

Some experts say that robust AI must be part of the long-term plan to attack the problem of compromised accounts.

Rippel, though, believes that fortunately, cybersecurity vendors have acknowledged the cost and technical barriers preventing Security Information and Event Management (SIEM) from detecting ATO events, which has led to the formation of the ATO prevention solutions niche.

Rippel says that ATO prevention tools (like Barracuda Sentinel) have the edge over SIEM and legacy email security solutions in a BEC attack scenario. This edge is because ATO prevention uses APIs to detect and take immediate action in response to suspicious user activity, versus old-fashioned security solutions, which require a (costly) security analyst or Security Orchestration Automation and Response (SOAR) solution to identify and automate the appropriate incident response.

MSPs can take the lead in educating users about the possibility of BECs. In today’s cyber-environment, no one should send funds anywhere based on an email. An old-fashioned phone call can, ironically, do a lot to bring down the most cutting-edge cybercriminals.
