Everyone responsible for securing organisations today recognises the significant growth in BEC (Business Email Compromise) attacks, also sometimes known as “Whaling” or “CEO fraud”.
BEC scammers trick accounting and finance departments into wiring considerable amounts of money into bank accounts under their control, posing as genuine suppliers invoicing for services delivered, or senior company executives.
Individually, some firms have lost millions through the scam emails, and the FBI has estimated that globally over the past five years firms have lost a jaw-dropping $12 billion as a result of the scams.
There is clearly a lot of money to be made by criminals through business email compromise – and that’s why it’s so important that those tasked with securing organisations against threats are aware of any changing trends in the scammers’ behaviour.
New research has revealed that business email compromise is being made easier for any criminal to add to their arsenal.
Researchers at threat intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information.
The researchers found over 50,000 email files that contained terms such as “invoice”, “payment”, or “purchase order” terms in misconfigured or unauthenticated file stores. In some cases, the email archives have even contained passport scans.
It’s clear that an attacker doesn’t need to perform an account takeover to gain access to the contents of an inbox. As a result, the barrier for entry for a potential BEC scammer is going to be much lower when such sensitive information is available freely on the web, thanks to the careless backup practices of employees and contractors.
But what if a criminal can’t locate a publicly accessible archive of your company’s email? What do they do then?
Well, criminals on the computer underground are prepared to offer their services – offering to compromise corporate email accounts for as little as $150 – to help a budding BEC fraudster make his or her riches. In some of the online adverts, the hackers brag that they will be able to deliver the login credentials within seven days.
In some cases the hacker will offer to go into partnership with the wannabe scammer, offering their services for 20% of the proceeds.
You don’t need access to a corporate email account to successfully pull off a BEC scam (you could, for instance, purchase a lookalike domain name in an attempt to dupe an employee in the finance department that you were a senior member of staff or supplier), but it certainly helps to make an attack more likely to succeed. Not only will you have control over a genuine corporate email address (making any messages you send more convincing) attack, but you will also be able to harvest information about projects and suppliers to make your attack appear more legitimate.
With the stakes so high, organisations need to work hard to reduce the chances of being the victim of a BEC attack. That means training staff to be aware of the threat, and building processes and manual controls to reduce the chances of money being wire transferred to unauthorised parties.
In addition, it is essential that corporate email accounts are protected by multi-factor authentication, and that login credentials are not being carelessly reused or exposed. And, care needs to be taken that email archives are not being left exposed publicly through a lack of security or misconfiguration.
For more tips on how to detect business email compromise, be sure to read this article.