What are BEC scams and how to avoid them


This blog was written by an independent guest blogger.

To carry out business email compromise (BEC) fraud, an attacker impersonates an organization’s senior manager, business partner, or supplier and tries to manipulate an employee into transferring money to an account the attacker controls. The rogue message typically comes from a spoofed or previously hacked email address, which makes the foul play highly persuasive. Essentially, BEC is a type of phishing focused on the enterprise.

As general fraud awareness in the corporate sector grows, malicious actors are constantly refining their tactics to make sure their scams bypass secure email gateways and slip below a vigilant recipient’s radar. Furthermore, the use of cash-out mechanisms that are hard to trace or reverse, such as gift cards and cryptocurrency, takes their operational security (OPSEC) a step further. Combined with clever social engineering tricks that make victims act impulsively, these strategies can be incredibly effective.

The FBI reported more than $1.8 billion in losses from this cybercrime technique in 2020 alone. Companies around the world should interpret these staggering stats as a call to action in terms of hardening their defenses against the threat.

The forms of business email compromise

The common denominator in all BEC schemes is to extract money and get away with it, but the methods of achieving this goal vary. Three scenarios dominate.

Knock-off invoices

When this classic ploy is underway, an attacker requests a wire transfer on behalf of an entity the target organization cooperates with, such as a managed service provider (MSP) or supplier. The narrative often involves an alleged change of the mimicked company’s bank account details.

Whaling

To perpetrate this stratagem, which is also known as CEO fraud, a crook passes himself off as a person who holds an executive-level position in a company. It is usually preceded by a spear-phishing attack that results in the takeover of the executive’s email account. Sometimes attackers use credentials exposed in a data breach to access the account instead. The impostor then contacts personnel from the finance department with a request to make an urgent payment for fictitious services.

Reaching out to business contacts

Fraudsters may try to expand the attack surface by targeting a victim’s partners and contractors whose contact details and additional sensitive information were obtained in the course of the original assault. In this case, a sure-fire way to feign legitimacy is to send a fraudulent wire transfer request from a real email account used by an employee of the primary victim.

Newsmaking BEC examples

Counterintuitively, this vector of cybercrime isn’t focused on big-name companies only. Nonprofits, schools, and small municipalities are frequent targets as well due to their low preparedness for such incursions. The following incidents show how intricate these attacks can get.

U.S. town ripped off

The Town of Peterborough, New Hampshire, found itself in the epicenter of a BEC scam in July 2021. Crooks used a number of spoofed email accounts and forged invoices to dupe town employees into submitting a total of $2.3 million to wrong destinations.

The attack took place in three stages. The first transfer amounted to $1.2 million and was intended for the local school district. Two more payments were supposed to go to companies constructing a local bridge. By the time the scam was discovered, the funds had already been converted to cryptocurrency and moved through a series of transactions, leaving little for investigators to recover.

One Treasure Island BEC attack

In late December 2020, scammers defrauded One Treasure Island, a San Francisco nonprofit that helps low-income and homeless people. The organization was tricked into sending $650,000 to a party that portrayed itself as a contractor hired to implement affordable housing projects in the San Francisco Bay area.

The hoax was unearthed in January 2021 when it turned out that the intended recipient never got the funds. Investigation showed that the fraud had started with a hack of a third-party accountant’s email system. The criminals then abused this access to gain a foothold in the nonprofit’s communication chains. This allowed them to change the details on the original invoices from the partnering firm, which resulted in several fraudulent transfers to accounts under the crooks’ control.

The jaw-dropping Toyota swindle

A European supplier of interior parts for Toyota vehicles fell victim to a massive BEC attack in August 2019. Con artists were able to manipulate the company’s employees into sending out 4 billion Japanese yen (approximately $37 million) to the wrong bank account. There have since been no reports of whether the victim’s efforts to recover these funds were successful.

Oregon school district in the crosshairs of phishers

In August 2019, another attack was executed against Portland Public Schools, the largest school district in Oregon. The fraudster pretended to be a representative of a construction firm the institution cooperated with. The scam zeroed in on two district employees who ended up authorizing a $2.9 million payment to the attackers. The silver lining was that the crook hadn’t moved these funds out of their account by the time the incident was uncovered. The whole sum was frozen and subsequently recovered.

City in Georgia deceived by MSP copycat

A malicious party claiming to be an operator of water treatment facilities bilked the City of Griffin, Georgia, out of $802,000 in June 2019. The self-proclaimed contractor sent an email that informed city authorities about an alleged update of the bank account information. The message also requested two payments for services actually provided to the city.

Investigators found that the criminals had compromised the contractor’s computer system shortly before the fraud occurred. This allowed them to concoct a legitimate-looking invoice in which the amounts of money that the firm was expecting to receive were accurate.

Make sure your organization isn’t low-hanging fruit for BEC scammers

Since this type of exploitation largely hinges on social engineering, security awareness is paramount when it comes to avoiding the worst-case scenario. Safe online practices of your employees, combined with automatic protection tools, such as Internet security software, spam filters, and secure email gateways, can forestall most of these scams. Let’s now get into detail on these precautions.

Say no to free web-based email for business correspondence. Such services are a lure because they cost nothing, but there is a serious caveat: anyone can register a look-alike address on the same public domain, and your counterparties have no way to tell your mailbox from an impostor’s. Hosting corporate accounts on your company’s domain is a much more reasonable approach, because you control that domain and can publish SPF, DKIM and DMARC records so that receiving servers reject forged mail claiming to come from it. In addition to complicating this type of foul play, it is one of the building blocks of a reputable brand and an element of business communication done right.
Be careful with messages from unknown parties. If an email received from a stranger instructs you to click a link or download an enclosed file, do not act on it; report it to your security team so that others who received the same message can be warned.
Examine the sender’s address. When trying to impersonate a trusted individual or company, a phisher may use an email address that differs only slightly from the genuine one: a transposed letter, a digit in place of a letter, an extra word, or a different top-level domain. Pay attention to spelling inaccuracies and redundant characters, and check the Reply-To header as well, since it can point somewhere other than the visible From address.
Cultivate your team’s prudence. Setting up a security awareness program is an investment that pays off. It will teach your colleagues to pinpoint red flags when working with public Wi-Fi, websites, emails, and documents.
Use the “Reply” option wisely. Replying sends your answer to whatever Reply-To address the sender chose, which is exactly what an impostor wants. If you are discussing a sensitive matter over email, consider using the “Forward” button instead: it requires you to type the correct address or pick it from the address book, which eliminates the risk of engaging with a charlatan who pretends to be someone you trust.
Make the most of two-factor authentication (2FA). With it enabled, a stolen password alone is not enough to sign in to a corporate email account; access also requires an extra factor, such as a hardware security key, biometric data, or a one-time code. Prefer phishing-resistant methods such as security keys where you can: one-time codes can be relayed in real time by phishing kits that proxy the genuine login page.
Monitor your email server settings. Ask your IT team to keep abreast of changes in the server’s configuration and the mail-flow rules that apply to critical accounts. Attackers who take over a mailbox routinely add inbox rules that forward or silently delete messages so the legitimate owner never sees the fraudulent thread, so alert on newly created forwarding and deletion rules.
Be a little paranoid about money transfer requests. Don’t hesitate to verify the legitimacy of any email that tells you to send out funds to a third party, even if it appears to come from your boss. A quick phone call to a number you already have on file, not one taken from the email itself, can dot the i’s and cross the t’s. If you work under the same roof, there is no harm in walking over and asking.
Raise the bar for green-lighting big payments. It is a good idea to involve a second approver in the process of authorizing wire transfers where the amount exceeds a certain threshold. This will minimize the odds of a single person being talked into a blunder.
Adjust your enterprise policies. Require a thorough verification, through a channel other than the email that requested it, of any changes in the bank account details and contact information of contractors, business partners, and other parties your company cooperates with.
Make external emails easy to discern. Configure your email server to display a warning banner in messages that come from outside the organization. This should encourage users to look closer at an “internal” request that arrives from an outside address.
Don’t post too much personal data online. Crooks tend to do a good deal of reconnaissance before orchestrating BEC scams. For example, they may collect information about their targets, such as who approves payments and who the suppliers are, from publicly available sources like social networks and personal blogs. It is therefore in your best interest to restrict the range of sensitive details you share on these services.
Know the peculiarities of your business niche. This will help you distinguish between legitimate emails and sketchy ones that don’t fit the context of your day-to-day activities.
Leverage technology. Modern Internet security applications come with anti-fraud features backed by continuously updated databases of phishing domains and templates currently in circulation. Such tools add an extra layer of protection to your BEC prevention efforts, but they are a backstop for the verification habits above, not a replacement for them.
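The sender checks in the list above (look-alike addresses, Reply-To versus From, external-sender banners, and payment requests that deserve out-of-band verification) can be automated as a first-pass screen. The following Python is an added example and is not code from the original post; the corporate domain example.com, the trusted-supplier list, the executive roster, the 0.85 similarity threshold and the four sample messages are all constructed for the illustration. It goes slightly beyond the text by also folding confusable character pairs (rn for m, 1 for l, 0 for o, vv for w) into the look-alike comparison, not just misspellings.

```python
"""Screen inbound mail for the BEC red flags listed above.

Added example, not code from the original post. It parses the From,
Reply-To and Subject headers and flags: a sender domain that imitates a
trusted one (confusable characters, dropped or swapped letters), an
executive's display name on a mailbox that is not theirs, a Reply-To
pointing somewhere other than the From domain, and payment-related
subjects. It also tags external mail the way a banner rule would.
Every domain, name and message below is constructed for the example.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                            # assumed corporate domain
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com", "bridgeworks.net"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # display name -> real mailbox
PAYMENT_WORDS = ("wire", "payment", "bank details", "invoice")
LOOKALIKE_THRESHOLD = 0.85                            # assumed tuning value


def normalize(domain):
    """Fold character pairs that attackers swap in to mimic a trusted domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:          # exact trusted domain is not a look-alike
        return None
    norm = normalize(domain)
    best, score = None, 0.0
    for trusted in sorted(TRUSTED_DOMAINS):
        ratio = difflib.SequenceMatcher(None, norm, normalize(trusted)).ratio()
        if ratio > score:
            best, score = trusted, ratio
    return best if score >= LOOKALIKE_THRESHOLD else None


def impersonates_executive(display_name, address):
    """True when a known executive's name sits on an address that is not theirs."""
    real = EXECUTIVES.get(display_name.strip().lower())
    return real is not None and address.lower() != real


def domain_of(address):
    return address.rpartition("@")[2].lower()


def screen(raw_message):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    subject = msg.get("Subject", "").lower()
    findings = []
    if from_domain != OUR_DOMAIN:
        findings.append("EXTERNAL")
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"LOOKALIKE:{from_domain}~{target}")
    if impersonates_executive(name, addr):
        findings.append(f"EXEC_NAME_MISMATCH:{addr}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"REPLY_TO_MISMATCH:{reply_domain}")
    if any(word in subject for word in PAYMENT_WORDS):
        findings.append("PAYMENT_KEYWORDS")
    return findings


def is_high_risk(findings):
    """A payment request plus any spoofing indicator warrants a phone call."""
    spoof = any(f.split(":")[0] in ("LOOKALIKE", "EXEC_NAME_MISMATCH",
                                    "REPLY_TO_MISMATCH") for f in findings)
    return spoof and "PAYMENT_KEYWORDS" in findings


def tagged_subject(raw_message):
    """Prefix the subject the way an external-sender banner rule would."""
    subject = message_from_string(raw_message).get("Subject", "")
    return f"[EXTERNAL] {subject}" if "EXTERNAL" in screen(raw_message) else subject


SAMPLES = {  # constructed messages for the example
    "ceo_fraud": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "Reply-To: jane.doe.ceo@mail-relay.example\n"
        "Subject: Urgent wire transfer needed today\n\n"
        "Please process the attached invoice before noon.\n"
    ),
    "supplier_bank_change": (
        "From: Acme Supplier Accounts <accounts@acme-supplier.co>\n"
        "Subject: Updated bank details for invoice 4471\n\n"
        "Please use our new account for all future payments.\n"
    ),
    "trusted_supplier": (
        "From: Acme Billing <billing@acme-supplier.com>\n"
        "Subject: Invoice 4471\n\nAttached as agreed.\n"
    ),
    "internal": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Subject: Q3 planning\n\nSlides attached.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        flags = screen(raw)
        print(f"{label:22} high_risk={is_high_risk(flags)} {flags}")
```

Run it as a script to print the flags for each sample. In production the screen would sit in a mail-flow rule or a SOAR playbook; the trusted-domain list has to be maintained (a supplier that legitimately changes its domain would otherwise look like an impostor), and a high-risk verdict should route the message to out-of-band verification rather than silent deletion.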


3 authentication-level protections for remote users and devices


Do the traditional techniques of protection still work in the age of work from home? Yes, but you need to use different rules and products. Traditional networks have been set up in the same fashion: a traditional Active Directory domain, a variety of domain controllers, workstations under the control of that domain, and all tucked behind a firewall.

Before the pandemic, roaming laptops and users already gave us the headache of maintaining user profiles and group policies for those who stayed on the network versus those who roamed. Then the pandemic hit, and our workstations are now anywhere and everywhere. Instead of a somewhat nice and tidy domain tucked behind a series of firewalls and defenses, the workstation is now connected to the same home network as Alexa devices. The response is often to throw scanning engines and antivirus products at workstations, but all that does is delay boot-up and network logon times.


Multiple Vulnerabilities in Mozilla Firefox and Firefox Extended Support Release (ESR) Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Microsoft Patch Tuesday, February 2022 Edition


Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s SharePoint Server versions 2013-2019 that could be exploited by any authenticated user.

“The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it ‘Important,’” said Allan Liska, senior security architect at Recorded Future. “However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.”

Kevin Breen at Immersive Labs called attention to CVE-2022-21996, an elevation of privilege vulnerability in the core Windows component “Win32k.”

“In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,” Breen said. “February sees more patches for the same style of vulnerability in this same component. It’s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly.”

Another elevation of privilege flaw CVE-2022-21989 — in the Windows Kernel — was the only vulnerability fixed this month that was publicly disclosed prior to today.

“Despite the lack of critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,” said Greg Wiseman, product manager at Rapid7. “Remote code execution vulnerabilities are also important to patch, even if they may not be considered ‘wormable.’ In terms of prioritization, defenders should first focus on patching server systems.”

February’s Patch Tuesday is once again brought to you by Print Spooler, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed “PrintNightmare” that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.

One important item to note this week is that Microsoft announced it will start blocking Internet macros by default in Office. This is a big deal because malicious macros hidden in Office documents have become a huge source of intrusions for organizations, and they are often the initial vector for ransomware attacks.

As Andrew Cunningham writes for Ars Technica, under the new regime when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013.

“Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros,” Cunningham wrote. “The change will be previewed starting in April before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June.”

January’s patch release was a tad heavier and rockier than most, with Microsoft forced to re-issue several patches to address unexpected issues caused by the updates. Breen said while February’s comparatively light burden should give system administrators some breathing room, it shouldn’t be viewed as an excuse to skip updates.

“But it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy,” Breen said.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.


[R1] Nessus Versions 8.15.3 and 10.1.1 Fix Multiple Third-Party Vulnerabilities

Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (Expat) was found to contain vulnerabilities, and an updated version has been made available by the provider.

Out of caution and in line with best practice, Tenable has opted to upgrade the Expat component to address the potential impact of the issue. Nessus 10.1.1 and Nessus 8.15.3 update Expat to version 2.4.4 to address the identified vulnerabilities.
