Dark Reading is part of the Informa Tech Division of Informa PLC
Attacks/Breaches

4/8/2020
07:00 PM
Keeping Vigilant for BEC Amid COVID-19 Chaos

FBI and security experts warn that attackers are particularly targeting cloud-based email systems at the moment.

This week the US Federal Bureau of Investigation (FBI) urged businesses and remote workers to be extra wary of business email compromise (BEC) scams through cloud-based email, warning that attackers have redoubled their efforts to carry out BEC attacks in the wake of the COVID-19 pandemic.

In a public service announcement released by the FBI's Internet Crime Complaint Center (IC3) on Monday, the feds warned that cybercriminals are specifically going after organizations that use cloud-based email systems with BEC attempts, cashing in on the fact that many victims never turned on the security features that these platforms leave to be manually configured and enabled.

The FBI's IC3 calculates that between January 2014 and October 2019 alone it recorded $2.1 billion in actual losses from BEC scams targeting just two popular cloud-based email services.

Meanwhile, the FBI National Press Office on Monday also sent out a release warning that the agency anticipates a general rise in BEC schemes that profit from the chaos, urgency, and user distraction wrought by the global pandemic. For example, officials noticed that "there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19."

BEC scams vary based on the creativity of the attacker, but the general gist is that they seek out well-placed individuals who control financial accounts at their organization. Using tactics like email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department — and try to convince their mark via email to make a very expensive mistake. In some instances they will try to trick the person into transferring money to the fraudster for fictionally "legitimate" purposes, or into making last-minute changes to the details of an existing financial transaction that benefit the criminal.

These kinds of technology-enhanced cons have cost organizations millions of dollars at a time. 

"It is important for leaders to recognize that BEC email fraud and email account compromise have grown to become probably the most expensive problem in all of cybersecurity," says Sherrod DeGrippo, senior director of threat research and detection for Proofpoint.

In fact, FBI IC3 recently noted in its 2019 Internet Crime Report that BEC scams accounted for 40% of the losses from cybercrime last year. That number is likely to spike even further as criminals see BEC during the pandemic as low-hanging fruit. The rapid dispersal of employees into makeshift work-from-home setups, the use of unfamiliar devices, and the distractions and anxiety created by illness and business disruption have all combined to create an ideal BEC hunting ground for the bad guys.

"Employees working from home are likely to be even more distracted than usual, with children, household chores, and coronavirus anxieties all competing for their attention," explains Seth Blank, vice president of standards and new technologies at Valimail. "That will make them even less attentive to the subtle clues that an email is a phishing attack. And, when working from home, they're also more likely to be using a small screen or even their cellphones to manage email, which can make some of these phish attempts — which used bogus sender identities — nearly impossible to detect."

Phishy Cloud-Based Email

They're also more likely to be communicating via cloud-based email services, sometimes for the first time in an official business setting. According to the FBI, criminals have particularly been ramping up opportunistic phishing campaigns using kits that impersonate popular cloud-based email services.

"Cloud services are particularly appealing for cybercriminals because users are typically familiar with these tools and are likely to click on messages associated with them," says DeGrippo. "Users also typically use cloud accounts outside of the security protection of their organization, opening them up to potential compromise."

Once the criminals gain access to a victim's cloud account, FBI officials say they will often analyze the contents of the mailbox to look for evidence of financial transactions. If they find it, they will sometimes configure that person's mailbox rules to delete messages about transactions or to automatically forward relevant messages to the attacker's outside email account. That gives them free rein to insert themselves in the communication chain between the victim and third parties like vendors or customers, and to try to get pending or future payments redirected to fraudulent accounts.
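The mailbox-rule tampering described above leaves a trace in the audit trail of cloud email platforms, which is what the FBI's later advice to monitor email settings changes and to prohibit external auto-forwarding relies on. The following Python detector is an added example, not code from the article or the FBI notice: it flags rule or mailbox changes that forward to an external domain, silently delete messages, filter on payment-related subjects, or hide behind a near-empty rule name. The sample audit records and their field names are constructed, loosely modelled on the shape of Exchange Online's New-InboxRule/Set-Mailbox audit entries, and `example.com` is the assumed internal domain.

```python
import json
from typing import Dict, List

# Assumed internal domain(s); a forward anywhere else counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Subject-filter words that suggest a rule is aimed at payment traffic.
TRANSACTION_WORDS = {"invoice", "payment", "wire", "remittance", "bank", "transfer"}
# Parameters that send a copy of mail elsewhere (names assumed, modelled on Exchange Online audit entries).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample audit records, one JSON object per line (field names are assumptions).
SAMPLE_LOG = r'''
{"UserId":"cfo@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire"},{"Name":"ForwardTo","Value":"finance.backup@gmail.com"},{"Name":"DeleteMessage","Value":"True"}]}
{"UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"From","Value":"pm@example.com"},{"Name":"MoveToFolder","Value":"Projects"}]}
{"UserId":"bob@example.com","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.home@outlook.com"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"UserId":"carol@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"Receipts"},{"Name":"ForwardTo","Value":"archive@example.com"}]}
'''

def is_external(address: str) -> bool:
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def analyze_record(record: dict) -> List[str]:
    """Reasons a mailbox-settings change looks like BEC staging (empty list = benign)."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARD_PARAMS & params.keys()):
        for target in params[name].split(";"):
            if is_external(target):
                reasons.append(f"{name} to external address {target.strip()}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule silently deletes matching messages")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
    if words & TRANSACTION_WORDS:
        reasons.append("subject filter targets payment mail: " + ", ".join(sorted(words & TRANSACTION_WORDS)))
    if record.get("Operation") == "New-InboxRule" and len(params.get("Name", "").strip()) <= 2:
        reasons.append("rule name is empty or near-empty, a common way of hiding a rule")
    return reasons

def find_suspicious(log_text: str) -> Dict[str, List[str]]:
    """Map each user whose change hit at least one indicator to the reasons."""
    hits = {}
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        reasons = analyze_record(record)
        if reasons:
            hits[record["UserId"]] = reasons
    return hits
```

Calling `find_suspicious(SAMPLE_LOG)` flags the CFO's rule on four counts and Bob's external forward on one, while Alice's and Carol's internal-only rules pass.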

From a technical perspective, the FBI recommends that organizations head these cloud-based email BEC scams off at the pass by prohibiting automatic forwarding to external addresses, using multifactor authentication and prohibiting legacy protocols that can circumvent MFA, monitoring email settings changes, and configuring Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and validate email.
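To act on the SPF and DMARC part of that advice, this added Python checker (not from the article or the FBI) parses the TXT records a domain publishes and reports the settings that leave spoofing unblocked, showing a weak configuration beside a hardened one. The domains and records are constructed; a real check would fetch them from DNS (the DMARC record lives at `_dmarc.<domain>`), which is assumed away here, and the tag parsing is a deliberately simple regex rather than a full RFC 7489 parser.

```python
import re
from typing import Dict, List

# Constructed TXT records for hypothetical domains (the domain's own record plus the
# one at _dmarc.<domain>, merged into one list); a real check would fetch these from DNS.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ?all",
                     "v=DMARC1; p=none; pct=50"],
    "hardened.example": ["v=spf1 include:_spf.mailhost.example -all",
                         "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"],
    "nodmarc.example": ["v=spf1 +all"],
}

def check_spf(records: List[str]) -> List[str]:
    """SPF findings: record missing/duplicated, or an 'all' qualifier that does not fail unknown senders."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot reject forged envelope senders"]
    if len(spf) > 1:
        return ["multiple SPF records: RFC 7208 treats this as a permanent error"]
    all_term = next((t for t in spf[0].split() if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["SPF has no 'all' mechanism: unlisted senders default to neutral"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"+": ["'+all' authorises any host on the internet to send as this domain"],
            "?": ["'?all' is neutral: spoofed mail is neither passed nor failed"],
            "~": ["'~all' softfail only: move to '-all' once legitimate senders are enumerated"],
            "-": []}[qualifier]

def check_dmarc(records: List[str]) -> List[str]:
    """DMARC findings: record missing, monitor-only policy, partial rollout, or no reporting address."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are never enforced against the From: header"]
    tags = {k: v.strip() for k, v in re.findall(r"\s*([a-z]+)\s*=\s*([^;]+)", dmarc[0].lower())}
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return findings

def assess(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """All SPF and DMARC weaknesses for one domain; an empty list means the controls are enforced."""
    records = txt.get(domain, [])
    return check_spf(records) + check_dmarc(records)
```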

Meanwhile, according to the FBI, be on the lookout for these red flags for a BEC amid the COVID-19 lockdown:

  • Unexplained urgency
  • Last-minute changes in wire instructions or recipient account information
  • Last-minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

Ultimately, it is going to be up to organizations to pass this knowledge on to workers who are already shooting from the hip in very unusual working circumstances. 

"Working remotely 100 percent of the time is different than working from home once or twice a week," DeGrippo says. "Extra vigilance is required especially regarding the links you are clicking on, and the funds you wire, because remote working often means you aren't protected by the same safeguards your office has in place; nor is it easy to check with colleagues or partners to verify the authenticity of a payment request."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.