Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/8/2020
07:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Keeping Vigilant for BEC Amid COVID-19 Chaos

FBI and security experts warn that attackers are particularly targeting cloud-based email systems at the moment.

This week the US Federal Bureau of Investigations (FBI) urged businesses and remote workers to be extra wary of business email compromise (BEC) scams through cloud-based email, warning that attackers have redoubled their efforts to carry out BEC attacks in the wake of the COVID-19. 

In a public service announcement released by the FBI's Internet Crime Complaint Center (IC3) on Monday, the feds warned that cybercriminals are specifically going after organizations that use cloud-based email systems with BEC attempts, cashing in on the fact that many victims will not have taken the care to turn on the security features on these platforms that need to be manually configured and enabled.

FBI's IC3 calculates that between January 2014 and October 2019 alone it has recorded $2.1 billion in actual losses from BEC scams targeting just two popular cloud-based email services.  

Meanwhile, the FBI National Press Office on Monday also sent out a release that warned that the agency anticipates a general rise in BEC schemes to profit off of the chaos, urgency, and user distraction wrought by the global pandemic. For example, officials noticed that "there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19."

BEC scams vary based on the creativity of the attacker, but the general jist is that they seek out well-placed individuals who control financial accounts at their organization. Using tactics like email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department —and try to convince their mark via email to make a very expensive mistake. In some instances they will try to trick the person to transfer money to the fraudster for fictionally "legitimate" purposes or to make last-minute changes in details in an existing financial transaction to benefit the criminal.

These kinds of technology-enhanced cons have cost organizations millions of dollars at a time. 

"It is important for leaders to recognize that BEC email fraud and email account compromise have grown to become probably the most expensive problem in all of cybersecurity," says Sherrod DeGrippo, senior director of threat research and detection for Proofpoint.

In fact, FBI IC3 recently noted in its 2019 Internet Crime Report that BEC scams accounted for 40% of the losses for cybercrime last year. That number is likely to spike even further as criminals see BEC in the pandemic as low-lying fruit. The rapid distribution of employees to makeshift work-from-home situations, the use of unfamiliar devices, the distractions and anxiety created by illness and business disruption, have all combined to create an ideal BEC hunting ground for the bad guys.

"Employees working from home are likely to be even more distracted than usual, with children, household chores, and coronavirus anxieties all competing for their attention," explains Seth Blank, vice president of standards and new technologies at Valimail. "That will make them even less attentive to the subtle clues that an email is a phishing attack. And, when working from home, they're also more likely to be using a small screen or even their cellphones to manage email, which can make some of these phish attempts — which used bogus sender identities — nearly impossible to detect."

Phishy Cloud-Based Email 

They're also more likely to be communicating cloud-based email services, sometimes for the first time in an official business setting. According to the FBI, criminals have particularly been ramping up on opportunistic phishing campaigns using kits that impersonate popular cloud-based email services. 

"Cloud services are particularly appealing for cybercriminals because users are typically familiar with these tools and are likely to click on messages associated with them," says DeGrippo. "Users also typically use cloud accounts outside of the security protection of their organization, opening them up to potential compromise."

Once the criminals get access into a victim's cloud account, FBI officials say they will often analyze the content of email stores to look for evidence of financial transactions. If they find it, sometimes they'll configure mailbox rules of that person to delete messages about transactions or automatically forward relevant messages to the attacker's outside email account. That gives them free reign to insert themselves in the communication chain between the victim and third parties like vendors or customers to try and get pending or future payments redirected to fraudulent accounts. 

From a technical perspective, the FBI recommends that organizations head these cloud-based email BEC scams off at the pass by prohibiting automatic forwarding to external addresses, using multifactor authentication and prohibiting legacy protocols that can circumvent MFA, monitoring email settings changes, and configuring Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and validate email.

Meanwhile, according to the FBI, be on the lookout for these red flags for a BEC amid the COVID-19 lockdown:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

Ultimately, it is going to be up to organizations to pass this knowledge on to workers who are already shooting from the hip in very unusual working circumstances. 

"Working remotely 100 percent of the time is different than working from home once or twice a week," DeGrippo says. "Extra vigilance is required especially regarding the links you are clicking on, and the funds you wire, because remote working often means you aren't protected by the same safeguards your office has in place; nor is it easy to check with colleagues or partners to verify the authenticity of a payment request."

Related Content:

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...