Understanding Business Email Compromise (BEC) - A Guide

executive summary

Business Email Compromise (BEC) attacks are increasing, posing significant threats to organizations globally. In the realm of cybercrime, BEC attacks stand out as a highly sophisticated and rapidly evolving threat. These attacks mainly rely on cleverly crafted emails to trick people within a company into doing things that can harm the company. The primary goals of these attacks are financial gain and access to sensitive information. Therefore, it's important for businesses to understand the different aspects of this threat.

BEC attacks are multifaceted, encompassing a range of tactics and techniques. They exploit the psychology of trust and authority to deceive employees into transferring funds to attacker-controlled accounts or disclosing sensitive company information. In the world of cybersecurity, there are many different kinds of people and groups trying to carry out these attacks, from individual hackers to organized criminal organizations. To protect themselves effectively, organizations need to dive deep into how these attacks work, understand the methods these attackers use, and put strong defenses in place.

what is business email compromise (BEC)?

In today's digital landscape, cyber threats are constantly evolving, and one that's been making waves is Business Email Compromise (BEC). This type of email-based cybercrime has been causing significant problems for businesses, regardless of their size or industry. The potential financial losses associated with BEC run into the billions of dollars.

At its core, BEC is a form of social engineering conducted through email. In a BEC attack, the attacker crafts an email message with the aim of convincing the recipient to take specific actions, typically involving fraudulent fund transfers. Here are some distinctive features that set BEC apart from other email-based attacks:

1. No Malicious Components: Unlike many email threats, BEC emails typically don't contain malware, malicious links, or attachments. This lack of traditional red flags challenges conventional email security filters.
   • However, there are exceptions to this point that we will discuss below.
2. Laser-Focused Targeting: BEC attacks hone in on specific individuals within an organization, leveraging their roles and responsibilities.
3. Tailored Personalization: These attacks involve an extraordinary level of personalization. Attackers conduct extensive research on the targeted organization, enabling them to craft messages that are incredibly convincing and tailored to the recipient's unique context.

What makes BEC attacks particularly concerning is its ability to slip past typical email security filters. These emails typically consist of plain text, making them blend seamlessly with legitimate email traffic. Furthermore, BEC emails are carefully designed to deceive recipients into taking action based on the message content.

Attackers often go to great lengths to impersonate known contacts within the organization (IT staff, CEO, human resources, etc.), sometimes even inserting themselves into ongoing email threads. In many cases, the attacker assumes the identity of a high-ranking executive within the organization, compelling the victim to comply with their fraudulent request.

bec and healthcare

In October 2021, Avertium published a Threat Intelligence Report regarding the top five cyber threats in healthcare, one of which was BEC. Unfortunately, that fact remains true as recent findings in a report by Abnormal Security have sent shockwaves through the healthcare sector, revealing a staggering 279% increase in BEC attacks this year. Alongside this alarming rise, advanced email threats, encompassing BEC, credential phishing, malware, and extortion, have surged by 167%.

To put these numbers into perspective, the average number of advanced email attacks per 1000 mailboxes within the healthcare industry embarked on an unsettling journey. Starting the year at 55.66 in January 2023, it skyrocketed to over 100 in March. Though there has been a degree of stabilization, with approximately 61.16 attacks per 1000 mailboxes for the remainder of the year, historical patterns signal a potential uptick during the upcoming holiday season.

While BEC attacks might not flood inboxes at the same volume as some other email threats, they have the most financial risks. The Federal Bureau of Investigation (FBI) reports an average financial loss of $125,000 per BEC attack. These attacks are on the rise, posing an escalating danger because they often rely on text-based deception, emanate from legitimate domains, and lack typical indicators of compromise.

Let's break down a real-life scenario from the Abnormal Security report to better understand the danger of these threats. In this case, there was an attacker pretending to be the top executive (the president and CEO) of a healthcare network. This attacker cleverly asked for updated aging statements for customers and requested email addresses for the account payables department.

Now, here's the important part: If someone from the healthcare network had responded to this seemingly harmless email, it could have given the attacker access to very important financial information. They could have redirected payments, causing the healthcare network to lose a lot of money. So, even though the email appeared innocent, falling for it could have serious consequences for the healthcare organization. It's a reminder of how careful we all need to be when dealing with emails, especially in sensitive industries like healthcare.

threat actors using bec

LAZARUS

In 2020, researchers observed the North Korean threat actor, Lazarus, engaging in BEC scams. The threat actors were targeting European aerospace and military organizations by using LinkedIn job recruiter profiles to send private messages to targets. The campaign was named “Operation In(ter)caption its goal was cyber espionage as well as financial theft. The campaign also includes the use of malicious tools designed for Windows.

After the threat actors gathered their intelligence and company data, they attempted to scam the company’s business partners – combing through their target’s email boxes, looking for unpaid invoices. The threat actors then tried to pressure the customer for payment on the invoice while directing the payments to an alternate bank account.

The attempt to deceive the victim's business partners was foiled, according to ESET. This was because business associates detected something suspicious in the threat actor’s follow-up emails.

APT29

In April 2023, APT29 carried out an espionage campaign targeting NATO and EU member states' diplomatic and foreign ministries. This ongoing operation introduced previously undocumented malware payloads. Poland's Military Counterintelligence Service and CERT Polska (CERT.PL) uncovered and probed the campaign, which involved APT29 hackers dispatching spear-phishing emails to specific diplomatic personnel.

Image 1: Email from APT29

Source: CERT.pl

Generally, BEC scams don’t include malware and instead focus on social engineering and manipulation. However, this particular campaign involved both manipulation and malicious documents. These deceptive emails were disguised as messages from European embassies, inviting recipients to meetings or collaborative document work. Enclosed in these emails were PDF attachments featuring links to external-looking calendars, meeting specifics, or work documents. Clicking on these links directed individuals to web pages utilizing JavaScript code to decrypt a payload, making it available for download. The script employed HTML Smuggling, streamlining the transfer of files attached as .ISO, .ZIP, or .IMG formats.

FIN7

FIN7 is another threat actor that uses BEC in its attacks. The group has been around for a long time and is one of the most prolific threat actors of all time. The threat actor is known for its persistence. Even if their initial BEC attempts are unsuccessful, they may continue to target the organization using different tactics and approaches, adapting to security measures.

FIN7's primary mission revolves around two key objectives. Firstly, they have placed significant emphasis on BEC attacks and infiltrating point-of-sale (POS) systems. Their goal is to extract sensitive data, particularly credit card information and financial data. Secondly, this group has had established connections with ransomware gangs like REvil and Dark Matter.

FIN7 typically begins cyberattacks by sending emails to employees of the targeted companies. These emails often contain an attached file, often disguised as a harmless Microsoft Word document, but it has hidden malware inside (again, a combination of manipulation and malicious documents). The email messages look like legitimate business-related communications, tricking the employees into opening the attachment and unintentionally infecting their computers with malware.

In numerous instances, FIN7 would complement their emails with a phone call to the targeted company's employee, discussing the same subject matter. This tactic was aimed at lending credibility to the email. The caller would frequently guide the employee to the recently received email, encouraging them to open the attached file and inadvertently trigger the malware.

FIN7 predominantly targets industries such as fast-food and casual dining restaurants, hotels, casinos, and establishments conducting frequent point-of-sale transactions. Across their various victims, FIN7’s goal is to steal credit, debit, and occasionally gift card information utilized in customer transactions. Additionally, the group established a counterfeit computer security company named "Combi Security." They have used this front not only to enlist fresh members but also to provide a superficial appearance of legitimacy to their cybercriminal activity.

defense

Protecting against Business Email Compromise (BEC) schemes requires a combination of technology, policies, and employee awareness. Here are essential steps organizations can take:

• Employee Training: Educate employees about the dangers of BEC and train them to recognize common BEC tactics, such as email spoofing, impersonation, and unusual payment requests. Conduct regular phishing awareness training to enhance their ability to spot suspicious emails.
• Multi-Factor Authentication (MFA): Enforce MFA for email accounts and sensitive systems. Even if attackers gain access to credentials, MFA adds an extra layer of security.
• Email Authentication: Implement email authentication protocols like SPF, DKIM, and DMARC to verify the legitimacy of incoming emails. These measures help prevent email spoofing and domain impersonation.
• Email Filtering: Use advanced email filtering and anti-phishing solutions to detect and block malicious emails before they reach employees' inboxes. These tools can identify known phishing patterns and malicious attachments.
• Payment Verification Protocols: Implement a rigorous payment verification process, especially for large transactions. This could involve confirmation from multiple authorized personnel or the use of predetermined, secure contact methods.
• Regular Software Updates: Keep all software, including email servers and client applications, up to date to patch vulnerabilities that attackers might exploit.
• Vendor and Customer Communication: Educate vendors and customers about the organization's cybersecurity practices and encourage them to follow similar security measures.
• Continuous Monitoring: Implement continuous monitoring of email traffic and network activity to detect unusual patterns or signs of compromise.

How Avertium is Protecting Our Customers

Security solutions like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) play a crucial role in accelerating the detection and prevention of BEC attacks.

These tools aid security teams in swiftly recognizing BEC attempts, including those targeting network vulnerabilities, and highlighting suspicious activities across endpoints, email accounts, and other areas that may indicate hackers conducting reconnaissance.

• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  
  
• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
   
  • Risk Assessments
  • Pen Testing and Social Engineering
  • Infrastructure Architecture and Integration
  • Zero Trust Network Architecture
  • Vulnerability Management

• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

Supporting Documentation

Healthcare Organizations Experience 279% Increase in… | Abnormal (abnormalsecurity.com)

BEC Attacks Increase By 279% in Healthcare - Infosecurity Magazine (infosecurity-magazine.com)

North Korea's state hackers caught engaging in BEC scams | ZDNET

Microsoft Word - fact_sheet_how_fin7_attacked_and_stole_data_0 (justice.gov)

Businesses Are Doomed If They Don't Do This - FIN7 Beefs Up Their Hacking Arsenal (xitx.com)

What Is BEC? - Business Email Compromise Defined | Proofpoint US

Business Email Compromise — FBI

Understanding the Evolution of Modern Business Email Compromise Attacks - SentinelOne

Healthcare Organizations Experience 279% Increase in… | Abnormal (abnormalsecurity.com)

BEC Attacks Increase By 279% in Healthcare - Infosecurity Magazine (infosecurity-magazine.com)

What is Business Email Compromise (BEC)? | Microsoft Security

What is business email compromise (BEC)? | Cloudflare

What is business email compromise? | IBM

BEC groups are using Google Translate to target high value victims | CSO Online

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.