Ongoing Global Threat: Business Email Compromise groups

January 18, 2021

BEC scammer groups are growing more brazen. The average sum that a BEC group will try to steal from a targeted company is now around $80,000 (USD) per attack. In this Gridware Insight, we explore why leaders in all sectors need to be aware of the methods used by BECs and how to better prepare their organisations for their attacks.

Share:

Share on facebook
Share on twitter
Share on linkedin

Business Email compromise groups (BECs) are an ongoing threat globally to businesses. Their overarching objective is to siphon employee credentials, business intellectual property and persuade employees to complete transactions to fraudulent accounts unknowingly.

These BECs can covertly enter a company’s network, not through their technical expertise but through heavy reliance on malware purchased from threat groups and developers (Malware as a Service). This malware purchased by the BECs forms their methodology for breaching businesses. Combined with social engineering, this provides the perfect recipe to infect a company’s network. BECs often select their targets by using search engines and email scraping tools to find email listings.

BECs’ methodology differs depending on the end objective. For example, BECs can install malware such as a keylogger on an unsuspecting employee device via a phishing email. A keylogger will track the input made by an employee on their device over an extended period. This information is sent to the BEC’s command-and-control (CnC) server, which provides them with insights into four key components:

Text Logs

Usernames & Passwords

Clipboard Data (Ctrl+C, Ctrl+V)

Screenshots

The capture of this data can be detrimental to the business’ privileged and confidential information. This information will often give the BECs access to other systems or accounts such as the email server/system. This type of attack allows the BECs to write fraudulent emails that appear to come from inside the business. 

For example, an email from a company’s CEO may request the accounts payable team to urgently transfer funds to an off-shore account for an invoice, and insist that approval over the phone is unnecessary. A similar attack targeted Sydney-based hedge fund Levitas Capital that saw the fraudulent transfer of $8.7 million AUD to a threat actor’s (TA) account. A fake Zoom invite sent to an employee gave the TA access to the company’s email server, enabling the TA to create fraudulent emails that appeared legitimate and complete the transfers.

This impersonation can spread through an organisation as the BEC may broadcast a phishing email to a compromised account’s contact list. 

Mailbox security settings can be activated to prevent this, such as setting a maximum number of participants to an email. To avoid discovery, a BEC may send a phishing email from a compromised account to <500 accounts to ensure that IT managers are not notified of a possible phishing attempt. 

Additionally, when mailboxes are breached, BECs may set up mailbox rules to automatically forward emails and then delete the outbox record to have complete visibility of the mailbox without the user knowing.

Spoofing

Spoofing is another form of attack where the BECs impersonate the email account of a business when contacting clients. This is often not noticed as the BECs make the spoof email address appear near identical to the legitimate account by either:

If this is not picked up on, the BEC will continue the communication chain without the client knowing they are not communicating with the business. 

Once the chain is established, a message generally follows that the payment and bank details have changed and the BEC will be extraordinarily pushy and urgent until the client ultimately sends the payment to the BEC’s account.

Thread Hijacking

A more complex method that BECs use is thread hijacking. 

Once BECs access a company’s email system, they will inject themselves into conversations that present transactional value. For example: a chain between a business and a client finalising a sale. The BEC will spawn off two fake conversations by spoofing both the business and client email address to each respective party.

Once the BEC has completed the thread hijacking without either party noticing – an attempt will be made to change the transaction details. This includes updating payment details or the transaction quantity.

Protecting yourself from BECs is simply about being vigilant and ready for an attempted breach that will inevitably occur. If one piece of information is taken from this article, it is that Multi-Factor-Authentication (MFA) must be turned on for all accounts.

With MFA, you can ensure that no unauthorised access occurs without notification – generally via text message containing a unique code to gain access. 

If a code is received without attempted access, this can be perceived as an appropriate time to change the account’s password. Additionally, when a change occurs to a transaction with a supplier or customer, verifying these changes over the phone can quickly validate or settle any suspicions.

Utilising security training for employees to learn about phishing and other attacks can be another preventative method. 

Teaching employees to check spelling and grammar in emails and the email address can be a simple measure that can save a company from a cyber incident. 

In implementing the above strategies, an organisation can significantly minimise the risk of exposure to BECs.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Nicholas Pockl-Deen

Nicholas is a Digital Forensics & Incident Response Manager at Gridware, having previously been a Senior Digital Forensics and Incident Response Analyst at KordaMentha. He has extensive experience in digital forensics and incident response services, as well as in large scale investigations and litigation. Prior to KordaMentha, Nicholas worked as a consultant at KPMG.

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.