Everyone responsible for securing an organisation today recognises the significant growth in Business Email Compromise (BEC) attacks, a category that overlaps with what is sometimes called “whaling” or “CEO fraud”.

BEC scammers trick accounting and finance departments into wiring considerable amounts of money into bank accounts under their control, posing as genuine suppliers invoicing for services delivered, or senior executives.

Individually, some firms have lost millions through the scam emails, and the FBI has estimated that globally over the past five years firms have lost a jaw-dropping $12 billion as a result of the scams.

There is clearly a lot of money to be made by criminals through business email compromise – and that’s why it’s so important that those tasked with securing organisations against threats are aware of any changing trends in the scammers’ behaviour.

New research has revealed that business email compromise is being made easier for any criminal to add to their arsenal.

Researchers at intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information.

The researchers found over 50,000 email files containing terms such as “invoice”, “payment”, or “purchase order” in misconfigured or unauthenticated file stores. In some cases, the email archives even contained passport scans.
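The search the researchers describe is simple to reproduce against your own backups, which is exactly why it is worth doing before someone else does it against an exposed copy. The following script is an added example, not code from the article or from Digital Shadows: it walks a directory of mail archives, parses .eml and .mbox files with the standard library, and flags any message whose subject or text body mentions “invoice”, “payment” or “purchase order”. The sample messages it writes are constructed for the demonstration; .pst, .ost and .msg files are skipped because the standard library cannot read them.

```python
"""Audit a directory of email archives for finance-related terms.

Added example for illustration; not part of the original article or the
Digital Shadows research. Sample messages are constructed inline.
"""
import mailbox
import os
import re
import tempfile
from email.parser import BytesParser

# The terms the researchers searched for; extend to suit your own finance process.
FINANCE_TERMS = ("invoice", "payment", "purchase order")
TERM_RE = re.compile("|".join(re.escape(t) for t in FINANCE_TERMS), re.IGNORECASE)

# Constructed sample data (not real mail).
SAMPLE_EML = (
    b"From: accounts@supplier.example\r\n"
    b"To: finance@corp.example\r\n"
    b"Subject: Invoice 4471 overdue\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please arrange payment to the new bank account below.\r\n"
)
SAMPLE_MBOX = (
    b"From MAILER-DAEMON Mon Jan  7 09:00:00 2019\n"
    b"From: hr@corp.example\n"
    b"Subject: Team lunch\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Pizza on Friday.\n"
    b"\n"
    b"From MAILER-DAEMON Mon Jan  7 09:05:00 2019\n"
    b"From: buyer@corp.example\n"
    b"Subject: PO approval\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Purchase order 889 approved for the Q3 contract.\n"
)


def message_text(msg):
    """Return the subject plus every text/plain part of a parsed message."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():  # yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_terms(text):
    """Sorted list of distinct finance terms present in text (lower-cased)."""
    return sorted({m.group(0).lower() for m in TERM_RE.finditer(text)})


def load_messages(path):
    """Parse one archive file into a list of messages; unsupported formats give []."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".eml":
        with open(path, "rb") as fh:
            return [BytesParser().parse(fh)]
    if ext == ".mbox":
        box = mailbox.mbox(path)
        try:
            return list(box)
        finally:
            box.close()
    return []  # .pst/.ost/.msg need dedicated tooling


def scan_archives(root):
    """Return sorted (relative path, subject, [terms]) for every flagged message."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for msg in load_messages(path):
                terms = find_terms(message_text(msg))
                if terms:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, str(msg.get("Subject", "")), terms))
    return sorted(findings)


def build_sample_archive(root):
    """Write the constructed sample files under root (demonstration only)."""
    backup = os.path.join(root, "backup")
    os.makedirs(backup, exist_ok=True)
    with open(os.path.join(backup, "overdue.eml"), "wb") as fh:
        fh.write(SAMPLE_EML)
    with open(os.path.join(backup, "inbox.mbox"), "wb") as fh:
        fh.write(SAMPLE_MBOX)
    with open(os.path.join(backup, "outlook.pst"), "wb") as fh:
        fh.write(b"placeholder: real PST files are not parsed by this script")


def demo():
    """Build the sample archive in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="bec-audit-")
    build_sample_archive(root)
    return scan_archives(root)


if __name__ == "__main__":
    for path, subject, terms in demo():
        print(f"{path}: '{subject}' mentions {', '.join(terms)}")
```

Point it at a mounted NAS share or a synced copy of a bucket rather than at a live mailbox. A hit is not proof of a problem, but it tells you which archives would give a scammer supplier names, invoice numbers and payment timing if they were ever left reachable without authentication.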


It’s clear that an attacker doesn’t need to perform an account takeover to gain access to the contents of an inbox. As a result, the barrier for entry for a potential BEC scammer is going to be much lower when such sensitive information is available freely on the web, thanks to the careless backup practices of employees and contractors.

But what if a criminal can’t locate a publicly accessible archive of your company’s email? What do they do then?

Well, criminals on the computer underground are prepared to offer their services – offering to compromise corporate email accounts for as little as $150 – to help a budding BEC fraudster make his or her riches. In some of the online adverts, the hackers brag that they will be able to deliver the login credentials within seven days.


In some cases the hacker will offer to go into partnership with the wannabe scammer, offering their services for 20% of the proceeds.


You don’t need access to a corporate email account to successfully pull off a BEC scam (you could, for instance, purchase a lookalike domain name in an attempt to dupe an employee in the finance department into believing you were a senior member of staff or a supplier), but it certainly helps to make an attack more likely to succeed. Not only will you have control over a genuine corporate email address (making any messages you send more convincing), but you will also be able to harvest information about projects and suppliers to make your attack appear more legitimate.
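The lookalike-domain route mentioned above is cheap for an attacker and easy to check for on the receiving side. The code below is an added example, not from the article: given a list of trusted domains (your own plus key suppliers, all assumed here), it classifies the domain of a From: address as trusted, a homoglyph substitution (c0rp for corp, rn for m), the same name under a different suffix, a one-character typosquat, or simply unknown. The substitution table and the sample headers are constructed; the domain split is deliberately naive and does not consult a public-suffix list.

```python
"""Classify sender domains against trusted domains to spot BEC lookalikes.

Added example; not the article's code. Trusted domains, substitution table
and sample From: headers are all assumed for the demonstration.
"""
import re

# Character sequences commonly swapped in lookalike registrations (assumed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "5": "s"}

ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def sender_domain(from_header):
    """Lower-cased domain of the last address in a From: header ('' if none)."""
    hits = ADDR_RE.findall(from_header)
    return hits[-1].lower().strip(".") if hits else ""


def normalize(domain):
    """Collapse look-alike sequences so that c0rp.example compares equal to corp.example."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Standard edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Naive (first label, remaining suffix) split; no public-suffix list used."""
    label, _, suffix = domain.partition(".")
    return label, suffix


def classify_sender(from_header, trusted):
    """Return (verdict, matched trusted domain or None) for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return ("no-address", None)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)  # the domain or one of its subdomains
    label, suffix = split_domain(domain)
    for t in trusted:
        tlabel, tsuffix = split_domain(t)
        if normalize(domain) == normalize(t):
            return ("homoglyph", t)
        if label == tlabel and suffix != tsuffix:
            return ("lookalike-tld", t)
        # Threshold of 1 keeps false positives manageable for short names.
        if levenshtein(normalize(label), normalize(tlabel)) <= 1:
            return ("typosquat", t)
    return ("unknown", None)


# Constructed demonstration inputs.
TRUSTED = ["corp.example", "acme-supplies.com"]
SAMPLE_HEADERS = [
    "Alice Finance <alice@corp.example>",
    "Mail Robot <noreply@mail.corp.example>",
    "The CEO <ceo@c0rp.example>",
    "Accounts <accounts@acme-suppIies.com>",
    "Accounts <accounts@acme-supplies.net>",
    "Newsletter <news@outlook.com>",
]


def demo():
    """Classify each sample header; returns a list of (address, verdict)."""
    return [(h, classify_sender(h, TRUSTED)[0]) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, verdict in demo():
        print(f"{verdict:14} {header}")
```

Anything other than “trusted” on a message that asks for a payment or a change of bank details deserves a phone call on a known number before money moves. Note the check only examines the domain in the angle brackets: a convincing display name on a free-mail address, or a mismatched Reply-To header, is a separate test and is not covered by this code.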

With the stakes so high, organisations need to work hard to reduce the chances of becoming the victim of a BEC attack. That means training staff to be aware of the threat, and building processes and manual controls (such as verifying any change of bank details by phone on a known number) to reduce the chances of money being wire transferred to unauthorised parties.

In addition, it is essential that corporate email accounts are protected by multi-factor authentication, and that login credentials are not being carelessly reused or exposed. And care needs to be taken that email archives are not being left exposed publicly through a lack of authentication or through misconfiguration.

For more tips on how to detect business email compromise, be sure to read this article.
