Proactive Defense Against Business Email Compromise (BEC)

What is Business Email Compromise

Business Email Compromise (BEC) is a type of attack in which the attacker poses as a trusted entity, typically a boss, colleague or vendor, in order to steal login credentials or gain access to company resources. According to the GreenHorn report, BEC attacks have been on the rise in the past year, accounting for 50% of cyber-attacks experienced by organizations.

With these statistics, the question is no longer whether malicious actors will launch this attack on organizations, but when and how frequently the attacks will come. With the increasing sophistication of BEC attack tools and the inherent weakness in humans, it becomes almost impossible to be completely immune to this attack.

Defending against Attackers' TTPs

Malicious actors often use one of the following attack techniques: brute-force attacks, (spear) phishing, and password spraying.

Brute-forcing and password spraying are often not very effective these days because measures like account lock-out and rate-limiting limit the number of attempts available to the attacker. Technologies like Captcha and 2FA have also helped reduce the impact of password spraying and brute-forcing. Phishing and spear-phishing exploit human weakness, often through social engineering.

More disturbing is the change in TTPs and the growing sophistication we have observed on the part of attackers: new phishing tools such as Muraena, Evilginx2 and Modlishka, which are able to bypass 2FA and steal credentials, are being used in recent attacks. This is possible because many 2FA solutions rely on token submission through a web form. These tools allow attackers to phish both the password and the 2FA token in real time, using smart reverse proxies to intercept requests.

Although attackers' methods and tools continue to become more sophisticated, there are techniques that can be combined with technologies (such as Captcha, MFA, Email Security Gateways, and some promising AI/ML tech) in order to educate users and prevent BEC attacks.

User Training

To properly manage our human risk, we need to continually educate users on best practices. The importance of this cannot be overemphasized, as organizations are only as strong as their weakest link. Organizations need to plan for a mature awareness program using proven frameworks in order to change user behaviour, so that users stop carelessly clicking on links and start paying close attention to URLs.

Create Honey Users

A honey user is simply a decoy user. Organizations can leverage this technique by setting up several honey users that can be used to track the activities of malicious actors. These fake email addresses can be published on company websites and social media platforms. It is also important to constantly monitor these fake email addresses to know when there is any form of malicious activity. Depending on the perceived threat, controls like blocking emails from the malicious domain could be implemented. Sometimes it is advisable to implement only soft blocking on the malicious domain, in order to better understand the attacker's goal.

Domain Monitoring

Organizations can also stay one step ahead of malicious actors by constantly monitoring the registration status of their domain. This can also help them identify similar domain names and their dates of creation. They can also tell whether those similar domain names are able to send email or not.
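
As an added illustration of this monitoring step (not code from the original article), the Python below classifies observed domains against a protected domain and lists mail-capable lookalikes first. The examplebank.com placeholder, the sample domains, the has_mx flags and all function names are constructed assumptions; in practice the input would come from registration feeds and DNS MX lookups.

```python
"""Added example: flag lookalikes of a protected domain. All domains are constructed."""
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(label):
    """Collapse common visual substitutions so 'examp1e' compares equal to 'example'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, protected, max_dist=1):
    """Return why candidate resembles protected, or None if it does not."""
    candidate, protected = candidate.lower().rstrip("."), protected.lower().rstrip(".")
    if "." not in candidate or candidate == protected or candidate.endswith("." + protected):
        return None  # not a domain, the protected domain itself, or one of its subdomains
    # Assumption: single-label TLDs; use the Public Suffix List for names like .co.uk.
    c_label = candidate.split(".")[-2]
    p_label = protected.split(".")[-2]
    if c_label == p_label:
        return "tld-swap"
    if skeleton(c_label) == skeleton(p_label):
        return "homoglyph"
    if osa_distance(skeleton(c_label), skeleton(p_label)) <= max_dist:
        return "typo"
    return "combo" if p_label in c_label else None

def triage(observed, protected):
    """observed: (domain, has_mx) pairs; mail-capable lookalikes sort first."""
    hits = [(d, classify(d, protected), mx) for d, mx in observed]
    return sorted((h for h in hits if h[1]), key=lambda h: (not h[2], h[0]))

SAMPLE = [("examp1ebank.com", True), ("exmaplebank.com", False),  # constructed input
          ("examplebank.co", True), ("examplebank-payments.com", False),
          ("mail.examplebank.com", True), ("unrelated.org", True)]

if __name__ == "__main__":
    for domain, reason, has_mx in triage(SAMPLE, "examplebank.com"):
        print(f"{domain:28} {reason:10} mx={has_mx}")
```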


Our conclusion is that in every Business Email Compromise (BEC) scheme, people are no longer the weakest link – they are the primary attack vector, and new tactics are being developed to break through them. Our goal is to keep our clients ahead of attackers by implementing proactive defense, using combinations of the approaches listed above, and aligning risk with security awareness projects, strategy and vision.

By Chukwuka Isaac and Raliyah Adamu
