Business Email Compromise (BEC) attacks have expanded tremendously over the past few years, with a projected growth of over $9 billion in 2018. The combination of simplicity and effectiveness have ensured that BEC will continue to be one of the most popular attacks, especially for those who lack special tools and knowledge to pull off more complicated schemes.
We looked at BEC-related incidents over a period of nine months (from January to September 2017) to see emerging and present trends from BEC incidents, examine the tools and techniques cybercriminals use, and analyze the data to give us an overall picture of what BEC looks like today.
Credential-grabbing – Involves the use of keyloggers and phishing kits to steal credentials and access the webmail of target organizations.
Email-only – Involves an email sent to someone in the finance department (usually the CFO) of the target company. The attackers design the email to make it look as if a company executive sent it, typically instructing the target to transfer money. The transfer request is usually for payment to a supplier or contractor, or as a personal favor.
Credential grabbing-techniques can further be categorized into those that use malware and those that use phishing.
By examining malicious attachment samples that had filenames that could be clearly categorized, we were able to determine the most prominent ones:
Most popular filename categories used in malicious attachments (based on VirusTotal samples)
We also examined the malicious attachments for phishing-related BEC attacks, of which the following were the most common filename categories:
Most popular filename categories used in the attachments of phishing-related BEC attacks (based on Trend Micro Smart Protection Network™ feedback)
Our research into malware-related BEC attacks also revealed two key players that emerged on the scene: Ardamax, which is US$50 software that provides a BEC actor basic features that they would need to operate; and LokiBot, a known malware family that is increasingly being used in BEC attacks.
Email-only BEC attacks, on the other hand, use social engineering techniques. While social engineering is a common aspect of most BEC attacks, an email-only attack uses more sophisticated methods to exploit the human psyche. Simply put, these attacks use email designed to look as believable as possible. These kinds of BEC attacks typically involve the clever use of the Subject field, the “Reply-to” portion of the email, as well as where the email comes from.
BEC actors will also create legitimate-looking email addresses designed to impersonate company executives, either by using dodgy free webmail providers or by registering a copycat domain that resembles or references the target company.
The distribution of email-only BEC attacks according to the techniques used can be seen in the chart below:
Distribution of methods used for email-only attacks based on the techniques used
In addition, we also looked at how BEC actors acquire their tools, particularly the phishing websites they used in their attacks. One of the most common methods used by BEC actors involve the use of phishing kits—scampages—as the main source of attacks. Examining these websites allowed us to identify a BEC actor and learn how this individual sourced and utilized his tools.
We found traces of this individual in multiple phishing sites, providing us with clues on how many BEC actors use multiple sites to perform their attacks. They will also typically interact with and have access to underground markets that can provide them the tools they need to pull off effective BEC attacks. Resources are even available to inexperienced BEC actors, as spamming tutorials exist that can help them start their operation. This means that for BEC actors, tools and techniques are easily accessible without having to jump through hoops. This research effort aims to paint a clearer picture of the emerging trends in BEC, the tools and techniques they use, and how individuals and organizations can protect themselves from these types of attacks.