Every enterprise has unique operational processes in place, and most are specifically designed for the distinct needs of each business. Even commonplace tasks like product shipping or managing suppliers are handled differently within each enterprise—and the bigger the business is, the more complicated these processes get.
Business Process Compromise (BPC) is a type of attack that has come into focus recently. It specifically targets an enterprise's unique processes, or the machines that facilitate them, and quietly manipulates them for the attacker's benefit. Attackers infiltrate the enterprise and look for vulnerable practices, susceptible systems, or operational loopholes. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. The victims believe the process is proceeding as normal, but in
These attacks are possible because many employees simply go through the motions of business processes, trusting policies that have always worked and are expected to continue working without any problems.
In 2013, we saw a characteristic example of BPC when shipping companies operating in the Belgian port of Antwerp were hacked. Drug traffickers recruited hackers to infiltrate IT systems that controlled the movement and location of containers, making it possible to retrieve illegal substances from the port facility. Reportedly, they used simple software and hardware hacks, from keyloggers to physical devices attached to the computers of the targeted companies.
The 2016 Bangladesh Bank incident is another notable BPC attack, where attackers managed to install multiple layers of malware into the bank’s system and exploit the communications process between the bank and SWIFT. The hackers sent requests from Bangladesh to the Federal Reserve Bank of New York, asking for millions to be transferred to accounts across Asia. They timed it to coincide with the end of the work week, and also tampered with the printing system used by the bank to avoid discovery. A total of US $81 million was lost, and it was only because of a spelling error that the attack was discovered and further loss was prevented.
After the Bangladesh Bank heist, two more banks reported that they were compromised through SWIFT-related processes as well. Vietnam’s Tien Phong Bank identified fraudulent SWIFT messages that requested a transfer of US $1.3 million—
Attackers infiltrate the target organization and move laterally from the point of compromise. Over time they manage to get a clear view of the structure of the organization from internal reconnaissance and monitoring communications. As they become familiar with the processes used by the enterprise, vulnerabilities are identified. The attackers pinpoint specific processes that can be changed or manipulated and then deploy their specific tools. Their main strategy is to covertly alter the targeted business process, benefit financially from that change, and leave the victim unaware of the situation.
In the case of the Vietnamese bank, the attackers had intimate knowledge of the processes that the bank used to coordinate SWIFT transfer requests through a third-party vendor. According to news reports, the hackers tried to compromise a PDF reader used by customers to summarize transactions over SWIFT.
To get this level of detail about an organization, cybercriminals have to remain in an enterprise system undetected for a lengthy period of time. Unfortunately, detection is a critical issue for most enterprises. Research establishes the average dwell time—time between infection and detection of a breach—is 146 days, which means that it takes most enterprises almost five months to identify a compromise. That is ample time for criminals to discover vulnerabilities and create ways to exploit them.
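The Bangladesh Bank case above shows why a single record of a transfer is not enough: the attackers tampered with the confirmation printer and timed the requests for the end of the work week, so the bank's own process produced no visible discrepancy. One defensive control is an independent reconciliation that compares what the messaging gateway actually sent against what the confirmation channel recorded, and flags timing and beneficiary anomalies at the same time. The script below is an added example written for this article, not code from Trend Micro or from any bank; the message fields, the printer-log format, the business-hours window and all sample records are constructed assumptions.

```python
"""Independent reconciliation of outbound payment messages (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class TransferMessage:
    ref: str             # message reference as logged by the gateway (assumed field)
    sent_at: datetime    # time the gateway sent the message
    amount_usd: float
    beneficiary: str


# Constructed sample data for illustration, not taken from the article or any real incident.
# 2016-02-01 is a Monday, so TX-003 goes out late on a Friday night.
OUTBOUND = [
    TransferMessage("TX-001", datetime(2016, 2, 1, 10, 15), 250_000.0, "Known Vendor Ltd"),
    TransferMessage("TX-002", datetime(2016, 2, 4, 16, 30), 20_000_000.0, "Unknown Holdings"),
    TransferMessage("TX-003", datetime(2016, 2, 5, 23, 40), 9_500_000.0, "Unknown Holdings"),
    TransferMessage("TX-004", datetime(2016, 2, 3, 14, 0), 1_500.0, "Known Vendor Ltd"),
]

# References recovered from the confirmation printer's own spool log (constructed).
# In the attack described in the article, this channel was the one tampered with,
# which is exactly why it must be compared against the gateway log rather than trusted alone.
PRINTED_REFS = {"TX-001", "TX-004"}

# Beneficiaries the business has paid before (constructed allow-list).
KNOWN_BENEFICIARIES = {"Known Vendor Ltd"}


def reconcile(outbound, printed_refs, known_beneficiaries=KNOWN_BENEFICIARIES,
              workdays=range(0, 5), work_hours=range(9, 18),
              large_amount_usd=1_000_000.0):
    """Return {ref: [reasons]} for every message that fails at least one check.

    Checks performed:
      * the message has a matching entry in the confirmation channel;
      * it was sent inside the configured business week and hours;
      * a large amount is not going to a beneficiary the business has never paid.
    """
    findings = {}
    for m in outbound:
        reasons = []
        if m.ref not in printed_refs:
            reasons.append("no printed confirmation")
        if m.sent_at.weekday() not in workdays or m.sent_at.hour not in work_hours:
            reasons.append("outside business hours")
        if m.beneficiary not in known_beneficiaries and m.amount_usd >= large_amount_usd:
            reasons.append("large transfer to unfamiliar beneficiary")
        if reasons:
            findings[m.ref] = reasons
    return findings


if __name__ == "__main__":
    for ref, reasons in reconcile(OUTBOUND, PRINTED_REFS).items():
        print(f"{ref}: {', '.join(reasons)}")
```

The point of the design is that the two logs come from systems the attacker would have to compromise separately; a message that is present in one and absent from the other is a discrepancy no matter how legitimate each record looks on its own. In practice the gateway export and the printer spool would be pulled from their own sources rather than embedded as lists, and the findings fed to the fraud or incident-response queue.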
The lengthy time-frame and narrow scope of BPC
Business Email Compromise (BEC) is another popular type of online scheme, one that cost enterprises at least US $3.1 billion from 2013 to 2015. BEC also infiltrates enterprises with the aim of making fraudulent money transfers, except that it targets people, not processes. BEC requires in-depth research, as hackers have to determine who initiates and executes money transfers. Once they have the necessary information, the hackers usually compromise or spoof the email of a company executive to initiate a
Currently, BPC attacks are focused on financial transactions, but they have the potential to break into different areas of enterprise operations. Attackers could begin to target purchase order systems to manipulate money transfers from that end, or they could infiltrate the
Enterprises across all industries are vulnerable to BPC attacks. Each enterprise has unique business
Trend Micro helps protect medium and large enterprises from this threat. Malware in malicious emails
The InterScan Messaging Security Virtual Appliance with enhanced social engineering attack protection can defend against socially-engineered emails that are common entry avenues for attackers. The Deep Discovery Analyzer found in the Trend Micro Network Defense family of solutions helps detect advanced malware and other threats.