BEC Campaign via Israel Spotted Targeting Large Multinational Companies
Cyber Security Threat Summary:
Abnormal Security researchers have identified a threat group based in Israel that is responsible for a series of business email compromise (BEC) campaigns. The group's primary targets are large and multinational corporations with annual revenue exceeding $10 billion. Since February 2021, the group has launched approximately 350 BEC campaigns, with email attacks directed at employees in 61 countries spanning six continents. The attackers impersonate the targeted employee's CEO and subsequently redirect the communication to a second external persona, typically a mergers and acquisitions attorney who oversees the payment process. In certain cases, when the attack advances to the second state, the perpetrators may ask to switch from email communications to a WhatsApp voice call to expedite the attack and minimize the chances of leaving behind any traceable evidence.
Historically, West Africa, and specifically Nigeria, has been the hub for BEC scams. Out of all the analyzed attacks since the start of 2022. 74% originated in Nigeria. The United Kingdom follows as the next most common country associated with BEC attackers, where 5.8% of BEC actors are based, trailed by South Africa (5.7%) and the United States (3.6%). "Comparatively, countries in Asian and Middle Eastern regions, where Israel sits, are at the very bottom of the list, serving as the home base for 1.2% and 0.5% of BEC actors, respectively. "Unfortunately, our research cannot definitively say the threat actors are Israeli — just that we have confidence they are operating out of Israel," says Mike Britton, CISO at Abnormal Security. Cybercriminals used to be able to get their paydays through distributing generic phishing campaigns, but as organizations have strengthened their defenses and improved security awareness among employees, criminals have adapted accordingly, becoming even more savvy in their attack techniques. "Now, instead of generic phishing emails, we're seeing the rise of highly sophisticated, socially engineered BEC attacks that can evade detection at many organizations," Britton says. "The Israel-based group's attack method is a good example of this." They implemented several tactics to give their emails a sense of legitimacy, improving their ability to evade detection by the human eye or by traditional email security solutions, including the targeting of senior leaders, who could reasonably be involved in a financial transaction such as the one the criminals used as their pretext. In addition to their use of two personas — a CEO and an external attorney — they spoofed email addresses using real domains. If the target organization had a DMARC policy in place that would prevent email spoofing, the BEC group updated the sending display name to still make it look as though emails were coming from the CEO. The group also translate emails into the language mainly used by the targeted organization" (DarkReading, 2023).
Security Officer Comments:
The report highlights the growing prevalence, global reach, and increased sophistication of BEC attacks, exemplified by Abnormal Security's discovery of multi-phase attacks. Victims of BEC attacks are also facing more severe financial losses, as evidenced by the higher-than-average $700,000 requested in this Israel-based group's attacks. The continued use of email as an attack vector, coupled with the rise of communication and collaboration tools like Slack, Zoom, and Microsoft Teams, poses a significant threat to organizations worldwide, with cybercriminals seeking other avenues to penetrate organizations.
Suggested Corrections:
BEC attacks are harder to defend against than traditional phishing because common indicators like bad domains are not used. Because communications are coming from trusted and expected partners, employees will be more likely to fall victim to attacks.
The only real prevention is to train employees to spot BEC attacks. Employees should understand that every email received could be malicious. If you receive a strange invoice, wire transfer request, or unexpected email from a trusted user, verification via phone is recommended. Never use email communications to verify a payment request, because the account may still be compromised by the threat actor.
Avoid requests that prey on emotions, have a sense of urgency, or just feel off. While emails may be coming from a trusted sender, spelling mistakes and bad grammar seen in normal phishing emails may still be present.
To avoid falling victim to BEC yourself, multifactor authentication is recommended on all email accounts. Users should monitor leak websites and leverage security tools that monitor for stolen or leaked credentials.
Link(s):
https://www.darkreading.com/