Shifting Tactics Fuel Surge in Business Email Compromise

Cyber Security Threat Summary:
“Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated. This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity” (Microsoft, 2023). Microsoft has noticed a significant increase in threat actors leveraging business email compromise. Attackers are using platforms like BulletProofLink to carry out “industrial-scale malicious mail campaigns.” BulletProofLink sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS receive the credentials and the IP address of the victim.

Security Officer Comments:
BEC threat actors are known to purchase IP addresses from residential IP services that match the victim’s location. By routing through residential IP proxies, threat actors can mask their true origin and circumvent security mechanisms like impossible travel flags. The same access can also serve as a gateway for further attacks. Microsoft has observed threat actors in Asia and an Eastern European nation deploying this tactic most frequently. Microsoft says the specialization and consolidation of the cybercrime economy could escalate the use of residential IP addresses to evade detection. “Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second” (Microsoft, 2023). In the past, threat actors have relied heavily on phishing-as-a-service offerings like Evil Proxy, Naked Pages, and Caffeine to deploy their campaigns. BulletProofLink takes things a step further by offering a decentralized gateway design. The service uses Internet Computer public blockchain nodes to host phishing and BEC sites, creating a decentralized web offering that is hard to detect and to disrupt via takedowns. While a phishing link can be removed, the content remains online, and cybercriminals return to create a new link to the existing CaaS content. Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team initiated the Financial Fraud Kill Chain on 2,838 BEC complaints involving domestic transactions with potential losses of over $590 million.
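The evasion described above, a residential proxy in the victim’s own region defeating a velocity-based “impossible travel” rule, as an added example that is not code from Microsoft’s report. The sign-in event format, coordinates, IP addresses and ISP labels are constructed for the example, and the secondary “first sign-in through a new provider for this user” heuristic is an assumption about what a defender might layer on top of geo-velocity, not something the report prescribes.

```python
"""Impossible-travel check over constructed sign-in events, and why a
residential proxy in the victim's region slips past it.

Added example, not code from the Microsoft report. The event format,
the constructed values and the 'new ISP for this user' heuristic are
assumptions made for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two sign-ins is "impossible travel"


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: int        # Unix seconds
    ip: str
    lat: float
    lon: float
    isp: str       # provider the IP geolocated to (constructed for this example)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(prev: SignIn, cur: SignIn) -> bool:
    """True when the user would have had to move faster than MAX_PLAUSIBLE_KMH."""
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return dist_km > 0  # two distinct places at the same instant
    return dist_km / hours > MAX_PLAUSIBLE_KMH


def new_isp_for_user(history: List[SignIn], cur: SignIn) -> bool:
    """Assumed secondary signal: this user has never signed in via this provider before."""
    return cur.isp not in {e.isp for e in history}


def evaluate(events: List[SignIn]) -> Dict[str, List[str]]:
    """Return {ip: [alert names]} for every sign-in after a user's first one."""
    alerts: Dict[str, List[str]] = {}
    history: Dict[str, List[SignIn]] = {}
    for cur in sorted(events, key=lambda e: e.ts):
        seen = history.setdefault(cur.user, [])
        if seen:
            names: List[str] = []
            if impossible_travel(seen[-1], cur):
                names.append("impossible_travel")
            if new_isp_for_user(seen, cur):
                names.append("new_isp")
            alerts[cur.ip] = names
        seen.append(cur)
    return alerts


# Constructed events: approximate city-centre coordinates, documentation-range IPs,
# placeholder ISP names. Baseline is the user's normal home sign-in.
BASELINE = SignIn("alice", 1_700_000_000, "203.0.113.10", 42.36, -71.06, "HomeISP-A")
# Ten minutes later from another continent: geo-velocity catches this.
FAR_AWAY = SignIn("alice", 1_700_000_600, "198.51.100.7", 6.52, 3.38, "Hosting-B")
# Ten minutes later from a residential proxy a few km from home: geo-velocity does not.
RESIDENTIAL_PROXY = SignIn("alice", 1_700_000_600, "192.0.2.55", 42.40, -71.10, "ResidentialProxy-C")


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run both scenarios against the same baseline."""
    return {
        "far_login": evaluate([BASELINE, FAR_AWAY]),
        "proxy_login": evaluate([BASELINE, RESIDENTIAL_PROXY]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The proxy sign-in produces no impossible-travel alert at all; only the provider change surfaces it, which is why a geo-velocity rule on its own is not enough once attackers source IPs in the victim’s region.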
“Although the financial implications are significant, wider long-term damages can include identity theft if personally identifiable information (PII) is compromised, or loss of confidential data if sensitive correspondence or intellectual property are exposed in malicious email and message traffic. Top targets for BEC are executives and other senior leaders, finance managers, and human resources staff with access to employee records like Social Security numbers, tax statements, or other PII. New employees, perhaps less likely to verify unfamiliar email requests, are also targeted. Nearly all forms of BEC attacks are on the rise. Top trends for targeted BEC include lure, payroll, invoice, gift card, and business information” (Microsoft, 2023).

Suggested Correction(s):
Typical phishing best practices can still help prevent BEC attacks, but because the emails come from trusted and often expected sources, spotting and defending against them can be more difficult. Microsoft lists the following best practices to avoid falling victim to BEC attacks.

Maximize security settings protecting your inbox: Enterprises can configure their mail systems to flag messages sent from external parties. Enable notifications for when mail senders are not verified. Block senders with identities you cannot independently confirm and report their mail as phishing or spam in email apps.

Set up strong authentication: Make email harder to compromise by turning on multifactor authentication, which requires a code, PIN, or fingerprint to log in in addition to your password. MFA-enabled accounts are more resistant to compromised credentials and brute-force login attempts, regardless of the address space attackers use.

Train employees to spot warning signs: Educate employees to spot fraudulent and other malicious emails, such as a mismatch between the display name and the email address or domain, and the risk and cost associated with successful BEC attacks.

Link(s):
https://www.microsoft.com/en-us/
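The inbox-side controls from the Suggested Correction(s) above, as an added example that is not code from Microsoft or from any mail product: tag mail from outside the organization, surface senders whose authentication did not pass, and catch a mismatch between the display name, the From address and the Reply-To address. ORG_DOMAIN, both sample messages and their Authentication-Results headers are constructed for the example.

```python
"""Inbox-side checks matching the BEC guidance: tag external senders, surface
unverified senders, and catch display-name / From / Reply-To domain mismatches.

Added example, not code from Microsoft or from any mail product. ORG_DOMAIN,
the sample messages and their Authentication-Results headers are constructed.
"""
import re
from email import message_from_string, policy
from typing import Dict, List

ORG_DOMAIN = "example.com"  # assumption: the receiving organisation's own domain


def auth_results(msg) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts from any Authentication-Results headers."""
    verdicts: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def domain_in_text(text: str) -> str:
    """Domain of the first address-like token in free text, or '' if there is none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", text)
    return m.group(1).lower() if m else ""


def bec_flags(raw: str) -> List[str]:
    """Return the warning tags an inbox filter would attach to this message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    flags: List[str] = []

    # Mail from outside the organisation gets an external tag.
    if from_domain != ORG_DOMAIN:
        flags.append("external_sender")

    # Display name advertises one address/domain while the real address uses another.
    shown = domain_in_text(sender.display_name)
    if shown and shown != from_domain:
        flags.append("display_name_address_mismatch")

    # Replies would go to a different domain than the one the mail claims to come from.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        if reply_to.addresses[0].domain.lower() != from_domain:
            flags.append("reply_to_domain_mismatch")

    # Sender not verified: any of SPF, DKIM or DMARC missing or not 'pass'.
    verdicts = auth_results(msg)
    if any(verdicts.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        flags.append("sender_not_verified")
    return flags


# Constructed message: lookalike domain, internal-looking display name, foreign Reply-To.
SAMPLE_LOOKALIKE = """\
From: "Pat Chen <pat.chen@example.com>" <pat.chen@example-corp.co>
Reply-To: pat.chen@mail-relay.test
To: finance@example.com
Subject: Urgent wire before close of business
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=example-corp.co; dkim=none; dmarc=none
Content-Type: text/plain

Please process the attached invoice today.
"""

# Constructed message: genuine internal mail that passes every check.
SAMPLE_INTERNAL = """\
From: Pat Chen <pat.chen@example.com>
To: finance@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/plain

See you at 3.
"""

if __name__ == "__main__":
    print("lookalike:", bec_flags(SAMPLE_LOOKALIKE))
    print("internal: ", bec_flags(SAMPLE_INTERNAL))
```

The display-name check is the one that maps to the training advice: users see “Pat Chen <pat.chen@example.com>” in their client, while the address the mail was actually sent from is on a lookalike domain.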