Categories
Security

Kaseya ransomware strike reveals a disturbing new trend in cyberattacks

Over the same weekend America celebrated its independence, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it had become the victim of a cyberattack. But this wasn’t your garden variety ransomware assault. Those days appear to be behind us now.

Once again striking the now-endangered supply chain, cybercriminals leveraged a vulnerability in Kaseya’s VSA software against multiple MSPs and their hundreds of small business customers. Where SolarWinds had only recently gained infamy as the country’s largest supply chain attack, Kaseya is eerily reminiscent—and likely not to be the last.

Kaseya ransomware attack: The new normal

On July 2, MSP solutions provider Kaseya started receiving reports of “suspicious things happening” with its VSA software program, a remote-monitoring and management tool for networks and endpoints. Within an hour, the company had shut down its VSA service.

Kaseya CEO Fred Voccola said that less than 0.1 percent of its roughly 40,000 clients were affected by the breach. However, as a provider of technology to MSPs, which in turn provide services to other companies, Kaseya is at the center of a wider software supply chain. Current estimates are that about 1,500 businesses were impacted downstream.

So how did cybercriminals pull off their attack within an attack? This was no ordinary, broad ransomware campaign sweeping up any enterprise fish it might catch in its net. The attack on VSA customers was delivered through an automatic, malicious update of the platform, which pushed the REvil ransomware variant, also known as Sodinokibi.

In order to access the VSA platform and the MSPs using it, cybercriminals first had to breach Kaseya itself. They did so by exploiting a known vulnerability in Kaseya software that the company was actively working to correct. Kaseya had thankfully already rolled out patches to its SaaS VSA clients. But before on-premise customers could receive their fix, threat actors made their move.

During the attack, cybercriminals shut off administrative access to VSA and disabled several protections within Microsoft Defender. If clients didn’t take their VSA servers offline, they were served the malicious update. And if they didn’t have another security vendor layered on top of Defender, they were treated with a ransom note and all of their files were encrypted. Customers of Malwarebytes were shielded from this attack — and, with features such as tamper protection and uninstall protection enabled, any future such attacks.

On July 4, the criminals behind REvil staked claim to the attack and demanded $70 million from Kaseya in return for a universal key, later amended to $50 million. They asserted that more than a million systems were impacted, yet their key could restore all in less than an hour — both controversial and dubious allegations, at best. Still, there’s no doubt they pulled off one of the largest ransomware attacks in history.

In fact, you know you’ve “made it” as a cybercriminal when your attack is used as bait for other phishing scams. In the wake of Kaseya, Malwarebytes researchers discovered opportunistic carrion fish had launched a malspam campaign to exploit companies eagerly awaiting the VSA patch so they could bring the platform back online. The email contained both a malicious link and attachments that dropped the Cobalt Strike RAT.

By July 12, Kaseya had released its patches, disclosed its vulnerabilities, and brought the majority of its VSA servers back online. However, the company remained mum on whether or not it would pay the ransom. The REvil affiliates behind the attack could go around Kaseya to negotiate with each of the 1,500 businesses affected. However, threat actors may be wary of creating thousands of “paper trails” on the Bitcoin blockchain now that law enforcement have trained their eye on cryptocurrency as a means of attribution.

Unfortunately, these more aggressive efforts by authorities don’t appear to be slowing or scaling down cyberattacks — at least, not yet. Assaults against organizations have increased steadily in frequency, volume, and sophistication over the last five years — from exploiting vulnerabilities to breach a single enterprise to using such vulnerabilities to gain administrative access to software used by tens of thousands of companies and their millions of customers.

These cascading attacks on supply chain software like SolarWinds and Kaseya are two data points in a greater, more worrying trend: Organizations are increasingly dependent on Internet-connected remote administration tools, and those tools are rife with flaws. Threat actors are aware of both, and we can expect them to continue to target and exploit those flaws, all while creating chaos in the supply chain, disrupting operations, and raking in the Bitcoin.

Security administrators can no longer look away from a problem that impacts the very tools they rely on to do their jobs. They must identify and ensure all known vulnerabilities for software products used in their organization are patched as soon as possible, and vet new software with an eagle eye. Consistent testing, communicating with employees and customers, and updating IT tools and servers — as well as implementing multiple layers of security — is the type of vigilance required to stave off massive breaches. And even then, it’s no failsafe unless the rest of the security community steps up to meet the challenge of cascading cyberattacks.

We need more security researchers and security-conscious developers to devote time and effort to combatting today’s vulnerabilities and preventing future, similarly-flawed products from entering the market. Software engineers must take greater care with borrowing outdated code from online repositories without testing for errors, such as weak encryption or default passwords. Vendors should also invite third-party reviewers to analyze source code created in-house before providing clients with a software bill of materials itemizing components and vulnerabilities.

The cooperation doesn’t stop there. Countries should better incentivize independent security research so analysts aren’t afraid to report their findings. Bug bounty programs are well and fine, but often their payments aren’t substantial enough to subvert dealings on the gray or black market. This $10 million reward offered by the US government for information leading to the identification or location of a nation-state threat actor is a healthy start, though.

What’s clear is that individuals — and even well-stacked IT departments — can no longer be solely responsible for their own cyber protection. To truly combat these increasingly sophisticated cascading attacks in the future, it will require an institutional shift in thinking that brings the top security minds together in lockstep.

We’ll need international cooperation and aggressive action from government and law enforcement. 360-degree security up and down the supply chain, branching out to fourth- and fifth-tier parties. Smart and secure development of Internet-connected software, as well as layers of security to stop breakthrough breaches. And a collective awareness by all that cybercrime has evolved and we can no longer turn the other cheek.

To learn more about the technical details of the Kaseya attack, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

Categories
Security

Shore up supply chain security (now say that 5x fast)

Supply chain security was once a backburner issue, if an issue at all. But for the last 15 months, the security industry has had to face the music on supply chain risk—and it’s not going away soon.

From extended shipping delays to empty store shelves, we’ve collectively experienced firsthand what happens when the supply chain breaks down (panic, at best). As more and more industries digitize, having a strong cybersecurity posture becomes a pivotal link in that chain.

How to protect against supply chain security risk

Supply chains have been pelted over the last 15 months with an ongoing barrage of volatility. The COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional offices and into their homes. Growing trade conflicts rendered supply chain hardware and software at risk of weaponization. And significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.

In other words, conditions were ripe for cybercriminals to wreak havoc. While consumers and organizations worried about disruptions to actual supplies, security teams around the world—including those at SolarWinds—missed the big red flag of data access risk by adversaries all-too-happy to compromise sub-tier suppliers to get to the big game. Meanwhile, for organizations dependent on suppliers (all of them), the hurricane of uncertain market forces and economic turmoil was strengthened by an increasing number of sophisticated cyberattacks.

That’s likely why cybercrime was at an all-time high in 2020, bolstered by confusion and fear brought on by the pandemic. This year, high-profile ransomware attacks on vital infrastructure, such as the Colonial Pipeline and JBS breaches, continue to underscore the need to confront supply chain security challenges with unique solutions. Only by combining the resources and brainpower of security professionals with other strategic thinkers across disciplines, in private and public sectors, can we properly address supply chain security.

Public sector: laws, law, and order

Luckily, that sort of collaboration has already begun. The public sector stepped up to the cyber plate, with action happening in the state legislature up to the executive branch. On the law enforcement side, crackdowns on malware families and ransomware gangs have ticked up in 2021, with Emotet finally defeated in a multi-country, multi-agency effort, and Clop ransomware taken down by investigators from Ukraine and South Korea.

While the US government has historically lagged on technology regulation, the pace has quickened recently with several new laws and an executive order introduced to improve cybersecurity infrastructure and data privacy, as well as bring together disparate groups for better security alignment—particularly for those devices and software used in supply chains.

On May 12, President Joe Biden signed an Executive Order (EO) with sweeping proposals to upgrade federal cybersecurity, including massive changes to its procurement processes, such as requiring that suppliers provide a Software Bill of Materials (SBoM) to help organizations manage risk and learn which vulnerabilities exist in the products they use.

In addition, the EO includes a set of criteria to evaluate the security practices of developers and suppliers, and it proposes a labeling system to identify vendors that have gone above and beyond the baseline, essentially codifying resilience as a competitive edge.

The IoT Cybersecurity Improvement Act, meanwhile, aims to tighten up standards for IoT devices owned or operated by the federal government. The bill directs the National Institute of Standards and Technology (NIST) to draft and publish IoT standards with a focus on secure development, identity management, patching, and configuration. After NIST publishes its guidelines, contractors and vendors must follow up by publishing coordinated vulnerabilities disclosure policies.

Then there are the many data privacy bills that have been introduced in the less than five years since the California Consumer Privacy Act (CCPA) blazed the way in the US. Data privacy and asset management are two areas of upmost importance for supply chain security, and they happen to be central to much of the recent regulatory action happening in Congress.

A major risk factor for sharing data across technology platforms with suppliers is the unknown degree to which that data is secure and private—especially at the sub-tier level.
Since the CCPA was introduced in 2018, 29 other states have proposed data privacy bills mostly centered on consumer rights.

A federal data privacy law introduced in March 2021 would, if passed, provide businesses with a consistent, comprehensive national data privacy infrastructure. In preparation for these data privacy laws, organizations should begin a dialogue with their data teams to assess risk and ensure compliance.

Public sector: regulations and sanctions

If one of the greatest risks on the digital supply chain is unfettered data access, what happens when you share data with international entities known to use information technology to surveil, repress, and manipulate foreign and domestic groups? Over the last two years, the US government has sought to come down on suppliers from countries with authoritarian digital policies.

Recent regulations and sanctions by the Departments of Defense, Treasury, and Commerce on industrial suppliers (primarily in China) therefore help to reduce digital supply chain risk, as well as physical. According to Andrea Little Limbago, PhD, Vice President of Research and Analysis at Intero in her RSA presentation “Supply Chain Resilience in a Time of Techtonic Geopolitical Change,” the US is increasingly employing industrial policy as a tool of economic statescraft.

In 2019, the Department of Defense levied prohibitions on five Chinese companies and their affiliates. That same year, the Department of Treasury doled out financial penalties exceeding $1 billion.

Between 2019–2020, the Department of Commerce added over 350 Chinese-based companies to a list of those not allowed in the supply chain for such violations as possible connection to weapons of mass destruction and human rights concerns. In 2021, expect more to be added from other countries, such as Russia and Saudi Arabia.

Between all the new laws regulating procurement process, data privacy, access management, and even secure development, organizations will have their hands full with domestic compliance alone. Add to that keeping an eye on economic sanctions levied against international suppliers, and it’s looking to be another insane year for enterprise cybersecurity.

However, it’s important to keep in mind that the standards put forth by these bills and regulations often represent a minimum security requirement for organizations. Lowest common denominator won’t cut it against the combined forces weaking organizations’ supply chain security. That’s why IT and security professionals must apply due diligence to protect against supply chain risks. A few recommended steps:

  • Ensure that your partners and suppliers are also secure by auditing existing suppliers for risk and evaluating new suppliers’ security during the acquisition process.
  • Prioritize asset management by tracking all data stored, segmenting networks, and restricting access to the most sensitive data.
  • Catalogue the software products used at your organization and document their components (and vulnerabilities) in SBoMs.
  • Share SBoMs or other attestations using a standardized set of repositories and channels called a Digital Bill of Materials (DBoM).
  • Conduct scenario planning with tabletop war games or an internal think tank. Don’t forget to test both digital and physical worst-case scenarios.

For more information on supply chain security, read this article from CPO Magazine: https://www.cpomagazine.com/cyber-security/recent-cyber-attacks-signal-alarm-for-better-supply-chain-security/

To learn how the US government plans to crack down on ransomware attacks on the supply chain and other vital infrastructure, check out this article on Malwarebytes Labs: https://blog.malwarebytes.com/malwarebytes-news/2021/06/ransomware-to-be-investigated-like-terrorism/

A TLDR version of President Biden’s Executive Order on Improving the Nation’s Cybersecurity: https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

Categories
Security

Casino fish tank hack a cautionary tale for businesses using IoT

Pinch me if you’ve heard this one. In 2017, a casino was breached through a smart thermometer used to monitor the temperature of an aquarium installed in the lobby. Threat actors exploited the smart thermometer to penetrate the casino’s network and steal information from its high-roller database. Yikes.

The fish tank hack has already gone down in history as the ultimate cautionary tale for installing IoT in your home or business. Yet adoption of IoT has steadily risen over the last five years for consumers and organizations — despite, or in some cases because of, the COVID-19 pandemic causing a serious wrinkle in basically everything.

IoT security is no longer a fringe concern. Business owners and security teams alike should be looking at ways to build IoT security protocols into their plans for adoption — especially because many such devices have little protection built into their own functionality.

Weak IoT security should concern consumers, businesses as adoption increases

Back in 2017, IoT was still a baby-faced newbie. The technology was not yet well understood, but early adopters were keen to demonstrate their savvy with the latest and greatest. However, that lack of understanding carried with it grave consequences — especially for one North American casino.

In July of that year, the casino was breached through rather unorthodox means: a fish tank. Not just any fish tank, of course. The high-tech aquarium was installed in the casino’s lobby and its temperature and salinity were remotely monitored via Internet-connected thermostat, which also allowed for automated feeding of the fish.

Unfortunately, lack of proper security protocols like network segmentation and antivirus protection meant the smart device also allowed hackers to easily access the casino’s network and exfiltrate 10 GB of data from its high-roller database. The data, which may have included information about some of the casino’s biggest spenders, along with other private details, was sent to a remote server in Finland. By the time the casino discovered its error, it was too late.

The story has become something of a cybersecurity legend; a parable for IoT security. Four years later, adoption of IoT has increased ten-fold, yet the lessons learned from the fish tank hack have yet to penetrate the masses. Consumers and organizations might know much more about the benefits of smart devices, but many remain ignorant of their security deficits. And despite the US government getting involved and passing IoT laws, there is still a lack of regulation across the industry.

Today, IoT devices are in hot demand. The global market for IoT was valued at $761.4 billion in 2020, according to Mordor Intelligence, and it is expected to top $1.3 trillion by 2026. Juniper Research says that there will be 83 billion IoT connections by 2024, up from 35 billion recorded in 2020. That’s a whole lot of IoT, especially considering the pandemic derailed the global economy, employment, and entire industries for more than a year.

IoT adoption among consumers has picked up pace over the last five years, with smart phones and home automation particularly driving growth. The global home automation market alone stood at $45.8 billion in 2017 and is projected to reach $114 billion by 2025.

The most popular smart home devices include home assistants like Alexa or Google Home, smart thermostats such as Nest, and smart doorbell/security devices like Ring. Other IoT home products include smart locks, refrigerators, washers and dryers, wristwatches, baby monitors, and toys. Almost all cars made today have some form of Internet connectivity. Even medical devices and health/fitness apps count as IoT.

Each of these devices carry with them known vulnerabilities. Alexa and other home assistants have been known to record conversations without any such deliberate request from their owners. Smart thermostats and locks have been exploited by domestic abusers looking to trap and torture their victims. Baby monitors and smart toys have invited creepers to look in on sleeping babes and record interactions with said wee ones. And cybercriminals have used IoT devices to snatch or modify patient data and penetrate hospital networks, not unlike the methods used to access the casino’s high-roller database.

The pandemic only sweetened the pot for cybercriminals looking to take advantage of the hasty shift to remote work, which was (and still is) reliant on IoT, cloud computing, and users’ security hygiene to function smoothly. Add to that a home assistant all-too-eager to record company secrets shared over Zoom meetings, and you have the recipe for a much-weakened security perimeter.

Yet organizations — nay, entire industries — have jumped on the IoT bandwagon, with adoption skyrocketing over the last few years and projections showing continuing growth through the middle of the decade. Right now, about 40 percent of companies are deploying IoT within their business infrastructures, according to Eclipse Foundation’s 2020 IoT Commercial Adoption survey. However, Microsoft’s 2020 IoT Signals Report states that 1 in 3 decision makers plan to up their IoT investments.

Certain industries are mostly responsible for driving growth in organizations’ IoT adoption rates. The industrial sector, including manufacturing, agriculture, and retail will account for over 70 percent of all IoT connections in just three years, according to Juniper Research. Technologies such as smart cities, factory automation, precision farming, and e-commerce will contribute to such growth.

One industry particularly impacted by IoT is healthcare. The global healthcare IoT market is expected to reach $14 billion by 2024, says Zion Market Research, driven largely by healthcare facilities’ growing use of cloud computing and medical management apps. To protect patients from potential exposure to COVID-19, virtual appointments for non-emergency care have become the norm, and smart thermometers now scan patients for fever, a telltale symptom of the virus.

In addition, the global IoT medical device market is growing steadily at a rate of about 15 percent between 2019 and 2025 and is expected to generate around $63 million by 2025 (Zion Market Research). IoT is likely to transform conventional paper-based healthcare by simplifying access to real-time patient data and remote monitoring. From diagnostic biotech to smart pills that automate administration of medication, there’s no shortage of IoT applications in the medical field.

Between all of this IoT use at home and in the office, as well as in manufacturing, agriculture, retail, and healthcare, the lack of strong security protocols only introduces more and more opportunities for cybercriminals to penetrate organizations’ defenses. That’s why it’s important for individuals, business owners, developers, and IT and security teams to understand how to protect IoT devices as they’re being built and once they’ve been deployed.

For an overview of why IoT security is so lacking, plus a few recommended solutions for boosting IoT defenses, check out this blog on Malwarebytes Labs:
https://blog.malwarebytes.com/101/2017/12/internet-things-iot-security-never/


Categories
Security

Increase in remote work sparks insider threat concerns

Any horror movie junkie will tell you, if the protagonist gets a creepy phone call, it’s probably coming from inside the house. That same logic can be applied to cybersecurity and insider threats — especially now that more than half of US employees are working remotely. In fact, insider threats increased by 25 percent last year, thanks in large part to remote work. 

Insider threats are largely misunderstood, yet their costs to organizations can be just as high as attacks by cybercriminals. And while breaches by insiders are most often the result of well-intentioned negligence, remote work has further complicated (and diluted) office security, leading to an increase in the use of shadow IT. Of course, we can’t forget that deliberate, malicious sabotage by insiders, though less common, is also made that much easier by remote work.

Remote work a boon for insider threats

As of today, more than half of the American workforce is working remotely “always” or “sometimes,” according to a February 2021 Gallup. More than a year into the pandemic and remote work is holding strong — and so are insider threats. 

In fact, insider threats have risen sharply over the last three years in volume and cost. The 2020 Cost of Insider Threats Report by Ponemon Institute found that malicious insider threats increased by 47 percent from 2018 to 2020. In addition, the cost of those threats surged 31 percent over the same period, from $8.76 million to $11.45 million. Of all industries, retail and finance experienced the most growth in insider threats over the two-year period. 

But a rise in remote work is adding fuel to the fire, leading to an even greater increase in insider threats through the pandemic and beyond. Forrester found in its Predictions 2021: Cybersecurity report that breaches caused by employees increased by 25 percent in 2020, thanks in large part to remote work. 

So why does remote work cause insider threats? 

Insider threats were far less threatening before the rise of remote work. Before the pandemic, a minority of organizations’ employees worked remotely, so security policies were lax. (As were the security habits of remote workers.) A lack of physical oversight made it difficult to enforce stronger policies or even to push out updates. Weakened traditional office security infrastructure, going from brick-and-mortar to virtual, also allowed for more mistakes by employees and more opportunities for malicious actors. 

Malwarebytes Labs’ 2020 report on Covid’s impact to business security found that 20 percent of organizations experienced a breach because of a remote worker. Pandemic conditions often led to hastily thrown-together remote infrastructures built by potentially outstretched, overworked, or underfunded IT/security teams. Work from home (wfh) user behavior also led to mistakes, resulting in security breaches. That behavior has only been exacerbated the longer the pandemic has stretched on. 

Margaret Cunningham, principal research scientist of Forcepoint X-Labs, recently conducted a survey of 2000 European workers’ wfh behaviors to determine why insider threats happen. She found that while younger workers reported a much higher use of shadow IT than older workers, an average of 50 percent were using some sort of shadow IT. That’s a lot of people and a lot of different exposure points for organizations’ assets and data. 

The survey found that mistakes were made by users because of:

  • increased stress (especially for caretakers, such as parents or those caring for a sick or disabled family member) 
  • blending of personal and professional boundaries 
  • lots of distractions 
  • well-intentioned innovation or creative problem-solving 

This last one is interesting and may be a harbinger of increased insider threats to come. An employee may be working on something potentially innovative or creative to get their job done, but in doing that, they create security issues.

All of this well-intentioned behavior doesn’t mean the entire US workforce is benevolent. While the majority of insider threats are honest mistakes, there are still plenty of malicious insiders. Ponemon’s 2020 Insider Threats Report also found that 23 percent of insider threats are deliberate, malicious acts. 

Case in point: In Q4 2020, Shopify was breached in an insider incident. The customer data of about 200 merchants was exposed by two employees who were scheming to steal transaction data. The data exposed included details like email, name, street address, and order details, but didn’t involve complete payment card numbers or financial information. 

While malicious insider threats are less common, they are more costly than those made by careless mistakes. Ponemon found that careless or negligent employees cost organizations an average of $307,111 per incident, and malicious insiders or credential thieves cost $871,686. The cost of insider incidents on the whole has surged by 31 percent over the last two years. 

So what can organizations do to mitigate these risks? What’s NOT going to work is making it even harder to do work because of stringent security policies. We need to think more about what people are doing and why. 

Cunningham’s survey showed that the sense of being burdened by security policies mirrors the use of shadow IT: It’s parallel. We may need to loosen our guard in one area — allow some low-risk security faux paus — in order to shore up the other. Security and IT teams should also be more communicative about why they’re blocking access or what’s at risk. 

For more information on risk mitigation for insider threats, check out this article on building a secure, cloud-based remote workforce: https://blog.malwarebytes.com/business-2/2020/03/remotesec-achieving-on-prem-security-levels-with-cloud-based-remote-teams/

For a refresher on best wfh security practices, consider sending your employees this article: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Here’s a video interview of Margaret Cunningham discussing the factors that influence remote worker behavior: https://www.bankinfosecurity.com/remote-work-creates-insider-threat-concerns-a-16240

Categories
Security

Business email compromise cost businesses $1.8B in 2020

I know looking back at 2020 for any reason can be a less-than-appealing thought. But in the case of business email compromise (BEC), it would not only be a dangerous oversight, but a costly one. In fact, last year BEC cost organizations nearly $2B.

That’s what the FBI discovered (among many other unsavory finds) in its annual Internet Crime Report released March 17. The report states that businesses suffered losses totaling $1.8B, a more than threefold increase from the $54 million lost in 2019. And although the FBI received the most complaints about phishing scams, BEC far outpaced phishing in financial damage, underscoring its tremendous cost — and the need for more awareness.

Last week, the FBI issued another warning to state, local, and tribal governments about BEC — unfortunately, the BEC attacks do not appear to be slowing in 2021.

BEC a growing problem for organizations

People complained to the FBI about business email compromise (BEC) 19,369 times in 2020. That sounds like a hefty number… until you stack it up against the $1.8B in collective losses caused by BEC, according to the FBI’s annual Internet Crime Report. If we divide the cost of BEC losses among the 19,000+ victims evenly, that’s an average of a little less than $100,000 per business. That’s not a loss many businesses could take on the chin lightly.

While BEC might have barely cracked the top 10 most-reported cybercrimes in 2020, it blew away the competition in victim losses. The second-most costly crime was confidence fraud/romance scams at around $600,000, over $1B less than BEC, and it’s not a cybercrime particularly targeted to businesses.

Yet how many could tell what business email compromise looks like? How to spot a BEC scam and properly report it? The best methods to protect against it? Last year, BEC was the most expensive cybercrime, and it was reported far less phishing and its counterparts — vishing, smishing, and pharming — which ensnared nearly 250,000 in 2020, according to the FBI report.

If you’re wondering why I didn’t mention ransomware, it’s because the $29 million in losses reported to the FBI do not paint an accurate picture of the total devastation ransomware wreaked on businesses last year. The FBI’s record is so low because it doesn’t reflect estimates of lost business, time/productivity, wages, customer and company data, equipment, or any third-party remediation services acquired. Which makes the $4.2B in total losses reported from cybercrime in 2020 that much more nauseating.

Getting back to BEC, last week, the FBI warned state and local governments that the onslaught of BEC attacks is not slowing in 2021. The organization issued a Private Industry Notification stating that these smaller government organizations are being targeted by BEC attackers because they have inadequate resources and cybersecurity controls. The FBI cites two risks contributing to these attacks: the move to remote work and the failure to provide sufficient training to the workforce.

So what does business email compromise, or email account compromise (EAC) as some call it, actually look like? BEC/EAC is a sophisticated scam that targets both businesses and individuals that are transferring funds. BEC typically happens when a threat actor compromises a legitimate business email account through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.

But as cybercrime has evolved, so have BEC/EAC attacks. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of CEO or CFO email accounts. Fraudulent emails were sent to unknowing recipients requesting wire payments. Not wanting to question the directions of their superiors, employees typically responded by sending the money first, asking questions later.

Over the years, BEC has evolved to include compromising not just business emails, but personal, vendor, and lawyer email accounts as well. Fraudulent requests have expanded to include W-2 information, large amounts of gift cards, and other personally identifiable information (PII).

In 2020, the IC3 (branch of the FBI researching cybercrimes) observed an increase in the number of BEC/EAC complaints related to sophisticated, multi-pronged cyberattacks. In these variations, an initial victim is first scammed via extortion, tech support scam, romance scam, etc. into providing the criminal with PII. The PII is then used to establish a bank account that will receive stolen BEC/EAC funds, which are then exchanged for cryptocurrency.

Try getting out of that mess! Actually, as with most cybercrime, the best protection is prevention. Here are a few tried and true tips for protecting against BEC/EAC.

  • Keep an eye on the usual phishing red flags, such as odd formatting, bad grammar, or false email addresses.
  • Mind the money: BEC emails typically target someone with access to financial records/finances and may make strange payment requests, such as wiring money to an unknown location.
  • Pay special attention to emails sent by people claiming to be accountants, lawyers, or executives, especially those with a sense of urgency. They may be trying to convince you to wire money in support of a business deal, such as an acquisition. Even if the deal is real, the request may not be.
  • Watch out for vendor email compromise, especially an attack where a threat actor has successfully infiltrated a vendor’s email account. The sender’s domain name is genuine and the transaction may seem legitimate, often with proper documentation attached (because the account has been hacked, not spoofed). However, the processing details direct payment to a different account controlled by the scammer.
  • Add BEC/EAC awareness to your company’s security training regimen. Your IT/security team should be able to recognize a standard phish from BEC, and your other employees should at least get a sense that something’s not right with this email. Anyone working directly with vendors, processing payments, or handling financial records should sit for this training as well.
  • Training alone isn’t enough. Compliance is required to head off BEC/EAC. Employees targeted by BEC are typically mid-level and might be nervous approaching an executive, lawyer, or other purported requester to verify unless there is an accepted protocol for reporting potential fraud.
  • Build a layered defense with technical controls, including multi-factor authentication, encryption, virtual private networks (VPNs), and enterprise security software, like Malwarebytes Endpoint Detection and Response.

For more on the FBI’s Internet Crime Report and the impact of BEC in 2020, read our Malwarebytes Labs blog:
https://blog.malwarebytes.com/business-2/2021/03/report-reveals-the-staggering-scale-of-business-email-compromise-losses/

To read the full Internet Crime Report:
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf