Researchers on Tuesday said they saw an increase in business email compromise attacks (BECs) in the fourth quarter of 2021, many of them large-scale events or so-called BEC-as-a-Service attacks.
The Kaspersky researchers said in a BEC-as-a-Service attack, the threat actors send streamlined messages en masse from free email accounts in the hope of snaring as many victims as possible. They said such messages often lack high levels of sophistication, but they are efficient.
According to the researchers, Kaspersky products prevented more than 8,000 BEC attacks, with the greatest number — 5,037 — occurring in October. Along with the large-scale attacks, the researchers said there were also mass-scale CEO scams, which are the more familiar BECs in which victims are tricked into thinking that a high official in the company wants them to wire them money or pay a vendor.
Kaspersky's findings confirm how valuable senior business leaders' email accounts are, said Aaron Turner, vice president of SaaS Posture at Vectra. However, Turner said the BEC attacks documented by Kaspersky are not the only path to sensitive information and to the ability to use a compromised email account against additional targets. Turner said that, as documented in the recent CISA alert, state-sponsored actors have been targeting weaknesses in Microsoft 365-hosted email systems.
“Based upon lessons learned from the Dark Halo, Hafnium, and Nobelium campaigns, attackers are targeting the email of senior business leaders for both intelligence gathering as well as using it as a jumping off point to conquer the email accounts of leaders at other organizations,” Turner said. “The bottom line for security teams is that organizations need to focus not just on typical email hygiene solutions, but email platform posture management as well as constant monitoring for rapid detection and response to assure the integrity of business leaders' email accounts.”
At a time when employees continue to work remotely, it’s more difficult than ever to verify with a colleague whether a request is legitimate, said Joseph Carson, chief security scientist and Advisory CISO at Delinea. Carson said when a request appears to be urgent, most people will fall for such scams. The big challenge with BEC security incidents is that the victim has to provide evidence that their account was indeed compromised and that the incident was not just human error.
“With cybercriminals being really good at hiding their tracks, such evidence can sometimes be very difficult to gather,” Carson said. “A strong privileged access management solution can help reduce the risk of BEC by adding additional security controls to sensitive privileged accounts along with MFA and continuous verification. As with all company cultures today, it’s important that cyber awareness training is a top priority and to always practice identity proofing techniques to verify the source of the requests.”