Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label BEC Attacks. Show all posts

AI Might Be Paving The Way For Cyber Attacks

 


In a recent eye-opening report from cybersecurity experts at Perception Point, a major spike in sneaky online attacks has been uncovered. These attacks, called Business Email Compromise (BEC), zoomed up by a whopping 1,760% in 2023. The bad actors behind these attacks are using fancy tech called generative AI (GenAI) to craft tricky emails that pretend to be from big-shot companies and bosses. These fake messages trick people into giving away important information or even money, putting both companies and people at serious risk.

The report highlights a dramatic escalation in BEC attacks, from a mere 1% of cyber threats in 2022 to a concerning 18.6% in 2023. Cybercriminals now employ sophisticated emails crafted through generative AI, impersonating reputable companies and executives. This deceptive tactic dupes unsuspecting victims into surrendering sensitive data or funds, posing a significant threat to organisational security and financial stability.

Exploiting the capabilities of AI technology, cybercriminals have embraced GenAI to orchestrate intricate and deceptive attacks. BEC attacks have become a hallmark of this technological advancement, presenting a formidable challenge to cybersecurity experts worldwide.

Beyond BEC attacks, the report sheds light on emerging threat vectors employed by cybercriminals to bypass traditional security measures. Malicious QR codes, known as “quishing,” have seen a considerable uptick, comprising 2.7% of all phishing attacks. Attackers exploit users’ trust in these seemingly innocuous symbols by leveraging QR codes to conceal malicious sites.

Additionally, the report reveals a concerning trend known as “two-step phishing,” witnessing a 175% surge in 2023. This tactic capitalises on legitimate services and websites to evade detection, exploiting the credibility of well-known domains. Cybercriminals circumvent conventional security protocols with alarming efficacy by directing users to a genuine site before redirecting them to a malicious counterpart.

The urgent need for enhanced security measures cannot be emphasised more as cyber threats evolve in sophistication and scale. Organisations must prioritise advanced security solutions to safeguard their digital assets. With one in every five emails deemed illegitimate and phishing attacks comprising over 70% of all threats, the imperative for robust email security measures has never been clearer.

Moreover, the widespread adoption of web-based productivity tools and Software-as-a-Service (SaaS) applications has expanded the attack surface, necessitating comprehensive browser security and data governance strategies. Addressing vulnerabilities within these digital ecosystems is paramount to mitigating the risk of data breaches and financial loss.

Perception Point’s Annual Report highlights the urgent need for proactive cybersecurity measures in the face of evolving cyber threats. As cybercriminals leverage technological advancements to perpetrate increasingly sophisticated attacks, organisations must remain vigilant and implement robust security protocols to safeguard against potential breaches. By embracing innovative solutions and adopting a proactive stance towards cybersecurity, businesses can bolster their defences and protect against the growing menace of BEC attacks and other malicious activities. Stay informed, stay secure.


Cybercriminals Exploit SVB's Downfall for Phishing

The downfall of Silicon Valley Bank (SVB) on March 10, 2023, has caused instability all across the global financial system, but for hackers, scammers, and phishing schemes, it's evolving into a huge opportunity.

Security experts have already observed a variety of schemes that take advantage of the situation, which has severely hurt tech companies. Proofpoint researchers reported on Twitter that they have observed scammers sending fraudulent emails pertaining to a cryptocurrency company impacted by the failure of SVB.

On March 12, a considerable amount of domain names with the name SVB were registered. Threat actors are preparing for business email compromise (BEC) attacks by registering suspicious domains, creating phishing pages, and more. These operations seek to defraud targets by stealing money, account information, or malware.

A campaign using lures related to USDC, a digital stablecoin linked to the USD that was impacted by the SVB collapse, was found, as per Proofpoint. Fraudulent cryptocurrency businesses were defamed in messages sent through malicious SendGrid accounts that pointed users to URLs where they could claim their cryptocurrency.

A substantial KYC phishing campaign using SVB branding and a template with a DocuSign theme was found, as per Cloudflare. Within hours of the campaign's inception, 79 instances were where it was discovered. An assault that included HTML code with a first link that changed four times before linking to an attacker-controlled website was also intended at the company's CEO.

The HTML file used in the attack directs the user to a WordPress instance with the capacity to do the recursive redirection, however, it is unclear if this specific WordPress installation has been hijacked or if a plugin was set up to enable the redirect.







Psychological Tactics Used by Cybercriminals to Conduct Malicious Activities


Recently, the emergence of finance and accounting related cyberattacks via phishing campaigns and Business Email Compromise (BEC) attack has been a hot topic for South African companies having gaps in their payment systems. 

BEC attack is a type of cybercrime wherein the threat actor poses as a trusted figure in order to dupe the victims to give off money or entice them into exposing confidential company information. 

However, according to Ryan Mer, CEO of eftsure Africa, a KYP platform provider, “robust financial controls together with strong server, IT, and email monitoring processes aren’t enough if staff aren’t savvy to the psychological tricks scammers use to manipulate people, making them more vulnerable to tricker and deception.” 

Mer rejects the idea that hackers target solely credulous, unskilled professionals. “The misconception that only foolish individuals fall victim to cybercrime and payment fraud is dangerous because it leads to complacency in the highly educated who occupy senior positions within organizations. Criminals engaging in payment are often well-skilled, well-resourced and armed with enough industry knowledge to appear legitimate.” 

Manipulating Trust and Competence 

Human tendencies to be cooperative, avoid conflict, and find quick and efficient solutions to problems are used as a bait by threat actor to obtain information or persuade their victims to take certain actions. 

A popular tactic is to pretend to be someone they know or trust in order to gain the trust of a potential victim. Examples include a worker receiving a letter from the financial director of a company telling them to make a quick payment to a vendor or an HR manager receiving a polite email from a worker asking that their bank information be altered for payroll purposes. 

Banking on Urgency 

While scammers are becoming more creative, a tried-and-true strategy that hackers frequently use is making their victims feel as though they need to act quickly. According to Mer, phishing emails and business email compromise scams are made to increase employees' likelihood of complying with potential threats they are supposed to notify. 

“Scammers lure victims into acting quickly before they have time to think rationally about the activities they’re undertaking. Implementing processes that require staff to slow down and double-check any actions that involve payments is vital,” he says. 

A new point of contact, a change in email address, or a change in banking information are examples of abrupt changes in customer or supplier business procedures that, he continues, should be viewed with care and thoroughly investigated before agreeing with an urgent request. 

Additional Automated Protection 

The continuous evolution in Cybercrime is making it a moving target. South Africa ranked third globally in terms of the number of cybercrime victims, according to Interpol's most recent African Cyberthreat Assessment Report, which was published in 2021. This crime costs the nation a staggering 2.2 billion yearly. 

“Ongoing education on the latest scams and the tactics used to execute them is crucial for South African companies. In addition, independent third-party verification systems like eftsure can offer a much-need extra layer of protection by automating payment checking and supplier verification, saving time on manual processes and reducing human error,” notes Mer.  

SVB Collapse: An Attackers Paradise you Should Beware of


Lately, the Silicon Valley Bank has been closed down by the California Department of Finance Protection and Innovation. This was apparently the result of a bank run that followed the risk of insolvency and a stock crash. 

Customers of SVB will be able to access the insured portion of their deposits through the deposit insurance national bank, which has been established by the Federal Deposit Insurance Corporation, which has been designated as the receiver. 

Naturally, this problem is receiving a lot of attention. However, it is primarily concerned with the finances, namely what brought SVB to this point and what the risk is currently to the deposit owners. 

The Cyber Fraud Potential of the SVB Collapse 

In most effective cases of cyberattacks social engineering, deception, and fraud to take advantage of humans are used as bait, at least in part. According to IBM's Cost of Data Breach Study 2022, the initial attack vector is compromised credentials in around a third of cases. These credentials are typically acquired through phishing or other fraudulent activity. Business email compromise (BEC), on the other hand, is the second most lucrative assault method for organized cyber criminals. 

These attacks are most often fueled by chaos and confusion. Cybercriminals are well-organized and have a reputation for seizing openings. They now have a fantastic opportunity to target both current and past SVB consumers in addition to ex-SVB account holders. Customers of SVB are now easy targets for fraud and phishing campaigns. 

The fact that founders, CEOs, CFOs, and finance teams are currently dealing with uncertainty and a lack of information only serves to fuel the fire of attackers. When this happens, people tend to let their guard down and are more susceptible to being scammed by an email that contains any news (and preferably good news). Attacks like these can occur via email and other platforms catering to the founders and financial communities, such as forums and groups on Signal, Telegram, and WhatsApp. Everything becomes a potential point of assault. 

This type of social engineering, or other more conventional methods of gaining access, is merely a prelude to the primary effort we anticipate seeing: a sizable BEC campaign that takes advantage of the astronomical amount of account modifications already in progress. 

SVB account holders will provide their clients with their new account information for future wires when they shift their finances and activities to other banks over the coming weeks. Additionally, given the number of suppliers that businesses use in today's supply chains, finance departments will be inundated with demands to change these accounts. 

How can you Protect Yourself from SVB Related Attacks? 

Phishing campaigns, BEC, and similar attacks are all forms of fraud. They include some or the other kind of impersonation (most likely through a website, email, text message, Slack, or other messaging technologies), which entices victims to take action. Here, we are listing some ways through which one can protect themselves from SVB Related Attacks: 

  • Your awareness is your first line of protection against these assaults. Potential victims will remain more vigilant and be less likely to fall for such schemes if they are aware of the warning indicators to look for in these attacks. 
  • It is highly advised to mandate refresher phishing and BEC training for those who work directly for your business, including the founders, C-level executives, finance departments, customer success reps, etc. 
  • Ensure that your payment modification processes are reliable, and if necessary, add an additional layer of manual verification or signature—at least for the ensuing 30 to 60 days. It's crucial to ensure that no vendor you work with can update a bank account without making a real phone call and engaging in one-on-one communication. 
Moreover, it would be highly beneficial to set up additional monitoring of both account (phishing) and financial activities (BEC). In terms of phishing, be careful to increase the level of awareness of any prospective phishing assaults within your SOC. Pay close attention to failed multifactor authentication (MFA), unsuccessful login attempts, etc. Executive accounts and finance departments should be given extra attention because they are the most potential targets for these attacks.  

BEC Attacks: Google Translate Utilized to Scam Organizations in Any Language


Business Email Compromise (BEC) gangs are carrying out payment fraud scams in a more effective manner by utilizing translation tools and machine learning platforms, successfully dispensing fraudulent emails in multiple languages. 

What are Business Email Compromise Groups? 

BEC attacks entail posing as a senior executive or business partner and convincing a corporate target to wire large quantities of cash to a bank account under the attacker's control. 

Successfully launching the international variant of this cyberattack generally requires a lot of time and effort. The target must be sufficiently researched to make phishing lures plausible. Moreover, native speakers must be hired to translate frauds into other languages. Yet this is all changing as threat actors use free online technologies that reduce some of the need for manual work. 

Midnight Hedgehog and Mandarin Capybara are two BEC groups that best represent the trend, according to a research from Abnormal Security published this week. Both use Google Translate, which enables threat actors to quickly create convincing phishing lures in practically any language. 

Moreover, researchers in the study also cautioned that tools such as commercial business marketing services are aiding the success of less-resourced and less-sophisticated BEC attacks. They are mostly used by sales and marketing teams to find "leads," making it simple to locate the best targets regardless of their region. 

The fact that BEC attacks are already lucrative, causing $2.4 billion in damages in 2021 alone, according to the FBI's Crime Report, and the number of BEC attacks is constantly increasing, is bad news for defenders. Volumes are now likely to increase as some of the cost associated with performing them has been eliminated. 

BEC Groups Scale Fast with Translation, Marketing Tools 

Crane Hassold, director of threat intelligence of Abnormal Security in a report noted that Midnight Hedgehog has been since January 2021 and specialises in impersonating CEOs. 

Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish are among the 11 languages that the company has so far identified in two significant phishing emails from the organization. The emails are lacking the simple mistakes that consumers are conditioned to look out for and regard as suspicious thanks to Google Translate's effectiveness. 

"We've taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack[…]When these are not present, there are fewer alarm bells to alert native speakers that something isn't right," the report said. 

Apparently, Midnight Hedgehog has requested payments ranging from $17,000 to $45,000. 

Mandarin Capybara, the second BEC threat organization mentioned in the report, sends emails posing as communications from business executives but with a twist: Paychecks are transferred to a controlled account via direct deposit by contacting payroll. 

Abnormal Security has noted that Mandarin Capybara targets businesses all over the world with phishing lures in Dutch, English, French, German, Italian, Polish, Portuguese, Spanish, and Swedish. However, unlike Midnight Hedgehog, which the report claimed sticks to non-English-speaking victims in Europe, Mandarin Capybara also targets businesses outside of Europe with phishing emails aimed at English speakers in the US and Australia. 

In some instances, they utilized the same tactics of fraudulent email accounts to distribute emails in multiple languages.

The reason why BEC campaigns are still in trend among threat actors is simply how they operate, where their victims receive these messages, deeming them legitimate, and act upon instructions they think are coming from their ‘boss,’ especially when the emails are written with correct grammar and spelling and the sender's signature style. 

"As email marketing and translation tools become more accurate, effective, and accessible, we'll likely continue to see hackers exploiting them to scam companies with increasing success," said Hassold. 

It is that organizations put procedures in place to make sure that large financial transactions are not approved by only one person and that people should be trained to be on the lookout for payment fraud attacks in addition to deploying appropriate cybersecurity tools to help catch BEC attacks. 

"It's important that organizations use email defenses that look for threats in a more holistic matter to be able to prevent more sophisticated BEC attacks. Defenses that simply rely on static or 'known bad' indicators will have a hard time detecting these attacks, which is why tools that leverage behavioral analytics are better equipped to spot more advanced BEC threats," concludes Hassold.    

Food Product Shipments Could Be Stolen in BEC Attacks, US Food Companies Warned

 

The US Department of Agriculture (USDA), the Federal Bureau of Investigation (FBI), and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) are all sounding the alarm about business email compromise (BEC) attacks that result in the theft of shipments of food items and ingredients. 

BEC is frequently used to steal money. Threat actors compromise email accounts at target firms, then target employees who handle payments by sending them phony emails instructing them to wire huge sums of money to bank accounts under the attackers' control. 

The threat actors, however, are utilizing spoofed emails and websites to mimic real businesses in the attacks aimed at the food and agricultural industry and order food products without paying for them. In the events that were seen, the thieves took cargo worth hundreds of thousands of dollars. 

“Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation,” the agencies caution in a public statement. 

Hackers may employ spear phishing and other ways to compromise email accounts at a real organization and send fake messages, or they may construct email accounts and websites that closely resemble those of actual businesses. 

When contacting the target businesses, the attackers may use the identities of real executives or workers, and they may utilize authentic corporate logos in their bogus emails and papers to lend credibility to their claims. 

Government agencies claim that threat actors may also fabricate credit applications in an effort to deceive the target company into giving credit. Attackers give valid firm information to the target business, which causes it to ship the ordered goods but never get paid for them. 

In one of the most recent attacks, a US sugar supplier was the target. She was asked to supply a truck full of sugar, but she recognized the fake email and got in touch with the real company to confirm it. 

A food distributor dispatched two full truckloads of powdered milk in a different attack after receiving an email from a forged account that used the real name of the chief financial officer of a large international snack food and beverage firm. The supplier received a $160,000 payment from the victim company. 

Another incident saw the attackers placing fraudulent orders for big supplies of powdered milk and other materials while posing as a US corporation, resulting in losses of over $430,000. 

A US food supplier and manufacturer was the target of a BEC attack in April that used a fake email from a legitimate business to send two shipments totaling more than $100,000 for which it never got paid. A food company in February received orders from four distinct scammers totaling roughly $600,000 but never got paid for them. 

Food and agriculture businesses are advised to independently verify the contact information of new suppliers or clients, look for signs of spoofing in links and email addresses, check the wording and grammar of all correspondence, confirm changes to invoices and payment details, be wary of orders and payments that seem to be urgently needed, ask for clarification on questions that seem suspicious, and train staff to recognize BEC scams.

Cybercrimes are More Interconnected and are Likely to be More Prevalent


According to two senior representatives from the cyber-security company, Palo Alto Networks, cybercrime and online scams are anticipated to be more prevalent than in previous years. 

Among various cyber threats, business e-mail compromise (BEC) and ransomware attacks continue to be on the top of the global watch list. 

As per Ms. Wendi Whitmore, Palo Alto Network’s Unit 42 senior vice-president, BEC scams, targets both corporations and individuals making genuine transfer-of-funds requests. It makes BEC the most common and costly threat to organizations worldwide. 

“We see (criminal) organizations where you’ve got a member in Nigeria that’s closely communicating (on the Dark Web) with someone in Eastern Europe, and maybe communicating closely with someone in Asia […] I think that as the economy continues to have more challenges, we’re going to see even more of that level of interconnectivity,” says Ms. Whitmore. 

On the FBI Internet Crime Complaint Centre report 2021, BEC continues to hold the apex position, for the sixth year. 

Does Dark Web Harbor Cybercrime? 

Mr. Vicky Ray, a principal researcher at Unit 42 who studies data and telemetry used in such global cyberattacks, believes that the Dark Web has become a breeding ground for cybercrime. 

On the Internet or the ‘Surface web,’ which is readily accessed by the general public, one can look for a variety of information or participate in forums. On the other hand, in order to access Dark Web, one needs a certain browser and a known URL. Some Dark Web forums demand that new members have a known party vouch for them. 

According to Palo Alto, the growth of Darknet markets in Asia has given cybercriminals more flexibility, since the platform's anonymity makes it less likely that they will ever be tracked. 

“It’s hard, but at the end of the day, it is our job to connect these dots together to really answer... the hard question of who may be behind it (a cyberattack) or what the motivation is.” Mr. Ray told The Straits Times. 

No matter if the attack is a ransomware attack or a data breach, cyber criminals are in an ecosystem where “everyone supports each other and collaboration is everywhere”, he continues, showing a screengrab of a malware developer apparently receiving feedback on a Dark Web forum. 

“What has changed in the past three years has been the tactics of ransomware as a service […] These gangs who were actually creating and using the ransomware to target victims, or potential victims back in the day, what they have realized is, if they provide that to other criminals, who are called affiliates, they can be more profitable,” he adds. 

Cybercrime on Dark Web

Criminals on the Dark Web co-operate in an operation in a variety of ways, from "consultants" who offer professional guidance to affiliates who buy malware from developers. 

However, there also lies a similar collaboration between law enforcement and business parties, like Palo Alto, which shares its criminal research with Interpol. 

In one such case, for instance, in 2021, the Nigerian Police Force detained 11 members of certain cybercrime gangs, who are assumed to be part of a threat group ‘SilverTerrier’ recognized for their BEC scams, said Interpol on its website. 

During Operation Falcon II, which ran from December 13 to December 22, 2021, investigators analyzed data from the network's BEC scams, which were allegedly linked to 50,000 individuals. One suspect had more than 800,000 potential victim domain credentials on his laptop, while no monetary amount was disclosed. 

In regards to this, Interpol said, “Through Interpol’s Gateway initiative, Palo Alto Networks’ Unit 42 and Group-IB (a cyber-security firm) have contributed to investigations by sharing information on ‘SilverTerrier’ threat actors, and analyzing data to situate the group’s structure within the broader organized crime syndicate. They also provided key technical expertise consultancy to support the Interpol teams.” 

The Gateway Initiatives aid law enforcement agencies and corresponding private companies to communicate information in a secure and quicker manner, in order to mitigate and disrupt cybercrime.

“We really see the significance of these (partnerships)... So you will see a lot of the law enforcement now openly talking to us and collaborating,” adds Mr. Ray  

Nigerian Scammers Specializing in BEC Attacks Continue to Mature

 

Cybersecurity researchers at Palo Alto Networks Unit 42 have actively tracked the evolution of SilverTerrier Nigerian Business Email Compromise (BEC) threat actors. 

From 2014 to the present, researchers have uncovered over 170,700 samples of malware directly linked to Nigerian BEC actors. These samples have been noticed in over 2.26 million phishing attacks targeting users across all industries worldwide.

Evolution of Nigerian threat actors 

Business email compromise (BEC) attacks are one of the most financially damaging cybercrimes and have been on the rise over the past seven years. The Nigerian threat actors dubbed SilverTerrier, have contributed greatly to this growth. These threat actors are responsible for collectively producing more than 170,700 samples of malware directly linked to 2.26 million attacks, according to Palo Alto Network findings. 

SilverTerrier specializes in business email compromise attacks, the kind of email fraud in which scammers impersonate a target’s coworker or friend, then ask for wire transfers. The focus on Nigerian threat actors provides insight into one of the world’s largest subcultures given Nigeria’s historic ranking as a top-five hotspot for cybercrime. 

When first discovered in 2014, SilverTerrier included only a few individuals experimenting with commodity malware. Presently, it has 540 individual threat actors performing attacks worldwide.

Researchers at Palo Alto Networks have traced one such individual named, Onuegwu Ifeany, who studied computer science at Imo State University and launched Ifemonums-Solution LTD as a legitimate business venture in late 2014. That same year, he began his criminal activities, and from 2014 until his arrest, he registered over 150 malicious domains for personal use and to support other actors. Many of these domains also served as command-and-control infrastructure for over 2,200 samples of malware, including Pony, LokiBot, PredatorPain, ISRStealer, ISpySoftware, Remcos, and NanoCore.

Over the past seven years, researchers have also discovered over 10 different commodity information stealer families employed by SilverTerrier actors, with more effective tools being adopted over older ones. Since 2014, the threat actors have employed 13 RAT families, with LuminosityLink, NJRat, Quasar, and WarZone dropping in popularity over time, but Netwire, DarkComet, NanoCore, Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat are still actively used. 

How to protect yourself against BEC attacks? 

According to GreatHorn report, nearly 50% of all BEC attacks result from the spoofing of an individual’s identity in the display name. Among those spear phishing emails, cybercriminals are also using company names (68%), names of individual targets (66%), and the name of boss/managers (53%) to conduct their attacks. By following the steps given below you can mitigate the risks: - 

  • Avoid free web-based e-mail accounts 
  • Enable multi-factor authentication for business email accounts
  • Don’t open any email from unknown parties
  • Secure your domain 
  • Double-check the sender’s email address
  • “Forward,” don’t “reply” to business emails 
  • Know your customers and vendor’s habit 
  • Always verify before sending money or data