BEC attacks: Scammers’ latest tricks

BEC attacks are generally low-volume but, according to a recent survey by GreatHorn, 71% of organizations experienced at least one in the past year.

Trend Micro’s latest research has revealed that scammers have been ramping up their efforts and that some have switched to impersonating and targeting ordinary employees instead of executives or ranking management personnel.

“From our observations, BEC attacks don’t only target high-profile users but also any employee that can be found on social media networks with significant personal information published (such as LinkedIn). These pieces of information can be used to spoof employees and partners, and cause significant financial damage to businesses,” threat researchers and analysts Marshall Chen, Loseway Lu, Paul Pajares and Fyodor Yarochkin shared.

BEC attacks are often difficult to detect

Business email compromise (BEC) scams have been among the top three most lucrative cybercriminals schemes for the last several years.

Email security solutions have trouble detecting BEC scam emails because they are targeted toward specific recipients, generally don’t include malicious attachments or links, and often begin with innocuous requests. Also, the scammers use various other tricks, such as inserting spaces in between words (“I NVOICE” istead of “INVOICE”).

Intended targets, on the other hand, often fail to spot that these emails have spoofed senders / use spoofed email addresses, or don’t find the various email addresses / domains the scammers use suspect.

Tricks employed by the scammers

One of the tricks employed by BEC scammers is to register domain names with telecommunications industry-related keywords and names of service providers: sprint-mobile.net, 5g-tmobile.com, verizone4g-device.com, and so on.

Another is registering domains with lengthy names, common keywords, and new generic top-level domain (TLD) words: servermail-reply-office-works-secure-protecty-inbound-netsuite.one, systerm-proctection-outlook.management, reply-netsuite-mails.management, etc.

Sometimes the scammers will use other trust-inducing keywords in email addresses, such as mail_ceoofficial, chiefexecutiveoffice, officepresident and offshoreoffice.

To less tech-savvy employees, seeing some of these keywords is enough to consider the email legitimate and trustworthy. Some may even be fooled by the scammers’ use of free email services such as Gmail, Hotmail, and Outlook, since we’re all used to receiving legitimate emails from those popular email services.

Aside from free email services, BEC scammers also take advantage of:

• Local email services (e.g., virginmedia.com in the UK, or naver.com in South Korea);
• Encrypted email services (e.g., Tutanota, Protonmail, Cryptex);
• Self-registered domains and direct-to featured email service, so they can create look-alike domains (e.g., trendmjcro.com), local-looking ones (e.g., example-tw.com), and take advantage of positive email authentication (SPF, DKIM) results; and
• Stolen email credentials, to spam and reply to previous email conversations (especially finance- or purchase-themed threads).

Since security solutions can’t detect and block every BEC attack, it’s on companies to keep their workforce regularly updated on the latest scammers’ techniques and trained in spotting them and reporting them to IT or IT security teams.