The multiplying impact of BEC attacks

The 2023 Verizon Data Breach Investigations Report (DBIR) has confirmed what FBI’s Internet Crime Complaint Center has pointed out earlier this year: BEC scammers are ramping up their social engineering efforts to great success.

BEC attackers targeting the real estate sector

The FBI has recently published a new public services announcement, warning again about the continuous evolution and danger of BEC attacks.

“Between December 2021 and December 2022, there was a 17% increase in identified global exposed losses,” the FBI shared.

“In 2022, the IC3 saw an increase in BEC reporting with a nexus to the real estate sector and BEC incidents where funds were transferred directly to a cryptocurrency exchange, or to a financial institution holding a custodial account for a cryptocurrency exchange. The BEC scam targets all participants in real estate transactions, to include buyers, seller, real estate attorneys, title companies, and agents.”

BEC attacks against the financial services sector

Microsoft’s threat analysts have recently uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations.

Attack chain from AiTM phishing attack to BEC (Source: Microsoft)

This particular attack started with a phishing email from one of the target organizations’ trusted vendors, instructing the target to view or download a fax document.

The link pointed to a malicious URL hosted online graphic design platform Canva, hosting a page showing a fake OneDrive document preview and links containing another phishing URL, pointing to a spoofed Microsoft sign-in page requesting a password.

“After the target provided the password on the phishing page, the attacker then used the credentials in an authentication session created on the target website,” Microsoft explained.

“When the attacker is prompted with MFA in the authentication session, the attacker modified the phishing page into a forged MFA page. Once the target completed the multifactor authentication, the session token was then captured by the attacker.”

Attackers then used the stolen cookie (through a session replay attack) to sign in, and took advantage of badly configured MFA to gain access. This allowed for the second stage of the phishing attack, when the threat actors sent over 16,000 emails to the target’s contacts.

“The attacker then monitored the victim user’s mailbox for undelivered and out of office emails and deleted them from the Archive folder. The attacker read the emails from the recipients who raised questions regarding the authenticity of the phishing email and responded, possibly to falsely confirm that the email is legitimate. The emails and responses were then deleted from the mailbox,” Microsoft added.

Some of those 16,000 emails that have been sent out are bound to have been successful, and the attackers likely repeated the same process again.

BEC scammers are master of social engineering

More often than not, BEC attackers are after the target companies’ money or sensitive information, but the FBI has recently warned that they are also occasionally after physical goods (construction materials, agricultural supplies, computer technology hardware, and solar energy products).

In these latest attacks outlined by Microsoft, it’s clear how the attackers are exploiting the trust relationship companies have established with partner/customer organizations, thus increasing the attack’s effectiveness, while potentially destroying business connections, reputation and trust.

BEC cybercriminals are also not limiting their attacks to emails. According to a recent report by IRONSCALES and Osterman Research, they are using SMS messages (36%), social media connection requests (28%), and phone calls (22%) as well.

FBI’s advice for protection against BEC attacks:

• Use secondary channels or two-factor authentication for verifying account changes.
• Verify email URLs and watch out for misspelled domain names.
• Avoid sharing login credentials or personal information via email.
• Verify the sender’s email address, especially on mobile devices.
• Enable full email extensions on employees’ computers.
• Monitor personal financial accounts for irregularities.