
Business email compromise still a big threat as attacks doubled in 2022

Business email compromise (BEC) attacks apparently doubled in 2022, according to a report by Secureworks. This is rather concerning, given that BEC is one of the least technically complicated cyberthreats.

Around the world, organizations continue to be amazed at the capabilities brought about by artificial intelligence (AI), especially when it comes to simplifying their workloads and enabling them to increase their productivity. AI tools like ChatGPT for example have taken workplace communication by storm, especially when it comes to preparing reports and even drafting emails.

Despite the endless possibilities the technology brings, cybersecurity issues continue to be a hurdle for businesses. In fact, cybercriminals are now using AI-driven tooling in their own attacks, which makes those attacks increasingly hard to trace.

But what’s more concerning is that new research by Secureworks’ Counter Threat Unit (CTU) shows that most of the security incidents it investigated actually had more humble beginnings. Simply put, while AI-driven threats are a concern, basic threats like BEC are still wreaking havoc on organizations, highlighting a need for businesses to focus on cyber hygiene to bolster their network defenses.

A business email compromise cyber attack is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. It is one of the most basic cyberthreats but can end up costing a company huge losses if the attack is successful. In 2021, the Internet Crime Complaint Center in the US received BEC-related complaints with claimed losses exceeding US$2.4 billion.
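To make the "basic" nature of BEC concrete, here is an added triage check (example code written for this page, not from Secureworks or the report) that scores a raw message on the four signals a BEC lure usually carries: an executive's display name on an external mailbox, a lookalike sender domain, a Reply-To header that quietly diverts replies to another mailbox, and an urgency-plus-payment pretext in the subject or body. ORG_DOMAIN, the executive name list, the keyword list and both sample messages are constructed assumptions.

```python
"""Heuristic BEC triage over a raw RFC 5322 message.

Added example for this page, not code from the Secureworks report.
ORG_DOMAIN, EXECUTIVES, PAYMENT_WORDS and the sample messages are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumption: the defending organisation's domain
EXECUTIVES = {"jane doe", "ceo"}    # assumption: display names attackers impersonate
PAYMENT_WORDS = re.compile(
    r"\b(wire|invoice|bank details|gift cards?|urgent|payment)\b", re.IGNORECASE)

# Constructed lure: exec display name, lookalike domain (digit 1 for l),
# Reply-To pointing at a webmail account, urgency + payment pretext.
SAMPLE = b"""From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain; charset=utf-8

Hi, I'm in a meeting. Please process the attached invoice by wire before 3pm. Jane
"""

# Constructed benign internal mail for comparison.
BENIGN = b"""From: Bob Smith <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Want to grab lunch Thursday?
"""


def edit_distance(a, b):
    """Levenshtein distance; spots lookalike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of human-readable findings; an empty list means no BEC signal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    # 1. Display-name impersonation: an executive's name on a mailbox outside the org.
    if from_name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(f"display name '{from_name}' used from external domain {from_dom}")

    # 2. Lookalike sender domain: within two edits of the real one, but not equal.
    if from_dom and from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Reply-To hijack: replies go to a mailbox the attacker controls.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Content pretext: urgency plus money movement is the classic BEC lure.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in PAYMENT_WORDS.findall(text)})
    if len(hits) >= 2:
        findings.append("payment/urgency pretext: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE), ("benign", BENIGN)):
        print(label, triage(raw))
```

None of these checks needs a sandbox or a threat feed; they run on the headers the mail gateway already has, which is exactly why BEC is cheap for the attacker and cheap to flag for the defender. In production the executive list comes from the directory, and any message that trips the Reply-To or lookalike check should be held for review rather than merely tagged.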

The research showed that the number of incidents involving business email compromise has doubled, replacing ransomware as the most common type of financially motivated cyber threat to organizations. The growth in BEC was linked to a surge in successful phishing campaigns, which accounted for 33% of incidents where the initial access vector (IAV) could be established, a nearly three-fold increase compared to 2021 (13%).

CTU’s research also highlighted that an equally popular entry point for attackers – both nation-state and cybercriminal – was to exploit vulnerabilities in internet-facing systems, representing a third of incidents where IAV could be established. Typically, threat actors did not need to use zero-day vulnerabilities, instead relying on publicly disclosed vulnerabilities – such as ProxyLogon, ProxyShell and Log4Shell – to target unpatched machines.

Alongside the rise in business email compromise, ransomware incidents fell by 57%. That doesn’t mean ransomware should be taken lightly, as it remains a core threat. Secureworks believes this reduction could be due as much to a change in tactics as to a reduction in the level of the threat following increased law enforcement activity around high-profile attacks, like Colonial Pipeline and Kaseya. Equally, gangs may be targeting smaller organizations, which are less likely to engage incident responders and so are under-represented in the data.

According to Mike McLellan, Director of Intelligence at Secureworks, business email compromise requires little to no technical skill but can be extremely lucrative. McLellan pointed out that attackers can simultaneously phish multiple organizations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models.

“Let’s be clear, cybercriminals are opportunistic – not targeted. Attackers are still going around the parking lot and seeing which doors are unlocked. Bulk scanners will quickly show an attacker whose machines are not patched. If your internet-facing applications aren’t secured, you’re giving them the keys to the kingdom. Once they are in, the clock starts ticking to stop an attacker from turning that intrusion to their advantage. Already in 2023, we’ve seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging,” McLellan commented.

Business email compromise is not the only threat

Apart from BEC attacks, hostile state-sponsored activity increased to 9% of incidents analyzed, up from 6% in 2021, with 90% of those attacks attributed to threat actors affiliated with China. Financially motivated attacks still accounted for most of the incidents investigated outside of state-sponsored activity, representing 79% of the total sample, which is lower than in previous years. This could potentially be connected to the Russia and Ukraine conflict disrupting cybercrime supply chains. For instance, after internal files connected to the Conti ransomware group were leaked, the group took months to reconfigure and recover, which could have contributed to ransomware’s overall decline.

“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same. For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn’t. The same is true for the initial access vectors (IAVs); it’s all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to,” added McLellan.

McLellan also highlighted that once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict.

“As states such as China, Russia, Iran, and North Korea continue to use cyber to advance the economic and political goals of their countries, it is even more important that businesses get the right controls and resources in place to protect, detect, and remediate attacks,” he said.

Another interesting discovery from the report was the misconfiguration and absence of fundamental security controls in the cloud. When businesses rushed their cloud migration and adoption during the pandemic, many overlooked these basic controls, which makes things easier for cybercriminals. Multi-factor authentication (MFA) fatigue attacks – whereby an attacker who already holds a user’s password bombards that user with push notifications in an attempt to browbeat them into approving one – were also on the rise.

As such, to optimize security posture, Secureworks recommends that organizations ensure they have comprehensive visibility and intelligence-driven detection across their host, network, and cloud environments. More specific recommendations for preventing recurrence include centralized log retention and analysis across host, network and cloud resources, and reputation-based web filtering and network detection for suspicious domains and IPs.
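The MFA fatigue attacks described earlier and the centralized log analysis recommended here meet in practice in a detection rule. As an added example (not code from the report, and not tied to any vendor’s log schema), the following Python scans constructed JSON-lines sign-in records for push bombing: it raises a medium-severity alert the moment a user receives THRESHOLD push challenges within WINDOW, and a high-severity one when an approval follows a run of denials, which is the moment the user gave in. The field names (ts, user, event, result, src), the window, the threshold and the log lines are all assumptions.

```python
"""MFA-fatigue (push bombing) detection over centralized sign-in logs.

Added example for this page, not from the Secureworks report. The JSON field
names (ts, user, event, result, src), WINDOW and THRESHOLD are assumptions;
the log lines below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: how long one burst may span
THRESHOLD = 5                    # assumption: pushes inside WINDOW that count as bombing

# Constructed sample log: alice is bombarded and finally approves; bob is normal.
SAMPLE_LOG = """
{"ts": "2023-03-01T08:00:05Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2023-03-01T08:00:40Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2023-03-01T08:01:10Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2023-03-01T08:01:45Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2023-03-01T08:02:20Z", "user": "alice", "event": "mfa_push", "result": "denied", "src": "203.0.113.7"}
{"ts": "2023-03-01T08:03:00Z", "user": "alice", "event": "mfa_push", "result": "approved", "src": "203.0.113.7"}
{"ts": "2023-03-01T08:03:02Z", "user": "alice", "event": "login", "result": "success", "src": "203.0.113.7"}
{"ts": "2023-03-01T09:00:00Z", "user": "bob", "event": "mfa_push", "result": "denied", "src": "198.51.100.4"}
{"ts": "2023-03-01T09:00:30Z", "user": "bob", "event": "mfa_push", "result": "approved", "src": "198.51.100.4"}
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (severity, rule, user, src, ts) tuples in time order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])          # ISO-8601 'Z' strings sort chronologically
    recent = defaultdict(deque)                  # user -> deque of (ts, result)
    alerts = []
    for e in events:
        if e["event"] != "mfa_push":             # only push challenges matter here
            continue
        ts = parse_ts(e["ts"])
        q = recent[e["user"]]
        while q and ts - q[0][0] > window:       # slide the window forward
            q.popleft()
        denied_before = sum(1 for _, r in q if r == "denied")
        q.append((ts, e["result"]))
        if e["result"] == "approved" and denied_before >= threshold - 1:
            # The user finally tapped approve after a run of denials: treat as compromise.
            alerts.append(("high", "approval_after_push_bombing", e["user"], e["src"], e["ts"]))
        elif len(q) == threshold:
            # First crossing of the threshold inside the window: the bombing itself.
            alerts.append(("medium", "push_bombing", e["user"], e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The rule only works if the identity provider’s sign-in events are retained centrally and in order, which is the point of the recommendation above. The medium alert is the trigger to call the user and reset the password the attacker already holds; the high alert is an incident, because the approval means the attacker now has a session. Number matching in the authenticator app removes the "tap to approve" shortcut the attack depends on and is the corresponding preventive control.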