Published on September 16th, 2019

How Phishers 3.0 Attack Businesses in 2019

Phishing, a prevalent form of social engineering aimed at stealing account credentials or money, is running rampant across the global cyber threat ecosystem. What makes these campaigns so prolific nowadays? First, they take much less effort to carry out than the average malware distribution scheme. Second, because they are delivered by email and web pages, nearly every Internet user is a potential victim.

By David Balaban

BEC and Lateral Attacks

Many "mainstream" phishing hoaxes are like shots in the dark, with deceptive emails being randomly sent to thousands of people at a time. Contrary to this, some hacking groups focus on compromising specific businesses. The motivation behind the latter approach is clear: companies are much juicier targets than individuals. On the other hand, enterprise security tends to be a hard nut to crack. In response to this dilemma, the crooks are coming up with increasingly sophisticated tactics that allow them to defraud high-profile victims of funds or sensitive data.

BEC scam involving elaborate victim validation

BEC (business email compromise) is a type of phishing where malefactors impersonate an organization's senior-level executive or trusted partner in order to hoodwink an employee into transferring money to their rogue bank account. This scheme typically relies on a prior hack of an email account belonging to the CEO or to a contractor the company closely cooperates with.

In June 2019, cyber intelligence experts spotted a somewhat unusual BEC wave being perpetrated by a group of threat actors referred to as Curious Orca. This is a relatively new gang reportedly operating from West Africa. An offbeat hallmark of this campaign revolves around the way the criminals validate the list of previously harvested contact information. This is a critical reconnaissance phase of such frauds that ensures the would-be victims' profiles are accurate and can be leveraged to orchestrate an effective attack the recipients are likely to fall for.

In most cases, con artists behind BEC scams collect information on specific employees by resorting to commercial services available in the cybercriminal underground. The benefit of this mechanism is that the entire data processing cycle is provided on a turnkey basis for a fee, which means the routine is easy and hassle-free for the adversary. All it takes is running a custom search with the dodgy platform that will generate a spreadsheet with comprehensive details about the corporate employees who meet the criminals' criteria.

Let's now zoom back in on the Curious Orca crew. Instead of utilizing the above technique, they prefer a much more tedious workflow that boils down to validating the raw information by hand. The logic of this technique is to send blank emails to all potential targets. This test run is expected to give the attackers an idea of which email addresses are legitimate. If the enterprise email server returns a bounce notification, it means there is no such recipient. Otherwise, the felons will compile a list of valid addresses and enrich the information with extra details, such as the name and job title of every target.

According to the researchers, this phishing group has been extremely busy doing their manual validation work lately. For instance, a single Curious Orca associate has sent probing messages to nearly 8,000 email addresses related to more than 3,000 firms in a dozen countries. As a viable countermeasure for this BEC vector, the white hats recommend that businesses disable email bounce alerts to senders from outside of the organization.
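The bounce-probe reconnaissance described above leaves a signature in the mail server's own logs: one external sender hitting many distinct local mailboxes in a short window, a large share of which do not exist. The following detection script is an added example, not code from the article or from the researchers it cites. The log lines are constructed in a simplified Postfix-style format, and the local domain, field layout and thresholds are assumptions to be adapted to a real MTA.

```python
"""Flag external senders that probe many mailboxes to discover valid addresses.

Added example (not from the article). The log format below is a simplified,
constructed Postfix-like "status=" record; the domain name, field layout and
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed local domain

# Constructed sample log: one sender sweeps six mailboxes, four of them unknown;
# a partner sends two ordinary messages, one of which bounces.
SAMPLE_LOG = """\
2019-06-03T09:00:01 from=<probe@mail-test.invalid> to=<alice@example.com> status=sent
2019-06-03T09:00:02 from=<probe@mail-test.invalid> to=<bob@example.com> status=bounced (User unknown)
2019-06-03T09:00:03 from=<probe@mail-test.invalid> to=<carol@example.com> status=bounced (User unknown)
2019-06-03T09:00:04 from=<probe@mail-test.invalid> to=<dave@example.com> status=sent
2019-06-03T09:00:05 from=<probe@mail-test.invalid> to=<erin@example.com> status=bounced (User unknown)
2019-06-03T09:00:06 from=<probe@mail-test.invalid> to=<frank@example.com> status=bounced (User unknown)
2019-06-03T09:05:00 from=<partner@supplier.example.net> to=<alice@example.com> status=sent
2019-06-03T09:06:00 from=<partner@supplier.example.net> to=<bob@example.com> status=bounced (User unknown)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> status=(?P<status>\w+)"
)


def parse_log(text):
    """Turn log text into a list of delivery events; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
            "status": m["status"],
        })
    return events


def find_bounce_probes(events, window=timedelta(minutes=10),
                       min_rcpts=5, min_unknown_ratio=0.5):
    """Return {sender: {"recipients": n, "unknown": k}} for external senders
    that reached at least min_rcpts distinct mailboxes inside one window with
    at least min_unknown_ratio of them bouncing as unknown."""
    by_sender = defaultdict(list)
    for ev in events:
        if ev["sender"].rsplit("@", 1)[-1] == INTERNAL_DOMAIN:
            continue  # internal senders are out of scope for this check
        by_sender[ev["sender"]].append(ev)

    findings = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Sliding window over this sender's events, ordered by time.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            rcpts = {e["rcpt"] for e in chunk}
            unknown = {e["rcpt"] for e in chunk if e["status"] == "bounced"}
            if len(rcpts) >= min_rcpts and len(unknown) >= min_unknown_ratio * len(rcpts):
                if best is None or len(rcpts) > best["recipients"]:
                    best = {"recipients": len(rcpts), "unknown": len(unknown)}
        if best:
            findings[sender] = best
    return findings


if __name__ == "__main__":
    for sender, stats in find_bounce_probes(parse_log(SAMPLE_LOG)).items():
        print(f"probe suspected from {sender}: {stats}")
```

The ratio test is what separates a probe from a legitimate partner who occasionally mistypes an address: the supplier in the sample bounces once out of two and is ignored, while the sweeping sender is reported with six recipients, four of them unknown. If bounces to external senders are suppressed, as the researchers recommend, the same logic applies to the MTA's rejected-recipient records instead of the `bounced` status.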

Lateral attacks on the rise

When a lateral phishing attack is underway, the crooks take advantage of a previously compromised email account within a company in order to dupe employees into handing over their credentials. Unlike BEC scams that also leverage breached enterprise accounts as a launchpad for the exploitation, lateral incursions seek to wheedle out authentication info rather than money.

Security analysts investigating this growing offensive vector have recently released a report that speaks volumes about the scope of the menace. The examination of 180 active lateral phishing onslaughts revealed that 11% of them resulted in compromising other staff within the same company. Moreover, 42% of these successful scams were never reported to the organizations' IT security teams, thus potentially allowing the malicious actors to expand the attack surface without hindrance.

The message templates used in most of the lateral raids under scrutiny include fake alerts about an issue with the recipient's email account, and notifications containing a link to a shared document. In both scenarios, the victims are redirected to landing pages that mimic login forms where the employees are supposed to enter their sensitive credentials.

It's noteworthy that a vast majority of these frauds utilize nonspecific email subjects, while only 7% are highly targeted and aligned with the company's business model and the peculiarities of internal collaboration between departments. In order to prevent a hacked account owner from identifying the shady activity, some crooks quickly delete scam messages they send and receive. Furthermore, they may even reply to emails to reassure the recipients that the original messages are trustworthy.

To raise the bar for attackers, businesses should enforce the use of 2FA (two-factor authentication) for logging into their IT services. Security awareness training of the personnel and effective security solutions will add an extra layer of protection as well.
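The lateral phishing traits described above (an internal sender, generic "account issue" or "shared document" wording, a link that leads off to a look-alike login page, and sent messages that are purged straight away) can be turned into a simple scoring rule over mailbox audit data. The script below is an added example, not code from the article or the report it summarizes. The message records are constructed, and the local domain, link allowlist, lure keywords and score threshold are assumptions.

```python
"""Score outbound internal mail for lateral-phishing indicators.

Added example (not from the article). Message records are constructed and
simplified; in practice they would come from mailbox audit logs. The domain
names, lure keywords and thresholds are assumptions.
"""
import re
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                                    # assumed local domain
TRUSTED_LINK_DOMAINS = {"example.com", "sharepoint.example.com"}  # assumed allowlist

# Generic lure wording the article describes: account problems and shared documents.
LURE_PATTERNS = [
    re.compile(r"\b(account|mailbox|password)\b.*\b(issue|problem|suspend|verify|expire)", re.I),
    re.compile(r"\b(shared|sent you) (a )?(document|file)\b", re.I),
]
URL_RE = re.compile(r"https?://[^\s<>\"]+")

# Constructed sample messages: a hijacked account (pat) and a normal HR broadcast.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "pat@example.com",
     "recipients": [f"{u}@example.com" for u in "abcdef"],
     "subject": "Action required: mailbox issue",
     "body": "Please verify here: http://login-portal.invalid/owa",
     "purged_from_sent": True},
    {"id": "m2", "sender": "hr@example.com",
     "recipients": [f"{u}@example.com" for u in "abcdef"],
     "subject": "Q3 holiday calendar",
     "body": "See https://sharepoint.example.com/sites/hr/calendar",
     "purged_from_sent": False},
    {"id": "m3", "sender": "pat@example.com",
     "recipients": ["g@example.com"],
     "subject": "Shared a document with you",
     "body": "http://login-portal.invalid/docs",
     "purged_from_sent": True},
]


def _is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def score_message(msg, broadcast_threshold=5):
    """Return (score, reasons) for one outbound message from an internal account."""
    score, reasons = 0, []
    if msg["sender"].rsplit("@", 1)[-1] != INTERNAL_DOMAIN:
        return 0, ["sender is not internal; out of scope"]

    # Links pointing outside the allowlist are the strongest single indicator.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(msg["body"])}
    if any(h and not _is_trusted_host(h) for h in hosts):
        score += 2
        reasons.append("link to untrusted domain")

    if any(p.search(msg["subject"]) for p in LURE_PATTERNS):
        score += 1
        reasons.append("generic lure wording in subject")

    if msg.get("purged_from_sent"):
        score += 1
        reasons.append("message deleted from Sent immediately")

    internal_rcpts = {r for r in msg["recipients"] if r.endswith("@" + INTERNAL_DOMAIN)}
    if len(internal_rcpts) >= broadcast_threshold:
        score += 1
        reasons.append(f"sent to {len(internal_rcpts)} internal recipients")

    return score, reasons


def flag_lateral_phishing(messages, threshold=3):
    """Return the ids of messages whose score reaches the threshold."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], *score_message(m))
    print("flagged:", flag_lateral_phishing(SAMPLE_MESSAGES))
```

The HR broadcast reaches the same six recipients as the first scam message but carries only a trusted link and ordinary wording, so it scores 1 and is not flagged; both messages from the hijacked account are. Weighting the off-domain link highest keeps the rule useful against the 93% of campaigns the report describes as nonspecific, where subject lines alone give little to go on.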

Summary

The human is the weakest link in the security posture of many modern organizations. This is because people often act on their emotions, and cybercriminals know how to pull the right strings at the right time. For instance, both the BEC and lateral phishing attacks rely on the fact that most employees trust their colleagues and senior management. It comes as no surprise that the impersonation trick works wonders for threat actors.

To stay on the safe side, companies should strengthen their authentication practices and nurture the security mindset of the personnel. A reliable IDS (intrusion detection system) is an additional tier of defense that will keep most phishers at bay.

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.
