AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
Ransomware stole a lot of headlines in 2016 as organizations across the world fell victim to it. From hospitals to city transit systems, the infectious malware invaded enterprises, encrypting files and generally wreaking havoc. For most of those afflicted, ransomware translated into lost productivity and gallant efforts by IT departments to restore data silos. For some, it meant paying a ransom worth several thousand dollars in bitcoin.
But for all the focus on this encrypting menace, there is another type of attack that is inflicting a much greater toll on besieged organizations. The heavy costs associated with this rapidly growing threat result in the loss of millions of dollars and, sometimes, the dismissal of company executives. Though this cyber assault isn’t garnering the share of the headlines that ransomware currently commands, corporations should take its intrusion far more seriously.
The attack is known as Business Email Compromise (BEC) or CEO fraud. Call it phishing on steroids. BEC is a high-stakes form of cyber scam that requires careful planning and stealthy reconnaissance by cybercriminals. Victimized organizations reside in all 50 states and over 100 countries. Unlike typical phishing attacks, BEC doesn’t target the naïve or easy prey; instead it specifically targets high-level business executives such as the CFO or corporate attorney, seeking to have a wire transfer initiated for some stated reason.
There is a reason why BEC attacks should be obtaining a greater share of the headlines. The money involved in these scams is big, really big. Take for example the hit taken by Ubiquiti, a San Jose-based manufacturer of networking technology for service providers and enterprises. On August 6, 2015, the company released its earnings statement for the fourth fiscal quarter, which included a revelation that the company had been victimized by a BEC scam that resulted in losses of $39.1 million and had impacted its bottom line. The loss was the result of a scam, discovered a month earlier, that involved an employee impersonation and a fraudulent request for a $46.7 million wire transfer to a bank located in Hong Kong. The company was able to recover $8.1 million of the transferred money.
The amount of groundwork and planning that goes into these types of attacks is extensive. An example of the preparation needed for a successful strike was the attack launched last year upon Bonnier Publications in Florida involving a Chinese bank. The scam consisted of two separate wire transfer requests of $1.5 million each. What made this scam so effective was that it was launched on the first day of work for the company’s newly hired CEO. Fortunately, the scam was discovered before the second transfer was issued. However extensive the required preparation is, the possible rewards are more than worth it to the attackers. Case in point was a BEC scam involving Crelan, a Belgian bank that lost $76 million, equal to 6% of its equity capital.
Thus far, BEC attacks have been based on four scenarios:
- Known as the “Bogus Invoice Scheme” or the “Supplier Swindle”, this ploy usually involves a business that has an established relationship with a supplier. The objective is to have a request fulfilled to wire funds for an invoice payment to an alternate, fraudulent account; the request arrives via spoofed email, telephone, or fax.
- Known as “CEO Fraud” or the “Business Executive Scam”, this scheme involves the impersonation of a high-level executive or attorney who directs an employee responsible for initiating wire transfers. The request usually involves a highly time-sensitive matter and a third-party bank to which the impersonator has access.
- This scenario is simply another take on CEO Fraud, except that in this case the actual email account of a high-level executive is compromised. Once hacked, the account is used to make requests for invoice payments to fraudster-controlled bank accounts. Messages are sent to vendors that the compromised account regularly communicates with. One advantage of this ploy for the attacker is that the afflicted company may not learn of the fraud until vendors contact it about the designated invoices.
- As a final take on the BEC con, cybercriminals target financial employees by posing as an attorney handling a confidential organizational matter. These attacks are usually timed at the end of the business week or just prior to holidays to coincide with the office hours of international financial institutions.
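A defender-side check for the scenarios above, added here as an example and not part of the original article: it parses a message and flags the warning signs common to the executive-impersonation and supplier-swindle variants, namely an executive display name sent from an outside or look-alike domain, a Reply-To that routes answers elsewhere, and urgent payment-redirection language. The corporate domain, executive names, keyword lists and sample message are assumed, constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the company's real mail domain and the
# executives whose identity a BEC actor would impersonate (constructed).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
# Phrases typical of a wire request or a change of banking details, plus urgency.
PAYMENT_TERMS = re.compile(r"\b(wire transfer|wire the funds|new bank account|updated banking details)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|today|confidential)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com, exampel.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message, in order."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    body = msg.get_payload()
    hits = []
    if name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        hits.append("executive display name from external domain")
    if 0 < edit_distance(from_domain, CORP_DOMAIN) <= 2:
        hits.append("look-alike sender domain")
    if reply_domain and reply_domain != from_domain:
        hits.append("reply-to domain differs from sender")
    if PAYMENT_TERMS.search(body) and URGENCY_TERMS.search(body):
        hits.append("urgent payment-redirection language")
    return hits

# Constructed sample: the CEO Fraud scenario sent from a look-alike domain.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
To: controller@example.com
Subject: Urgent wire

Please process an urgent wire transfer today; this is confidential.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

Any non-empty result is a reason to confirm the request out of band (a phone call to a known number), which is the control that defeats all four scenarios regardless of how convincing the message looks.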
For cybercriminals, the beauty of BEC phishing is obvious. It is highly cost-effective, and with only a few successful attacks, a hacker can make more money than an entire ransomware distribution channel can in a year. Unfortunately, the financial losses they inflict on their victims affect not only the victims’ checkbook but, in some cases, their stock price and financial viability. Ransomware is certainly a menace we must contend with, but BEC is a tragedy waiting to happen.