Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion.
Microsoft has observed an increase in sophistication and tactics by
threat actors specializing in business email compromise (BEC), including
leveraging residential internet protocol (IP) addresses to make attack
campaigns appear locally generated.
This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS)
and has caught federal law enforcement’s attention because it allows
cybercriminals to evade “impossible travel” alerts used to identify and
block anomalous login attempts and other suspicious account activity.
Microsoft’s Digital Crimes Unit has observed a 38 percent increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022.
Inside the rise of BulletProftLink’s industrial-scale BEC service
Cybercriminal activity around business email compromise is accelerating.
Microsoft observes a significant trend in attackers’ use of platforms,
like BulletProftLink, a popular platform for creating industrial-scale
malicious mail campaigns. BulletProftLink sells an end-to-end service
including templates, hosting, and automated services for BEC.
Adversaries using this CaaS receive credentials and the IP address of
the victim.
BEC threat actors then purchase IP addresses from residential IP services that match the victim’s location, creating residential IP proxies that let cybercriminals mask their origin. Armed with localized address space to support their malicious activities, in addition to usernames and passwords, BEC attackers can obscure their movements, circumvent “impossible travel” flags, and open a gateway to further attacks. Microsoft has observed threat actors in Asia and an Eastern European nation most frequently deploying this tactic.
Impossible travel is a detection used to indicate that a user account might be compromised. These alerts flag activity performed from two locations within a time window too short to physically travel from one location to the other.
The specialization and consolidation of this sector of the cybercrime economy
could escalate the use of residential IP addresses to evade detection.
Residential IP addresses mapped to locations at scale provide the
ability and opportunity for cybercriminals to gather large volumes of
compromised credentials and access accounts. Threat actors are using
IP/proxy services that marketers and others may use for research to
scale these attacks. One IP service provider, for example, has 100
million IP addresses that can be rotated or changed every second.
While threat actors
use phishing-as-a-service like Evil Proxy, Naked Pages, and Caffeine to
deploy phishing campaigns and obtain compromised credentials, BulletProftLink offers a decentralized gateway design, which includes Internet Computer public blockchain nodes to host phishing
and BEC sites, creating an even more sophisticated decentralized web
offering that’s much harder to disrupt. Distributing these sites’
infrastructure across the complexity and evolving growth of public
blockchains makes identifying them, and aligning takedown actions, more
complex. While you can remove a phishing link, the content remains
online, and cybercriminals return to create a new link to existing CaaS
content.
Successful BEC attacks cost organizations hundreds of millions of
dollars annually. In 2022, the FBI’s Recovery Asset Team initiated the
Financial Fraud Kill Chain on 2,838 BEC complaints involving domestic
transactions with potential losses of over $590 million.
Although the financial implications are significant, wider long-term
damages can include identity theft if personally identifiable
information (PII) is compromised, or loss of confidential data if
sensitive correspondence or intellectual property are exposed in
malicious email and message traffic.
Business email compromise phishing mail by type. Data represents a snapshot of BEC phishing by type, January 2023 through April 2023.
Top targets for BEC are executives and other senior leaders, finance
managers, and human resources staff with access to employee records like
Social Security numbers, tax statements, or other PII. New employees,
who are perhaps less likely to verify unfamiliar email requests, are also
targeted. Nearly all forms of BEC attacks are on the rise. Top trends
for targeted BEC include lure, payroll, invoice, gift card, and business
information.
BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering
and the art of deception. Instead of exploiting vulnerabilities in
unpatched devices, BEC operators seek to exploit the daily sea of email
traffic and other messages to lure victims into providing financial
information, or taking a direct action like unknowingly sending funds to
money mule accounts, which help criminals perform fraudulent money
transfers.
Unlike a “noisy” ransomware attack
featuring disruptive extortion messages, BEC operators play a quiet
confidence game using contrived deadlines and urgency to spur
recipients, who may be distracted or accustomed to these types of urgent
requests. Instead of novel malware, BEC adversaries align their tactics
to focus on tools improving the scale, plausibility, and inbox success
rate of malicious messages.
Although there have been several high-profile attacks that leverage
residential IP addresses, Microsoft shares law enforcement and other
organizations’ concern that this trend can be rapidly scaled, making it
difficult in more cases to detect activity with traditional alarms or
notifications.
Variances in login locations are not inherently malicious. For example, a
user might access business applications with a laptop via local Wi-Fi,
and simultaneously be signed into the same work apps on their smartphone
via a cellular network. For this reason, organizations can tailor
impossible travel flag thresholds based on their risk tolerance.
However, the industrial scale of localized IP addresses for BEC attacks
creates new risks for enterprises, as adaptive BEC and other attackers
increasingly take the option of routing malicious mail and other
activity through address space near their targets.
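To make the detection described above concrete, here is an added example (not Microsoft’s detection logic) that runs an impossible-travel check over constructed sign-in events: a laptop and phone in the same city pass, a sign-in from another continent 85 minutes later is flagged, and a sign-in routed through address space geolocated near the user is not, which is exactly the blind spot the residential-proxy tactic exploits. The user names, timestamps and coordinates are constructed sample data; the 900 km/h threshold is an assumed setting to be tuned to an organization’s risk tolerance.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (user, UTC time, latitude, longitude of the source IP).
SIGN_INS = [
    ("alice", "2023-03-01T09:00:00Z", 47.61, -122.33),  # Seattle, laptop on office Wi-Fi
    ("alice", "2023-03-01T09:05:00Z", 47.62, -122.35),  # Seattle, phone on cellular
    ("alice", "2023-03-01T10:30:00Z", 50.45, 30.52),    # Kyiv, 85 minutes later: implausible
    ("bob",   "2023-03-01T08:00:00Z", 40.71, -74.01),   # New York, normal sign-in
    ("bob",   "2023-03-01T08:20:00Z", 40.73, -73.99),   # New York again: a proxy near the
]                                                        # victim looks like local activity

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner speed; tune per risk tolerance


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, timestamp) for every sign-in that would have required moving faster
    than max_kmh since that user's previous sign-in. Events need not be pre-sorted."""
    alerts = []
    last_seen = {}  # user -> (time, lat, lon) of the most recent sign-in processed
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        prev = last_seen.get(user)
        if prev is not None:
            hours = (t - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], prev[2], lat, lon)
            # Non-zero distance in zero elapsed time counts as infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, ts))
        last_seen[user] = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    print(impossible_travel(SIGN_INS))  # [('alice', '2023-03-01T10:30:00Z')]
```

Bob’s second sign-in produces no alert because the source address geolocates a few kilometres from the first, so this control must be paired with other signals (device, session, mail-flow anomalies) rather than relied on alone.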
Recommendations:
Fighting business email compromise requires vigilance and awareness
Although threat actors have created specialized tools to facilitate BEC,
including phishing kits and lists of verified email addresses targeting
C-Suite leaders, accounts payable leads and other specific roles,
enterprises can employ methods to pre-empt attacks and mitigate risk.
For example, a domain-based message authentication, reporting, and conformance (DMARC)
policy of “reject” provides the strongest protection against spoofed
email, ensuring that unauthenticated messages are rejected at the mail
server, even before delivery. Additionally, DMARC reports provide a
mechanism for an organization to be made aware of the source of an
apparent forgery, information that they would not normally receive.
Although organizations are a few years into managing fully remote or
hybrid workforces, rethinking security awareness in the hybrid work era
is still needed. Because employees are working with more vendors and
contractors, thereby receiving more “first seen” emails, it’s imperative
to be conscious of what these changes in work rhythms and
correspondence mean for your attack surface.
Threat actors’ BEC attempts can take many forms – including phone calls,
text messages, emails, or social media messages. Spoofing
authentication request messages and impersonating individuals and
companies are also common tactics.
A good first defensive step is strengthening policies for accounting,
internal controls, payroll, or human resource departments on how to
respond when requests or notifications of changes regarding payment
instruments, banking or wire transfers are received. Taking a step back
to sideline requests that suspiciously do not follow policies, or
contacting a requesting entity through its legitimate site and
representatives, can save organizations from staggering losses.
BEC attacks offer a great example of why cyber risk needs to be
addressed in a cross-functional way with executives and leaders, finance
employees, human resource managers and others with access to employee
records like Social Security numbers, tax statements, contact info, and
schedules, at the table alongside IT, compliance, and cyber risk
officers.
Snapshot data represents average annual and daily BEC attempts
detected and investigated by Microsoft Threat Intelligence Digital
Crimes Unit (DCU) between April 2022 and April 2023. Unique phishing URL
takedowns directed by Microsoft Digital Crimes Unit are between May
2022 and April 2023.
35 million BEC attempts annually
156,000 BEC attempts daily
417,678 phishing URL takedowns