The security community has long been painfully aware of the threat of business email compromise (BEC), which has been used to defraud businesses and organizations of over $3 billion. These schemes start simply enough. Threat actors craft convincing-looking phishing emails using publicly available information about their targets. And attackers don’t rely on this detailed information alone to fool their targets. More sophisticated attackers can spoof a targeted organization’s email domain, tricking victims into thinking the phish is a legitimate email from an executive or one of their assistants.
Once the email is convincing enough, the attacker needs only to state their instructions for the account takeover so they can cash out.
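The domain spoofing and executive impersonation described above leave traces a receiving mail system can check. The following is an added example written for this article, not code from the original post or from SpyCloud. It assumes the receiving mail server stamps an Authentication-Results header (RFC 8601) with SPF and DKIM verdicts, that the organization’s own domain is `example.com`, and that a watchlist of executive names is available; all three sample messages are constructed for illustration.

```python
"""Flag BEC-style sender spoofing in inbound mail.

Added example; assumes the receiving MTA stamps an Authentication-Results
header and that ORG_DOMAIN and EXECUTIVES are known to the defender.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # assumed protected domain
EXECUTIVES = {"carole gratzmuller", "jane doe"}  # assumed executive watchlist


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg):
    """Parse 'spf=pass', 'dkim=fail', ... out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in pairs}


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    auth = _auth_results(msg)
    findings = []

    if from_dom == ORG_DOMAIN:
        # Mail claiming to come from our own domain must authenticate;
        # an unauthenticated internal sender is the classic spoofed domain.
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            findings.append("domain-spoof")
    elif name.strip().lower() in EXECUTIVES:
        # An executive's display name on an external mailbox: display-name
        # impersonation, the low-tech cousin of domain spoofing.
        findings.append("display-name-impersonation")

    if reply_addr and _domain(reply_addr) != from_dom:
        # Replies silently routed to a different domain than the sender's.
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_MESSAGE = """From: "Carole Gratzmuller" <ceo@example.com>
To: accounting@example.com
Reply-To: ceo@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Urgent wire transfer

Please wire the funds today.
"""

IMPERSONATION_MESSAGE = """From: "Carole Gratzmuller" <carole.gratzmuller@webmail.example.net>
To: accounting@example.com
Reply-To: payments@mail.example.org
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail.example.net; dkim=pass
Subject: Re: invoice

I am travelling, please handle this quietly.
"""

LEGITIMATE_MESSAGE = """From: "Carole Gratzmuller" <ceo@example.com>
To: accounting@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Board meeting

See you at 10.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE),
                       ("impersonation", IMPERSONATION_MESSAGE),
                       ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, check_message(raw) or "clean")
```

The check deliberately treats an unauthenticated message from the organization’s own domain as the highest-confidence signal, because that is exactly what publishing SPF, DKIM and DMARC records lets a receiver verify; the display-name and Reply-To checks catch the cheaper variants that never touch the real domain.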
French industrial equipment manufacturer Etna Industrie fell victim to a BEC scheme in 2022. Its CEO, Carole Gratzmuller, returned to work to find that her accountant had wired $542,000 to foreign banks at the direction of a message from a criminal impersonating her.
Sometimes attackers use data from open-source intelligence gathering and social engineering to craft a convincing phish targeted at an executive. Stolen credentials are especially valuable here, particularly if they can be used to take over the email account of an executive assistant and send the email from it. Attackers can instruct the recipient to siphon funds into attacker-controlled mule accounts, or they can place a link in the email that leads to an attacker-controlled phishing page. When the victim enters their credentials there, attackers obtain an exceptionally high-value set of credentials, especially when the targeted executive tends to reuse passwords across accounts. Attackers might also manipulate lower-ranking employees into initiating a bank transfer on behalf of an executive (“CEO fraud”) or into making changes from inside the organization that make fraudulent wire transfers harder to detect.
Such was the case with the Olympic Vision BEC campaign. The campaign, detected by security researchers from Trend Micro in March 2022, targeted companies in the U.S. and Asia in the real estate, manufacturing and construction sectors. The emails crafted by those behind the campaign carried a keylogger, since dubbed “Olympic Vision”, in their attachments. Once opened, the attachments installed a backdoor through which the attackers could log keystrokes and take screenshots to steal personal information and perform network reconnaissance.
Patching the Human Factor
Defending against schemes that use sophisticated social engineering is easier said than done. Experts agree that humans can be the weakest link in any organization’s security posture.
According to the FBI, BEC has seen a 1,300% increase in exposed losses since January 2015, totalling over $3 billion. Furthermore, undetected attackers may use their access to an organization to take note of its billing systems, vendors, and even employees’ communication styles. Once inside, attackers may spend months studying their environment before launching an attack. Olympic Vision gathers its target’s computer name, saved browser credentials, FTP client, IM client and email client credentials, keystrokes, network information, screenshots, clipboard contents, and text. This is valuable information, especially for attackers who can adapt existing exploits to the weaknesses it reveals.
Fortunately, BEC and phishing campaigns with technical components can be defended against through keen awareness of the malware they use. Malware like that found in Olympic Vision gathers the information that makes this type of compromise quieter: emails containing billing information, for example, help the attacker ensure staff aren’t alerted when a fraudulent transaction is initiated. Organizations can be proactive in updating their network defences with the IoCs associated with malware found in BEC campaigns, such as Olympic Vision and HawkEye.
But what happens when criminals already have stolen credentials?
When passwords are reused between employees’ corporate and personal accounts, credentials that have already been exposed in a breach and tested through credential-stuffing techniques are fair game for use in BEC campaigns.
Criminals able to match personal accounts to corporate accounts using an employee’s personal information are more likely to breach the corporate account with the objective of crafting a fraudulent email. If that email address belongs to someone who regularly corresponds with executives, such as an executive assistant, the phish becomes that much more convincing.
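One concrete countermeasure to the reuse problem just described is to refuse any corporate password that already appears in a breach corpus at the moment it is set. The following is an added example written for this article, not code from the original post and not SpyCloud’s product or API. It assumes a locally held corpus of SHA-1 digests of leaked passwords (constructed here with three entries) and shows the k-anonymity range lookup pattern, in which only the first five hex characters of the hash ever leave the client, so the password itself is never disclosed to the lookup service.

```python
"""Screen a proposed password against a breach corpus using a k-anonymity
range lookup. Added example; BREACHED_DIGESTS is a constructed stand-in
for a real breach corpus, and the 'server' and 'client' sides are plain
functions so the whole flow runs offline.
"""
import hashlib

# Constructed breach corpus: upper-case SHA-1 digests of leaked passwords.
# (A real corpus would hold hundreds of millions of entries.)
BREACHED_DIGESTS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2015!", "Password123", "letmein")
}

PREFIX_LEN = 5  # hex characters shared with the lookup service


def _sha1_hex(password):
    """Upper-case SHA-1 hex digest of the candidate password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Server side: return every digest suffix whose digest starts with
    `prefix`. The server never learns which suffix the client wanted."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return {d[PREFIX_LEN:] for d in BREACHED_DIGESTS if d.startswith(prefix)}


def is_breached(password):
    """Client side: hash locally, send only the prefix, match the suffix
    against the returned range."""
    digest = _sha1_hex(password)
    return digest[PREFIX_LEN:] in range_lookup(digest[:PREFIX_LEN])


def validate_new_password(password, min_length=12):
    """Policy hook for a password-change endpoint. Returns (ok, reason).

    Breach membership is checked first because a leaked password is
    unsafe regardless of its length or complexity."""
    if is_breached(password):
        return False, "found in breach corpus"
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password123", "letmein", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(candidate))
```

Rejecting breached passwords at change time, rather than after a credential-stuffing attempt succeeds, is the point: it removes the reused personal password from the corporate account before an attacker can match the two.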
Unfortunately, the most significant vulnerability for almost any organization is also the hardest to patch. Patching the human factor can only be achieved through ambitious and practical education of every employee who uses technology to do their job. Organizations may also update acceptable use policies to make security best practices mandatory for all employees.
Beyond education and patching, large organizations and SMBs can benefit from SpyCloud’s early warning breach detection platform. Publicly available credentials make your organization even more vulnerable to actors performing reconnaissance before sending a phishing email. Limiting your public exposure is a valuable countermeasure against attackers searching for something to pivot from during the reconnaissance phase. To prevent account takeover, you need to think like an attacker, and until you know your exposure you don’t have the full picture, whether your adversary is an individual in a cracking community or an organized crime ring.