Spoofing, spear phishing dominate BEC attacks: report

Dive Brief:

Business email compromise attacks are dogging the enterprise, with 71% of organizations saying they experienced a spoofed email account over the past year, according to study sponsored by GreatHorn and conducted by Cybersecurity Insiders. The report is based on the online survey responses of 270 IT and cybersecurity professionals in the U.S. during the month of May.
With the move to remote work, the number of spear phishing attacks has risen, with 65% of IT security professionals saying their companies have experienced such an incident in 2021, according to the report. More than 50% said spear phishing has increased during the past 12 months; 39% of respondents experience spear phishing on a weekly basis.
Of the malicious links found in phishing emails, 57% are designed to steal credentials, often targeting C-suite executives or finance department employees. In addition, 22% of these emails include links to websites containing malicious payloads, including ransomware.

Dive Insight:

Criminal threat actors and state-sponsored attackers are still using email as a way to trick employees into accessing their corporate environments.

The move to remote work since March 2020 has exacerbated this trend as workers are no longer protected by corporate firewalls and have faced additional distractions of children doing remote education, spouses working alongside them at home as well as often insecure home Wi-Fi connections.

Despite the switch by many workers to cloud-based business applications, they are still facing threats that are not being caught by spam filters and built-in security systems, according to Kevin O'Brien, co-founder and CEO of GreatHorn.

"Organizations have adopted cloud email in a significant way during the last year," O'Brien said. "After doing so they were told by cloud email providers and legacy email security providers that email was protected. But these models aren't protecting to the level organizations require and users are still falling victim to BEC attacks — clicking links that harvest credentials, paying a fake invoice or downloading a malicious attachment."

The end game from the threat actor's perspective is usually either one of two things: the user winds up paying money into the threat actor's account or the threat actor is able to gain access into sensitive data or computer systems, according to O'Brien.

BEC attacks continue to trick users by spoofing identities, either the company name, the name of the victim or the name of a supervisor at work. Oftentimes the emails are sent to contacts in an unsuspecting victim's email account and others believe the emails are sent from a legitimate and trusted source before it's too late.

Threat actors most often use social engineering methods inside an email message, combined with a URL that leads to a phishing kit, according to O'Brien. The kit can either be used to steal credentials or deploy malware.

"When the malware is deployed, it is often in the form of direct ransomware that will lock a machine, propagate through a network or install a backdoor," O'Brien said via email. "Or the malware is used as a vector for gaining access to credentials (such as a keystroke logger)."

The report highlights the continued need to use multi-factor authentication as a method of preventing malicious actors from unauthorized email access, he said. Alternative authentication methods like keystroke biometrics may be an option that companies should consider, he said.

The threat actor that Microsoft calls Nobelium, launched a supply chain attack in late May that targeted government agencies and NGOs with phishing emails.