7 Truths About BEC Scams

7 Truths About BEC Scams

Business email compromise attacks are growing in prevalence and creativity. Here’s a look at how they work, the latest stats, and some recent horror stories.

Last summer, the US Federal Bureau of Investigations (FBI) sounded a loud alarm for organizations about the growing danger of business email compromise (BEC) scams. At that time, the FBI said BEC fraud had cost organizations worldwide $12 billion in losses since 2013.

Since then, the threat has continued to grow more dire. Security industry researchers have shown BEC scams are increasing in scope and complexity as attackers perfect their attack playbooks to target an increasing number of victims around the globe.

Here, Dark Reading takes a look at how BEC scams work, the latest statistics on BEC prevalence, and some recent BEC horror stories that should help security professionals and users prepare themselves for this growing class of fraud.

How BEC Works

BEC scams vary, but the general commonality is that they go after well-placed individuals — those who control financial accounts — at both large and small organizations with very targeted spear-phishing attacks. Typically using either email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department. They’ll then convince the mark to either transfer money to a fraudster or change details in an existing financial transaction to benefit themselves.

The Fraudulent Activity

Some of the actions the bad guys are trying to trigger include getting their targets to transfer money to an account supposedly held by the company to cover a confidential transaction, paying a phony “unpaid” invoice, or diverting payroll for employees on auto-pay. The scenarios are plentiful, only limited to the creativity of attackers in coming up with a convincing social engineering “hook” that makes sense for whomever the target may be. In many cases, these transactions are sizable, and attackers will do considerable research to come up with a plausible, tailored story. 

Crooks Making a Mint

The crooks are making a fortune on these fraudulent transfers, fully embracing the philosophy of the “bigger the lie, the more believable it is” and, in many cases, convincing victims to transfer millions of dollars at a time. Last year a European cinema chain fell victim to a BEC attack that bilked $21.5 million in a series of transfers over the course of a month. The attackers targeted a Dutch regional executive at the firm by posing as the French CEO of the company that supposedly needed funds transferred for an acquisition.

According to security experts such as Crane Hassold, senior director of threat research at Agari, the upside for BEC attackers is huge because, in many cases, it takes very little technical acumen or infrastructure to carry out their attacks. As such, they expect the bad guys to continue flocking to BEC.

“The ROI for BEC is significantly higher than any of the other more technical cyberattacks,” Hassold told Dark Reading. “I think that’s going to be the next step. We’ll see other groups move into this space.”

Significant BEC Increases in the Past Year

That phenomenon of growing awareness from the bad guys is already making itself apparent in recent statistical analysis of BEC attack trends. According to a report earlier this spring by Proofpoint, the number of BEC attacks per targeted organization increased 476% year-over-year in the last quarter of 2018. Meantime, Mimecast found in its 2019 annual report on email security that impersonation and BEC attacks increased by 67%, with 73% experiencing direct losses.

That last point is important to remember, as BEC losses aren’t from damages to systems, downtime, or lost productivity. Instead, these are losses of cold, hard cash. All told, the FBI said that the known total losses for BEC equaled $2.7 billion in 2018

BEC Scammers Love Targeting CFOs and Financial Gatekeepers

While the types of victims vary from case to case, one thing is certain: The bad guys love to go after CFOs and other financial gatekeepers. In fact, one recent report showed that a multinational gang of attackers conducting BEC campaigns would actually seek out companies that sell contact information to marketers about CFOs to fuel its social engineering targeting efforts. This group not only uses the common “unpaid vendor” story to trick victims, but also other subterfuge, such as pretending to be an executive trying to conduct M&A activity who urgently needs a down payment so as not to jeopardize the deal.

From 419 to BEC Scams

A brand new research report from Agari found that for some cybercriminal games, BEC attacks are just a part of the bad guy’s well-balanced breakfast of fraudulent schemes. It highlighted one group called Scattered Canary, which initially started about 10 years ago by a lone Nigerian 419 scammer. Since then it has built up to at least 35 individuals who now make big bucks with BEC scams; they also conduct romance scams, credential harvesting, credit card and check fraud, and tax cons.

No Target Is Sacred

Everyone is fair game for BEC attackers. These criminals have stolen nest eggs from families during real-estate transactions, and just this spring they managed to steal $1.75 million from an Ohio Catholic parishthat was raising money for a church renovation. In that case, the criminals posed as a construction company the church was working for, claiming it had missed payments on the project.

Ericka Chickowski

Tracing the Supply Chain Attack on Andriod

JUN 19

Tracing the Supply Chain Attack on Android

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” () is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]combuydudu[.]comkelisrim[.]comopnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.

A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to a yehuo@blazefire.net. For the remainder of this post, we’ll focus on the bolded domain names below:

Domain Name      Create Date   Registrar
2333youxi[.]com 2016-02-18 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com 2000-08-24 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net 2010-11-22 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com 2015-03-09 GODADDY.COM, LLC
jyhxz.net 2013-07-02 —
longmen[.]com 1998-06-19 GODADDY.COM, LLC
longmenbiaoju[.]com 2012-12-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com 2013-10-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net 2014-01-20 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD

Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]comis the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”

Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and soon changed to Shanghai Blazefire as the owner.

The offices of Shanghai Quianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.

The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd.  According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Quianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.

“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016.  “The company is mainly engaged in mobile phone pre-installation business.”

That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:

-Crack the restrictions imposed by the manufacturer on the mobile phone.
-Research and master the android [operating] system
-Reverse the root software to study the root of the android mobile phone
-Research the anti-brushing and provide anti-reverse brushing scheme


Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net“.

Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.

“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”

Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.

The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”

It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.

According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.

Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.

It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.


6 Security Scams Set to Sweep This Summer

6 Security Scams Set to Sweep This Summer

Kelly Sheridan

Experts share the cybersecurity threats to watch for and advice to stay protected.

We look forward to summer’s warm weather, travel plans, and maybe some added relaxation. Cybercriminals look forward to summer’s new opportunities for scams and targeted attacks.

Seasonal threats aren’t new; for example, the holiday season typically brings phishing attacks in the form of fake package deliveries and fraudulent gift cards. Similarly, summertime, which drives an increase in flights and hotel stays, should put people on high alert for a wave of related scams.

Travelers taking time away from work and home are often too busy planning their vacations to protect their devices and data, but there’s no downtime for cyberattackers. Hackers are getting more advanced in their techniques to capture information, and they’re taking a closer look at the travel industry, targeting hotel chains and airlines with data breaches to capture loyalty program numbers, payment card data, and other personally identifiable information (PII).

But travel scams aren’t the only security threats to worry about this summer. Here, security experts weigh in on threats that should be top-of-mind for consumers and employees alike. Any threats you’re worried about that aren’t listed here? Feel free to share them in the Comments, below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Travel Security: Confidence Is Higher Than Deserved

In research released late last month, IBM discovered a disconnect between survey respondents’ confidence in their security practices and their actual security habits while on the road. One-quarter say they are “very” or “extremely” confident in their abilities to protect themselves from cybercrime while traveling; 37% say they’re “somewhat” confident. Only 16% and 9% say they’re “a little” or “not at all” confident, respectively.

But when asked about their travel habits, 24% of these confident respondents admit to connecting to public Wi-Fi networks every time they travel on business; 22% do the same on all personal trips. More than 25% bring and use a device containing confidential or sensitive work-related data when they travel for work; 16% do the same when traveling for pleasure. Nearly 20% of seemingly security-savvy travelers charge devices via public USB ports or charging stations when traveling for business; 17% do the same when they’re on vacation.

More than 70% of Americans have engaged in a higher-risk travel behavior – connecting to public Wi-Fi, for example, or charging on a public USB station – regardless of whether they’re traveling for business or pleasure. Charles Henderson, global managing partner at IBM and head of X-Force Red, points to another trend: “Very often, consumers treat work information differently than they treat personal information,” he says.

In addition, people are more likely to protect their own data than corporate trade secrets, a common issue faced by CISOs, he says. It is worth noting respondents travel far more frequently for personal than business reasons. Only 26% report traveling for work, while 84% say they primarily travel for personal reasons.

Seasonal Scams Turn Political

It’s not new for cybercriminals to capitalize on major events with phishing campaigns; we’ve previously seen this in Olympic Destroyer and World Cup-themed attacks. It is helpful, however, to know which trends are top-of-mind. This summer, it’s the 2020 presidential campaign.

“Obviously, political alliances and political leanings are something that’s useful in trying to get people,” says Adam Kujawa, director of Malwarebytes Labs.

Leading into the 2020 campaign, we’ll likely see several attempts by cybercriminals locally based in the US or Western countries. Will disinformation manifest in social media campaigns, as it did during the 2016 elections? Not necessarily. After social media came under a harsh spotlight following the last presidential campaign, Kujawa thinks criminals spreading gossip and disinformation will turn to phishing.

“These are the kind of focused attacks we see more against consumers,” he adds. Still, it’s important for employees to be aware of threats that could potentially arrive in their inboxes.

Loyal to Fraud

Cybercriminals are ramping up with attacks against travel companies. In recent years we’ve seen massive breaches at Marriott/StarwoodCathay Pacific, and British Airways. “The travel industry as a whole has been targeted much, much more,” IBM’s Henderson says, because it “has the trifecta of data criminals care about.”

This includes PII (names, passports, driver’s license numbers, birthdates), payment card data, and loyalty numbers. It’s an emerging trend for cybercriminals, he explains. “Loyalty programs, and loyalty fraud, is huge,” Henderson says. Rewards numbers for airlines and hotels are located on boarding passes and baggage tags. Cybercriminals have their eyes peeled, as points can be cashed in for free flight tickets and hotel stays, Henderson explains.

And because rewards customers are considered VIPs, hotels and airlines try to avoid inconveniencing them and often don’t pressure them for details if they call in with a loyalty program number. This makes it easy for criminals, armed with a loyalty program number, to pretend to be someone else and walk away with free flights or hotel stays.

“They don’t want to be the inconvenient travel airline or hotel,” says Henderson, who points to a need for industry standards around traveler protection with respect to loyalty programs. He also advises companies in the travel industry to test what a breach looks like, so they can more effectively detect and respond to incidents when they occur.

Summertime Employment Scams

Job hunters should be aware of multiple variations of employment scams during the summer months, says Adrien Gendre, chief solution architect at Vade Secure. These impersonate companies of all sizes and industries, and while they happen year-round, they’re most prevalent during the summer months and at year’s end when people are job hunting.

Some scams arrive in the form of fake job offers appearing to come from recruiters at large companies. They invite recipients to join a job search database by downloading a free application, which is laced with malware. Others are deceptive spam emails, which claim to offer available jobs but redirect recipients to a fraudulent site. There are also LinkedIn phishing attempts, which try to manipulate people into sharing data or downloading malware.

“The topics of LinkedIn phishing emails range from bogus connection requests to fake job offers, with the goal of harvesting credentials and other personal information or installing malware,” Gendre says.

He advises employees to be logical: If something seems too good to be true, it likely is. “For instance, large, well-known companies typically have candidates flocking to them, so why would they need to blindly email people who may or may not have the necessary experience?” he says.

Further, think twice if an alleged recruiter demands an immediate response. Yes, you have to move quickly to land a dream job – but that’s exactly what the attacker wants.

Watch Your Wi-Fi

Travelers have a nasty habit of hunting down free Wi-Fi before and after their flights. Attackers are taking advantage, IBM’s Henderson says, and using this behavior to inform their strategies. Many have started to bring their own Wi-Fi hotspots and/or sting rays (fake cell towers designed to intercept data between devices and the Internet) into airports, hoping travelers will connect. While cybercriminals target travel companies year-round, they’re more likely to target travelers during peak times of the year.

“If you notice a behavior in travelers, you’re going to target it in the form of crime,” he explains. The airport is an interesting place because people who are getting off a flight and didn’t want to pay for in-flight Wi-Fi want to catch up with the world as soon as they land. Similarly, people whose devices are running low on battery are quick to plug into any USB charging port without stopping to think the connection could be malicious.

Malwarebytes Labs’ Kujawa also points to the risks associated with not only rogue hotspots, but public Internet. “Public Wi-Fi, combined with auto-connecting on devices, is a huge security vulnerability, in my opinion,” he says.

Travelers should be aware of when their devices connect to public Wi-Fi networks at Starbucks or McDonald’s, which can happen without their agreement. “That’s an easy way to not even be aware the information’s traveling over the network,” he adds.

Targeted in Transit

More than half of the respondents in IBM’s research are “very” or “extremely” concerned their credit cards or other sensitive information will be stolen while traveling, while about 31% say they are similarly concerned about this type of data theft at home. Nearly 40% say they put “a great deal” or “extreme amount” of effort into protecting digital data while traveling, 32% say they put “some” effort into their protection, and 19% say they put in “not much” or no effort at all.

But data is in demand, and Henderson encourages travelers to recognize this. “Understand that your data is valuable,” he says. “That’s something that a lot of consumers miss.” If people accept their data has value, he continues, they’re more likely to protect it.

“Luckily, it’s very easy to try and avoid that stuff happening anymore,” says Kujawa, who recommends prepaid credit cards for those worried about having numbers stolen on the road. But that’s not all travelers can do to protect their data: Malwarebytes advises travelers to buy shields for contactless payment cards so they can transport them without leaking information. It’s also smart to back up data on all devices coming on the journey; this way, if anything is stolen, the information isn’t lost.

Lone Wolf Scammer Built a Multifaceted BEC Cybercrime Operation

Lone Wolf’ Scammer Built a Multifaceted BEC Cybercrime Operation

Kelly Jackson Higgins

A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud.

This wasn’t the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. As with the first incident in August 2018, three months later Agari’s software tool flagged a suspicious email meant for its CFO, Raymond Lim, that posed as a supplier requesting a wire transfer for an invoice payment.

Agari researchers played along with the scammers as they had done in the August incident, impersonating the CFO’s administrative assistant and stringing them along for about a month, gathering intel on the people and operation behind the November emails. The researchers were able to identify the BEC attackers as a Nigeria-based cybercrime gang they nicknamed Scattered Canary, a group of some 35 individuals they believe may be a subgroup of an even larger criminal organization.

They discovered that this group wasn’t just sending BEC emails to make money. Scattered Canary also conducts romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, and tax schemes, among other online cons.

“What we recognized when we looked at this group … was that BEC is just one type of attack these guys use at any given time. There can be dozens of [different] scams they can be doing [simultaneously],” says Crane Hassold, senior director of threat research at Agari.

The researchers kept in touch with Scattered Canary for a couple more months and were able to obtain from them eight mule accounts, which they then passed on to law enforcement as well as to financial organizations to help shut down the money-laundering.

Agari traced back the group’s founding, which began in 2008 when a lone individual, who they dubbed “Alpha,” ran rudimentary but lucrative Craigslist scams that duped victims into wiring him money or mailing him cashier’s checks for items sold on the forum. Alpha then expanded into romance scams and brought on a fellow fraudster (“Beta”). The pair laundered their pilfered funds via money mules and then ultimately set their sights on bigger targets, mainly businesses and government agencies via BEC scams, the centerpiece of the group’s operation today. In the past two years, the group doubled in size as it harvested new mule accounts and expanded into other crimes, such as tax return fraud.

Scattered Canary’s scams are rooted in pure social engineering: no malware required.

“We’ve not seen Scattered Canary using malware,” says Ronnie Tokazowski, senior threat researcher at Agari. “They are using compromised RDP [remote desktop protocol] credentials and compromised websites to host phishing kits,” but they don’t have a full-blown hacking infrastructure per se, he explains. Scattered Canary mostly employs specific scam scripts and templates they copy and paste in emails they send to their targeted victims.

BEC and email compromise scams have been on the rise worldwide: The FBI Internet Crime Complaint Center last year received more than 20,000 reports from victims who lost more than $1.2 billion to these scams. Interestingly, in the US, half of BEC victims actually recovered 99% of their money, according to Verizon’s “Data Breach Investigations Report.” Barely 10% of them didn’t recover any of their money in the scams. But it only takes a few successful hits to be lucrative. As Verizon points out in its report, even if just 1% of 1,000 BEC attacks are successful, the BEC scammer can still net thousands of dollars.

London Blue Calling
Prior to the November incident, Agari researchers turned the tables on a BEC scam on Aug. 7, 2018, when their email security platform caught a BEC email sent to CFO Lim that posed as Agari CEO Ravi Kahtod. The team was able to extract enough information from their email interactions with the attackers to pinpoint the physical location of two of the main operators of the gang, who live and work in London.

London Blue at the time had 20 to 25 individuals, including 17 money mules spread around the US and Western Europe.

But Scattered Canary is a much larger operation than London Blue, according to Agari. “Scattered Canary is likely an arm of a bigger entity. We are still trying to research that a little more heavily,” Hassold notes.

Scattered Canary over time had adjusted and reset its tactics. For example, after years of spoofing a targeted company’s domain, the group began employing webmail or other email accounts in the fall of 2016. They also take advantage of how Google doesn’t spot periods in email addresses — badscammer007@gmail.com and bad.scammer.007@gmail.com, for example, are seen by Gmail as the same address, according to Agari’s report. “This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website,” the company states in its recently published report on Scattered Canary.

A recent Cisco Systems report found that two-thirds of BEC scams employ free webmail and 28% use registered domains.

Meanwhile, starting in July 2018, Scattered Canary shifted from wire transfers to gift cards as a way to cash out its stolen funds. They duped business victims with emails purportedly from the CEO asking them to purchase Amazon and Apple iTunes gift cards. “Like other scammers involved in gift card BEC scams, Scattered Canary laundered the gift cards they received from victims through a peer-to-peer online cryptocurrency exchange called Paxful,” Agari wrote in its report on the gang. Scattered Canary was able to get 132 gift cards from victims valued at two bitcoin apiece on Paxful, or some $12,000 to $14,000.

The BEC gang halted the gift card cashout approach in November 2018 when the price of bitcoin dropped.

Hassold says it’s possible well-established cybercrime organizations in Eastern Europe and Russia could pivot to BEC scams as well. Given their size and resources, those gangs could perform even more convincing attacks.

“The ROI for BEC is significantly higher than any of the other more technical cyberattacks. I think that’s going to be the next step. We’ll see other groups move into this space,” Hassold says, which will mean more professional and difficult-to-spot BEC emails.

Cybercriminals already have been moving away from pricey zero-day attacks to lower-tech, cheaper weapons, such as malware-laden file attachments. “They’re going back to basics. I don’t need to develop an 0-day if I can put a macro in a Word file and a victim will click on it,” Agari’s Tokazowski notes. Hassold recommends that organizations include social engineering in their cyberthreat training and conversation in order to defend against BEC and other email-borne scams targeting businesses today.

“These nontechnical type attacks are now the predominant mode of cyberattacks today,” he says. “This is the type of attack employees will see, so they should include them in education and awareness training.”

Related Content


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …