7 Truths About BEC Scams

7 Truths About BEC Scams

Business email compromise attacks are growing in prevalence and creativity. Here’s a look at how they work, the latest stats, and some recent horror stories.

Last summer, the US Federal Bureau of Investigations (FBI) sounded a loud alarm for organizations about the growing danger of business email compromise (BEC) scams. At that time, the FBI said BEC fraud had cost organizations worldwide $12 billion in losses since 2013.

Since then, the threat has continued to grow more dire. Security industry researchers have shown BEC scams are increasing in scope and complexity as attackers perfect their attack playbooks to target an increasing number of victims around the globe.

Here, Dark Reading takes a look at how BEC scams work, the latest statistics on BEC prevalence, and some recent BEC horror stories that should help security professionals and users prepare themselves for this growing class of fraud.

How BEC Works

BEC scams vary, but the general commonality is that they go after well-placed individuals — those who control financial accounts — at both large and small organizations with very targeted spear-phishing attacks. Typically using either email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department. They’ll then convince the mark to either transfer money to a fraudster or change details in an existing financial transaction to benefit themselves.

The Fraudulent Activity

Some of the actions the bad guys are trying to trigger include getting their targets to transfer money to an account supposedly held by the company to cover a confidential transaction, paying a phony “unpaid” invoice, or diverting payroll for employees on auto-pay. The scenarios are plentiful, only limited to the creativity of attackers in coming up with a convincing social engineering “hook” that makes sense for whomever the target may be. In many cases, these transactions are sizable, and attackers will do considerable research to come up with a plausible, tailored story. 

Crooks Making a Mint

The crooks are making a fortune on these fraudulent transfers, fully embracing the philosophy of the “bigger the lie, the more believable it is” and, in many cases, convincing victims to transfer millions of dollars at a time. Last year a European cinema chain fell victim to a BEC attack that bilked $21.5 million in a series of transfers over the course of a month. The attackers targeted a Dutch regional executive at the firm by posing as the French CEO of the company that supposedly needed funds transferred for an acquisition.

According to security experts such as Crane Hassold, senior director of threat research at Agari, the upside for BEC attackers is huge because, in many cases, it takes very little technical acumen or infrastructure to carry out their attacks. As such, they expect the bad guys to continue flocking to BEC.

“The ROI for BEC is significantly higher than any of the other more technical cyberattacks,” Hassold told Dark Reading. “I think that’s going to be the next step. We’ll see other groups move into this space.”

Significant BEC Increases in the Past Year

That phenomenon of growing awareness from the bad guys is already making itself apparent in recent statistical analysis of BEC attack trends. According to a report earlier this spring by Proofpoint, the number of BEC attacks per targeted organization increased 476% year-over-year in the last quarter of 2018. Meantime, Mimecast found in its 2019 annual report on email security that impersonation and BEC attacks increased by 67%, with 73% experiencing direct losses.

That last point is important to remember, as BEC losses aren’t from damages to systems, downtime, or lost productivity. Instead, these are losses of cold, hard cash. All told, the FBI said that the known total losses for BEC equaled $2.7 billion in 2018

BEC Scammers Love Targeting CFOs and Financial Gatekeepers

While the types of victims vary from case to case, one thing is certain: The bad guys love to go after CFOs and other financial gatekeepers. In fact, one recent report showed that a multinational gang of attackers conducting BEC campaigns would actually seek out companies that sell contact information to marketers about CFOs to fuel its social engineering targeting efforts. This group not only uses the common “unpaid vendor” story to trick victims, but also other subterfuge, such as pretending to be an executive trying to conduct M&A activity who urgently needs a down payment so as not to jeopardize the deal.

From 419 to BEC Scams

A brand new research report from Agari found that for some cybercriminal games, BEC attacks are just a part of the bad guy’s well-balanced breakfast of fraudulent schemes. It highlighted one group called Scattered Canary, which initially started about 10 years ago by a lone Nigerian 419 scammer. Since then it has built up to at least 35 individuals who now make big bucks with BEC scams; they also conduct romance scams, credential harvesting, credit card and check fraud, and tax cons.

No Target Is Sacred

Everyone is fair game for BEC attackers. These criminals have stolen nest eggs from families during real-estate transactions, and just this spring they managed to steal $1.75 million from an Ohio Catholic parishthat was raising money for a church renovation. In that case, the criminals posed as a construction company the church was working for, claiming it had missed payments on the project.

Ericka Chickowski

Tracing the Supply Chain Attack on Andriod

JUN 19

Tracing the Supply Chain Attack on Android

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” () is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]combuydudu[.]comkelisrim[.]comopnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.

A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to a yehuo@blazefire.net. For the remainder of this post, we’ll focus on the bolded domain names below:

Domain Name      Create Date   Registrar
2333youxi[.]com 2016-02-18 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com 2000-08-24 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net 2010-11-22 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com 2015-03-09 GODADDY.COM, LLC
jyhxz.net 2013-07-02 —
longmen[.]com 1998-06-19 GODADDY.COM, LLC
longmenbiaoju[.]com 2012-12-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com 2013-10-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net 2014-01-20 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD

Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]comis the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”

Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and soon changed to Shanghai Blazefire as the owner.

The offices of Shanghai Quianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.

The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd.  According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Quianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.

“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016.  “The company is mainly engaged in mobile phone pre-installation business.”

That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:

-Crack the restrictions imposed by the manufacturer on the mobile phone.
-Research and master the android [operating] system
-Reverse the root software to study the root of the android mobile phone
-Research the anti-brushing and provide anti-reverse brushing scheme


Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net“.

Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.

“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”

Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.

The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”

It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.

According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.

Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.

It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.


6 Security Scams Set to Sweep This Summer

6 Security Scams Set to Sweep This Summer

Kelly Sheridan

Experts share the cybersecurity threats to watch for and advice to stay protected.

We look forward to summer’s warm weather, travel plans, and maybe some added relaxation. Cybercriminals look forward to summer’s new opportunities for scams and targeted attacks.

Seasonal threats aren’t new; for example, the holiday season typically brings phishing attacks in the form of fake package deliveries and fraudulent gift cards. Similarly, summertime, which drives an increase in flights and hotel stays, should put people on high alert for a wave of related scams.

Travelers taking time away from work and home are often too busy planning their vacations to protect their devices and data, but there’s no downtime for cyberattackers. Hackers are getting more advanced in their techniques to capture information, and they’re taking a closer look at the travel industry, targeting hotel chains and airlines with data breaches to capture loyalty program numbers, payment card data, and other personally identifiable information (PII).

But travel scams aren’t the only security threats to worry about this summer. Here, security experts weigh in on threats that should be top-of-mind for consumers and employees alike. Any threats you’re worried about that aren’t listed here? Feel free to share them in the Comments, below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Travel Security: Confidence Is Higher Than Deserved

In research released late last month, IBM discovered a disconnect between survey respondents’ confidence in their security practices and their actual security habits while on the road. One-quarter say they are “very” or “extremely” confident in their abilities to protect themselves from cybercrime while traveling; 37% say they’re “somewhat” confident. Only 16% and 9% say they’re “a little” or “not at all” confident, respectively.

But when asked about their travel habits, 24% of these confident respondents admit to connecting to public Wi-Fi networks every time they travel on business; 22% do the same on all personal trips. More than 25% bring and use a device containing confidential or sensitive work-related data when they travel for work; 16% do the same when traveling for pleasure. Nearly 20% of seemingly security-savvy travelers charge devices via public USB ports or charging stations when traveling for business; 17% do the same when they’re on vacation.

More than 70% of Americans have engaged in a higher-risk travel behavior – connecting to public Wi-Fi, for example, or charging on a public USB station – regardless of whether they’re traveling for business or pleasure. Charles Henderson, global managing partner at IBM and head of X-Force Red, points to another trend: “Very often, consumers treat work information differently than they treat personal information,” he says.

In addition, people are more likely to protect their own data than corporate trade secrets, a common issue faced by CISOs, he says. It is worth noting respondents travel far more frequently for personal than business reasons. Only 26% report traveling for work, while 84% say they primarily travel for personal reasons.

Seasonal Scams Turn Political

It’s not new for cybercriminals to capitalize on major events with phishing campaigns; we’ve previously seen this in Olympic Destroyer and World Cup-themed attacks. It is helpful, however, to know which trends are top-of-mind. This summer, it’s the 2020 presidential campaign.

“Obviously, political alliances and political leanings are something that’s useful in trying to get people,” says Adam Kujawa, director of Malwarebytes Labs.

Leading into the 2020 campaign, we’ll likely see several attempts by cybercriminals locally based in the US or Western countries. Will disinformation manifest in social media campaigns, as it did during the 2016 elections? Not necessarily. After social media came under a harsh spotlight following the last presidential campaign, Kujawa thinks criminals spreading gossip and disinformation will turn to phishing.

“These are the kind of focused attacks we see more against consumers,” he adds. Still, it’s important for employees to be aware of threats that could potentially arrive in their inboxes.

Loyal to Fraud

Cybercriminals are ramping up with attacks against travel companies. In recent years we’ve seen massive breaches at Marriott/StarwoodCathay Pacific, and British Airways. “The travel industry as a whole has been targeted much, much more,” IBM’s Henderson says, because it “has the trifecta of data criminals care about.”

This includes PII (names, passports, driver’s license numbers, birthdates), payment card data, and loyalty numbers. It’s an emerging trend for cybercriminals, he explains. “Loyalty programs, and loyalty fraud, is huge,” Henderson says. Rewards numbers for airlines and hotels are located on boarding passes and baggage tags. Cybercriminals have their eyes peeled, as points can be cashed in for free flight tickets and hotel stays, Henderson explains.

And because rewards customers are considered VIPs, hotels and airlines try to avoid inconveniencing them and often don’t pressure them for details if they call in with a loyalty program number. This makes it easy for criminals, armed with a loyalty program number, to pretend to be someone else and walk away with free flights or hotel stays.

“They don’t want to be the inconvenient travel airline or hotel,” says Henderson, who points to a need for industry standards around traveler protection with respect to loyalty programs. He also advises companies in the travel industry to test what a breach looks like, so they can more effectively detect and respond to incidents when they occur.

Summertime Employment Scams

Job hunters should be aware of multiple variations of employment scams during the summer months, says Adrien Gendre, chief solution architect at Vade Secure. These impersonate companies of all sizes and industries, and while they happen year-round, they’re most prevalent during the summer months and at year’s end when people are job hunting.

Some scams arrive in the form of fake job offers appearing to come from recruiters at large companies. They invite recipients to join a job search database by downloading a free application, which is laced with malware. Others are deceptive spam emails, which claim to offer available jobs but redirect recipients to a fraudulent site. There are also LinkedIn phishing attempts, which try to manipulate people into sharing data or downloading malware.

“The topics of LinkedIn phishing emails range from bogus connection requests to fake job offers, with the goal of harvesting credentials and other personal information or installing malware,” Gendre says.

He advises employees to be logical: If something seems too good to be true, it likely is. “For instance, large, well-known companies typically have candidates flocking to them, so why would they need to blindly email people who may or may not have the necessary experience?” he says.

Further, think twice if an alleged recruiter demands an immediate response. Yes, you have to move quickly to land a dream job – but that’s exactly what the attacker wants.

Watch Your Wi-Fi

Travelers have a nasty habit of hunting down free Wi-Fi before and after their flights. Attackers are taking advantage, IBM’s Henderson says, and using this behavior to inform their strategies. Many have started to bring their own Wi-Fi hotspots and/or sting rays (fake cell towers designed to intercept data between devices and the Internet) into airports, hoping travelers will connect. While cybercriminals target travel companies year-round, they’re more likely to target travelers during peak times of the year.

“If you notice a behavior in travelers, you’re going to target it in the form of crime,” he explains. The airport is an interesting place because people who are getting off a flight and didn’t want to pay for in-flight Wi-Fi want to catch up with the world as soon as they land. Similarly, people whose devices are running low on battery are quick to plug into any USB charging port without stopping to think the connection could be malicious.

Malwarebytes Labs’ Kujawa also points to the risks associated with not only rogue hotspots, but public Internet. “Public Wi-Fi, combined with auto-connecting on devices, is a huge security vulnerability, in my opinion,” he says.

Travelers should be aware of when their devices connect to public Wi-Fi networks at Starbucks or McDonald’s, which can happen without their agreement. “That’s an easy way to not even be aware the information’s traveling over the network,” he adds.

Targeted in Transit

More than half of the respondents in IBM’s research are “very” or “extremely” concerned their credit cards or other sensitive information will be stolen while traveling, while about 31% say they are similarly concerned about this type of data theft at home. Nearly 40% say they put “a great deal” or “extreme amount” of effort into protecting digital data while traveling, 32% say they put “some” effort into their protection, and 19% say they put in “not much” or no effort at all.

But data is in demand, and Henderson encourages travelers to recognize this. “Understand that your data is valuable,” he says. “That’s something that a lot of consumers miss.” If people accept their data has value, he continues, they’re more likely to protect it.

“Luckily, it’s very easy to try and avoid that stuff happening anymore,” says Kujawa, who recommends prepaid credit cards for those worried about having numbers stolen on the road. But that’s not all travelers can do to protect their data: Malwarebytes advises travelers to buy shields for contactless payment cards so they can transport them without leaking information. It’s also smart to back up data on all devices coming on the journey; this way, if anything is stolen, the information isn’t lost.

Lone Wolf Scammer Built a Multifaceted BEC Cybercrime Operation

Lone Wolf’ Scammer Built a Multifaceted BEC Cybercrime Operation

Kelly Jackson Higgins

A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud.

This wasn’t the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. As with the first incident in August 2018, three months later Agari’s software tool flagged a suspicious email meant for its CFO, Raymond Lim, that posed as a supplier requesting a wire transfer for an invoice payment.

Agari researchers played along with the scammers as they had done in the August incident, impersonating the CFO’s administrative assistant and stringing them along for about a month, gathering intel on the people and operation behind the November emails. The researchers were able to identify the BEC attackers as a Nigeria-based cybercrime gang they nicknamed Scattered Canary, a group of some 35 individuals they believe may be a subgroup of an even larger criminal organization.

They discovered that this group wasn’t just sending BEC emails to make money. Scattered Canary also conducts romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, and tax schemes, among other online cons.

“What we recognized when we looked at this group … was that BEC is just one type of attack these guys use at any given time. There can be dozens of [different] scams they can be doing [simultaneously],” says Crane Hassold, senior director of threat research at Agari.

The researchers kept in touch with Scattered Canary for a couple more months and were able to obtain from them eight mule accounts, which they then passed on to law enforcement as well as to financial organizations to help shut down the money-laundering.

Agari traced back the group’s founding, which began in 2008 when a lone individual, who they dubbed “Alpha,” ran rudimentary but lucrative Craigslist scams that duped victims into wiring him money or mailing him cashier’s checks for items sold on the forum. Alpha then expanded into romance scams and brought on a fellow fraudster (“Beta”). The pair laundered their pilfered funds via money mules and then ultimately set their sights on bigger targets, mainly businesses and government agencies via BEC scams, the centerpiece of the group’s operation today. In the past two years, the group doubled in size as it harvested new mule accounts and expanded into other crimes, such as tax return fraud.

Scattered Canary’s scams are rooted in pure social engineering: no malware required.

“We’ve not seen Scattered Canary using malware,” says Ronnie Tokazowski, senior threat researcher at Agari. “They are using compromised RDP [remote desktop protocol] credentials and compromised websites to host phishing kits,” but they don’t have a full-blown hacking infrastructure per se, he explains. Scattered Canary mostly employs specific scam scripts and templates they copy and paste in emails they send to their targeted victims.

BEC and email compromise scams have been on the rise worldwide: The FBI Internet Crime Complaint Center last year received more than 20,000 reports from victims who lost more than $1.2 billion to these scams. Interestingly, in the US, half of BEC victims actually recovered 99% of their money, according to Verizon’s “Data Breach Investigations Report.” Barely 10% of them didn’t recover any of their money in the scams. But it only takes a few successful hits to be lucrative. As Verizon points out in its report, even if just 1% of 1,000 BEC attacks are successful, the BEC scammer can still net thousands of dollars.

London Blue Calling
Prior to the November incident, Agari researchers turned the tables on a BEC scam on Aug. 7, 2018, when their email security platform caught a BEC email sent to CFO Lim that posed as Agari CEO Ravi Kahtod. The team was able to extract enough information from their email interactions with the attackers to pinpoint the physical location of two of the main operators of the gang, who live and work in London.

London Blue at the time had 20 to 25 individuals, including 17 money mules spread around the US and Western Europe.

But Scattered Canary is a much larger operation than London Blue, according to Agari. “Scattered Canary is likely an arm of a bigger entity. We are still trying to research that a little more heavily,” Hassold notes.

Scattered Canary over time had adjusted and reset its tactics. For example, after years of spoofing a targeted company’s domain, the group began employing webmail or other email accounts in the fall of 2016. They also take advantage of how Google doesn’t spot periods in email addresses — badscammer007@gmail.com and bad.scammer.007@gmail.com, for example, are seen by Gmail as the same address, according to Agari’s report. “This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website,” the company states in its recently published report on Scattered Canary.

A recent Cisco Systems report found that two-thirds of BEC scams employ free webmail and 28% use registered domains.

Meanwhile, starting in July 2018, Scattered Canary shifted from wire transfers to gift cards as a way to cash out its stolen funds. They duped business victims with emails purportedly from the CEO asking them to purchase Amazon and Apple iTunes gift cards. “Like other scammers involved in gift card BEC scams, Scattered Canary laundered the gift cards they received from victims through a peer-to-peer online cryptocurrency exchange called Paxful,” Agari wrote in its report on the gang. Scattered Canary was able to get 132 gift cards from victims valued at two bitcoin apiece on Paxful, or some $12,000 to $14,000.

The BEC gang halted the gift card cashout approach in November 2018 when the price of bitcoin dropped.

Hassold says it’s possible well-established cybercrime organizations in Eastern Europe and Russia could pivot to BEC scams as well. Given their size and resources, those gangs could perform even more convincing attacks.

“The ROI for BEC is significantly higher than any of the other more technical cyberattacks. I think that’s going to be the next step. We’ll see other groups move into this space,” Hassold says, which will mean more professional and difficult-to-spot BEC emails.

Cybercriminals already have been moving away from pricey zero-day attacks to lower-tech, cheaper weapons, such as malware-laden file attachments. “They’re going back to basics. I don’t need to develop an 0-day if I can put a macro in a Word file and a victim will click on it,” Agari’s Tokazowski notes. Hassold recommends that organizations include social engineering in their cyberthreat training and conversation in order to defend against BEC and other email-borne scams targeting businesses today.

“These nontechnical type attacks are now the predominant mode of cyberattacks today,” he says. “This is the type of attack employees will see, so they should include them in education and awareness training.”

Related Content


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … 

Baltimore Ransomware Attack Takes Strange Twist

Kelly Jackson Higgins

Kelly Jackson Higgins

Tweet suggests possible screenshot of stolen city documents and credentials in the wake of attack that took down city servers last week.

A mysterious and newly created Twitter account on May 12 posted what purports to be a screenshot of sensitive documents and user credentials from the city of Baltimore, which was hit late last week by a major ransomware attack.

Researchers at Armor who have been investigating the so-called Robbinhood ransomware malware used in the attack on the city discovered the post. They say it could either be from the attacker, a city employee, someone with access to the documents — or even be just a hoax. The city is still recovering from the May 7 attack, which has disrupted everything from real estate transactions awaiting deeds, bill payments for residents, and services such as email and telecommunications.

Ransomware attacks typically are all about making money: Attackers demand a fee to decrypt victims’ files they have accessed and encrypted. Whether the tweet came from the attackers trying to put the squeeze on the city to pay up or threatening to abuse the kidnapped information is unclear.

City officials previously have said they have no plans to pay the ransom. “I think the mayor was very clear: We’re not paying a ransom,” said City Council president Brandon Scott in an interview yesterday on a local CBS affiliate.

Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU), discovered the Twitter post appearing to taunt or threaten Baltimore officials. He says he’s not sure whether the tweet came from the actual attackers. “They are trying to make a statement … and to show that they not only were able to encrypt major portions of network of the city …. but they have a lot of internal access,” as well, if the documents in the screenshot are legitimate, Sifford says.

Armor today will post a blog with an obfuscated shot of the tweet and account to ensure the City of Baltimore gets the chance to change the posted usernames and passwords if, indeed, they are legit.

Dark Reading has viewed the full Twitter account and post but is only publishing the obfuscated information.

Source: Armor

Source: Armor

Meanwhile, the Robbinhood attackers in their ransom note demanded $17,600 in bitcoin per system — a total of about $76,280, according to analysis by Armor. The bitcoin wallet for the ransom for the city had not been used at this time, the researchers say, indicating the city has kept its vow not to pay.

Most of Baltimore’s servers were shut down as officials investigated the attack last week, but its 911 and 311 systems were not hit, according to reporting by The Baltimore Sun. When the attack was spotted, employees at City Hall were told to unplug Ethernet cables and shut down their computers and other devices to stem the spread of the malware, Baltimore city councilman Ryan Dorsey told the Sun.

Efforts today to reach some Baltimore city officials, including the office of the city’s newly named mayor, Bernard C. Jack Young, were unsuccessful in several cases, in part because email is down for many employees, and several departments are instead using Google Voice voicemail to get messages.

A spokesperson for Baltimore City Council Member Zeke Cohen, with whom Dark Reading was able to contact, said Cohen’s office did not have any information on the tweet, nor could they verify whether the information and documents in the screenshot are from the information encrypted by the ransomware attackers.

Security expert John Bambenek, director of cybersecurity research at ThreatStop, says the tweet looks relatively legitimate. “Either someone spent real effort trying to find documents from public sources or it’s our guy. Either way, he just put himself on the menu for the FBI if he’s not,” Bambenek says.

‘Hurry Up!’
Armor said the Robbinhood ransom note also warns the city not to call the FBI, or risk the attackers going away and leaving the files encrypted. “We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the ransom note said, specifying payment within four days or the fee would increase. After 10 days, the data would no longer be recoverable, the note said, according to Armor.

“We won’t talk more. All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!” the note read, according to Armor.

The same ransomware recently hit the city of Greenville, N.C., as well as several power companies in India last month, according to the security firm.

Meanwhile, Baltimore’s ransomware attack is one of 22 against state and local government entities so far in 2019, Armor notes. Other victims including Washington, Pennsylvania; Amarillo, Texas; Cleveland Airport, Cleveland, Ohio; Augusta City Center, Augusta, Maine; Stuart, Florida; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Jackson County, Georgia; Schools System of Taos, New Mexico; Del Rio, Texas; Atlanta, Georgia; and Leominster, Massachusett

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Think Your Business Is Too Small to Get Hacked? Wake Up!

Think Your Business Is Too Small to Get Hacked? Wake Up!

Andy Norton

by Andy Norton

digital security small business owners FISixty percent of small- to mid-sized businesses (SMBs) go bankrupt six months after suffering a cyberattack. The risk is simply too great. SMBs need to strengthen their digital security.

UberEquifaxYahoo…if you look only at the headlines, you’d probably think that digital attackers target just large corporations. Many small business owners are of this viewpoint. According to a 2017 survey by Paychex, more than two-thirds (68 percent) of small business owners are not worried about their business being hacked. Not only that, but the same study revealed that 90 percent of small business owners feel at least somewhat confident that their organization could recover from a security incident in the event one happened.

This perspective boils down to the fact that many SMBs don’t feel they’re important enough to suffer a digital attack. As the Huffington Post found in a survey, small businesses reasoned that they’re safe because they don’t store sensitive information. But more than half of organizations admitted to storing email addresses (68 percent), phone numbers (64 percent), and billing addresses (54 percent). Such a disconnect suggests that SMBs don’t understand the value of the personally identifiable information (PII) they currently store.

It also explains why SMBs just aren’t investing in their digital security. This reality became apparent in a 2015 small business technology survey conducted by Time Warner Cable Business Class (TWCBC). In the study, a third of small business owners said that they manage their own network security solutions, while 27 percent disclosed that they don’t use any security solution.

These findings are consistent with those of other studies, including the following:

  • The vast majority of businesses divulged to the Huffington Post that they’re doing little to prepare themselves against online threats. This lack of preparation extends to their dismissal of basic digital security hygiene. For example, just 38 percent of SMBs stated that they upgrade their security solutions and 22 percent encrypt databases.
  • Sixty-five percent of respondents to a 2017 Ponemon Institute report laid bare that they don’t strictly enforce their own password security policies.
  • PwC survey found that companies with less than $100 million in revenue actually reduced their digital security spending. They cut their budgets despite the fact that digital attacks themselves became more numerous than ever over the course of the year.

Clearly, many small- and mid-sized businesses have simply dismissed the notion that they need to worry about digital security. CloudEntr uncovered as much when 60 percent of SMBs said that recent data breaches had no impact on their security policies. It’s, therefore, no surprise that three-quarters of SMBs told IDT911 that they don’t have any cyber insurance. They don’t think they’ll suffer an attack themselves, so why waste resources in protecting themselves in the event that they suffer one?

The Consequences of Treating Digital Security as an Afterthought

Such an inadequate response to digital security threats has had a, well, predictable response. As the U.S. Securities and Exchange Commission found back in 2015, small businesses have increasingly become easier targets for digital attackers than enterprises, as SMBs possess fewer resources with which they can defend themselves against the same types of digital threats targeting large enterprises. This disparity makes SMBs softer targets for online criminals. Indeed, it’s no wonder why data compiled by SCORE showed that almost half of all digital attacks (43 percent) now target small businesses.

Not surprisingly, it’s also bad when one of these digital attacks is successful. Without proper digital security safeguards, bad actors can essentially run through a victim SMB’s network and do whatever they want. And without cyber insurance, SMBs have little chance of recovering from the costs associated with a data breach. That’s why 60 percent of small businesses go bankrupt just six months after suffering a digital attack, as reported by BankInfoSecurity.

The Future of Digital Security for SMBs

Small business owners – you really need to step up your game if you hope to adequately protect your business against digital threats. And we get it, that you wear many hats and security may not be one of them. But you don’t have to figure it all out yourselves and go it alone.

Most SMBs obviously aren’t large enough to have their own security teams, but you can look to the expertise and capabilities of a security services provider that can fulfill your digital security needs. Just don’t go with the first managed security services provider (MSSP) you find. It’s essential to do your research carefully and look for a company that uses an AI-based security solution to monitor the network for suspicious activity while helping its own analysts navigate the growing flood of alerts across their entire client base. Otherwise, as I said before, the volume of alerts will outstrip their capacity to investigate them, increasing the risk that an attack will get past their defenses and reach your business.

That’s where Lastline comes in. Unlike other AI solutions, Lastline blends network traffic analysis with sandboxing to monitor for anomalous behavior and to evaluate these findings for malicious indicators. This technique enables Lastline to provide high-fidelity insights into what’s truly going on without generating false positives that waste the MSSP analysts’ time.

We have selected and trained very high-quality MSSPs to use our software on behalf of their SMB customers. It’s a relationship that could save your business without requiring you to become a security expert so that you can continue to focus on all of the other parts of keeping your business running smoothly.

The post Think Your Business Is Too Small to Get Hacked? Wake Up! appeared first on Lastline.

*** This is a Security Bloggers Network syndicated blog from Blog – Lastline authored by Andy Norton. Read the original post at: https://www.lastline.com/blog/digital-security-is-your-business-is-too-small-to-get-hacked/