RSAC 2016: PhishLabs talks Business Email Compromise attacks


IT Security Thing has returned from a week in San Francisco, where we attended RSAC 2016 for the 25th anniversary year of the world’s biggest IT security conference. At the conference, we met up with Joseph Opacki, VP of threat research, analysis and intelligence at PhishLabs, who spoke about the latest organisational phishing threats, such as Business Email Compromise (BEC).

Opacki, formerly Senior Director of Global Research at iSIGHT Partners and Technical Director of Advanced Digital Forensics in the Operational Technology Division of the FBI (specialising in malware reverse engineering), talked about the recently published ‘Phishing Trends & Intelligence Report: Hacking the Human.’

Researched by the PhishLabs Research, Analysis and Intelligence Division (R.A.I.D), this report is based upon an analysis of more than a million malicious phishing sites hosted upon 130,000+ unique domains. Since 2008, PhishLabs has specialised in investigating phishing attacks (an average of 6,000 per month), identifying their underlying infrastructures in order to get them shut down.

It’s a ‘fighting back’ philosophy that is increasingly gaining traction amongst IT security professionals. By tracking more than 90 threat actor groups, all of whom use spear phishing techniques, PhishLabs is able to mitigate attacks in the most proactive of ways.

The ‘Hacking the Human’ report covers the broad church that is the consumer-focused phishing attack. It’s something we are all used to reading plenty about. Indeed, the vast majority of the report is devoted to this category. Here at IT Security Thing, however, we are more interested in the spear phishing detail.

Business Email Compromise (BEC) attacks were on the rise during 2015

You might argue that we read plenty about this as well. But it rather depends upon how you define the category. PhishLabs chooses the definition of “attacks targeting the assets of a specific organisation; narrowly distributed, customised to each target and often the initial step used by advanced threat actors to penetrate that organisation’s defences.”

The PhishLabs analysis determines that spear phishing remains the primary initial attack vector used by APT actors, although some 22 per cent of attacks analysed during 2015 were reported as being motivated by financial fraud or related crimes. Yet while financial institutions and payment services remained the most highly targeted organisations, when looked at in terms of overall phishing volume share there was a decline across the year.

Not so the number of organisations being targeted with Business Email Compromise (BEC) attacks, for which the PhishLabs analysis noted the largest increase during 2015.

These Business Email Compromise attacks originally got their name as they were associated with employee email accounts being compromised rather than, as is almost always the case today, the sender address being spoofed. Because address spoofing is now so commonplace, it would be more accurate to replace the C for ‘compromise’ in BEC with a C for ‘correspondence’ instead.

Something else that has changed, certainly from the 2014 analysis through to the 2015 one, is the set of BEC TTPs: Tactics, Techniques and Procedures.

The PhishLabs report highlights the main differences between the most commonly seen Business Email Compromise attacks across the two years. These include free email services or compromised organisational accounts being replaced by paid webmail services; the spoofed sender being more likely to be the top executive at the target organisation, rather than any executive at that company or finance personnel at a supplier or vendor; and multiple messages being exchanged instead of a single hit.

Most interesting is the gradual replacement of instructions in an attached PDF with instructions in the body of a follow-up message, and the fact that destinations are more likely to be domestic than residing in Asia.

Not that the 2014 TTPs are extinct. Far from it in the APAC region, for example. But the Business Email Compromise threat has certainly matured elsewhere and in so doing has become a lot more believable and therefore much more dangerous.

According to PhishLabs the reasoning is a simple one: accounts for actioning the fraud are costly, and so are not given up until a positive response is forthcoming. “Most scammers source mule account management to a service which recruits money mules and maintains records,” PhishLabs says.

“Compared to free email services and cheap domain name registrations, mule accounts that receive the fraudulent payments are the single largest investment made by the scammers, often costing more than all other operational overheads combined.”

Targeting for BEC attacks is aimed, comparatively speaking at least, more at smaller organisations where personal requests from the executive team regarding exceptions to standard accounting practice are not seen as so unusual as they might be in larger outfits.

Whatever the size of the target, Business Email Compromise attacks would appear to require precious little effort to research. Business networking sites and publicly available data are typically the cornerstones of data gathering resources.

In many of the cases analysed by PhishLabs, it was determined that full names, titles and email addresses of executives were posted on the organisational website and these, along with consistent (and therefore easily guessable) company-wide email addressing schemes, made spoofing easy enough.

That personal names, email addresses and direct numbers in contact information for accounting or billing departments are often also published just makes a scammer’s job even easier.
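
A defender-side illustration of the executive spoofing described above, added here and not taken from PhishLabs or its report: a mail-gateway style check that flags a known executive's display name on someone else's address, replies diverted to another domain, and the organisation's own domain failing DMARC. The domain, the executive directory and the three sample messages are constructed, and the check assumes the receiving gateway stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumed defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed: name -> real address

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return the BEC indicators found in the headers of one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "")
    addr = addr.lower()
    findings = []
    # A known executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr != real:
        findings.append("exec-name-address-mismatch")
    # Replies diverted to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to-domain-differs")
    # Our own domain in From, but the gateway recorded a DMARC failure.
    if _domain(addr) == ORG_DOMAIN and re.search(r"\bdmarc=fail\b", auth, re.I):
        findings.append("org-domain-dmarc-fail")
    return findings

def _mail(*headers):
    # Build a constructed sample message from header lines.
    return "\n".join(headers) + "\n\nConstructed sample body.\n"

LEGIT = _mail("From: Jane Doe <jane.doe@example.com>", "To: ap@example.com",
              "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com")
NAME_SPOOF = _mail('From: "Jane Doe" <jane.doe.ceo@mail.example.net>', "To: ap@example.com",
                   "Authentication-Results: mx.example.com; dmarc=pass header.from=mail.example.net")
ADDR_SPOOF = _mail("From: Jane Doe <jane.doe@example.com>", "Reply-To: jane.doe@example.org",
                   "To: ap@example.com",
                   "Authentication-Results: mx.example.com; dmarc=fail header.from=example.com")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("name spoof", NAME_SPOOF), ("address spoof", ADDR_SPOOF)):
        print(label, bec_indicators(raw))
```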

For 2016, PhishLabs warns that one of the fastest growing BEC variants is that of a merger and acquisition ploy which reinforces the need for secrecy and so diminishes the chances of discovery through organisational in-house communication. These, along with the commonplace use of quoted conversations with lawyers, have been successful in extracting multiple payments in cases seen so far.

It’s not all bad news though. Forewarned is forearmed. Be aware of the Business Email Compromise risk and ensure that all employees are as well. PhishLabs, for its part, is continuing to help law enforcement authorities in identifying mule accounts as part of a BEC threat disruption strategy.

You can download the full ‘2016 Phishing Trends & Intelligence Report: Hacking the Human’ here.