Saturday, October 1, 2022

Why BEC Attacks Will Far Surpass Ransomware In 2023


Just last weekend I wrote a blog post in which I touched on how the cyber pundits are already making predictions for 2023.  Although it is still a bit early to tell what could happen, there are two known catalysts out there now that will dominate the threat landscape:

*The Russian annexation of key territories in Ukraine;

*Cyberattackers shifting gears in their tactics.

Now I cannot say too much about the first point, because anything could change in that part of the world.  But I can talk with some certainty about the second one.  After some time, cyberattackers usually change the way in which they launch their threat variants.

There are reasons for this, but one of the primary ones is to keep their identity as elusive as possible.

Another is simply that they are tired of what they are doing at the moment and want to move on to something else.  This really only happens when the profit potential is dissipating, and such is the case with ransomware.

It was the threat variant of choice back in 2020, when the COVID-19 pandemic was at its peak, but this year, as it takes a back seat in the news, the total number of ransomware attacks has actually fallen.

Of course, it is still out there, just not at the magnitude or severity we have seen.  The trend is now shifting in another direction: "Business Email Compromise", or "BEC", attacks.

This is where an employee of a company is sent a phishing-style email, typically crafted to look like it comes from an executive or a trusted vendor, asking the finance or accounting department to wire a hefty sum of money to a third party in order to complete a deal.

The money is sent, and voila, it is gone forever into a phony offshore account.  The scenario I have just depicted is of course a very simplistic one, but those are the essentials of the basic form of the attack.  Just consider some of these stats to show how BEC attacks are on the rise:
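The lure described above has a recognizable shape on the wire: an executive's display name over an address that is not theirs, a Reply-To that quietly points somewhere else, a domain one character off from the real one, no passing DMARC result, and payment language in the body. The following triage routine, added here as an illustration and not code from the original post, checks one raw message for those indicators and returns a verdict. The internal domain, the executive roster and both sample messages are constructed for the demo.

```python
"""Triage an inbound email for classic BEC indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the demo: our own mail domain and a roster of people whose
# names are worth impersonating (both constructed, not from the post).
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Wording that typically accompanies a payment request in a BEC lure.
MONEY_WORDS = re.compile(
    r"\b(wire|transfer|payment|invoice|urgent|confidential|today|deal)\b", re.I
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Return the BEC indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""

    signals = {
        # Display name belongs to an executive but the address is not theirs.
        "exec_impersonation": from_name.lower() in EXECUTIVES
        and from_addr.lower() != EXECUTIVES[from_name.lower()],
        # Replies are silently redirected to a mailbox the attacker controls.
        "reply_to_mismatch": reply_dom != from_dom,
        # Sender or reply domain is within two edits of our real domain.
        "lookalike_domain": any(
            d != INTERNAL_DOMAIN and 0 < edit_distance(d, INTERNAL_DOMAIN) <= 2
            for d in (from_dom, reply_dom)
        ),
        # No passing DMARC result recorded by our own MX.
        "dmarc_not_pass": "dmarc=pass" not in auth,
        # The body reads like a payment request.
        "payment_language": len(MONEY_WORDS.findall(body)) >= 3,
    }
    hold = signals["exec_impersonation"] or signals["lookalike_domain"] or (
        signals["payment_language"]
        and (signals["reply_to_mismatch"] or signals["dmarc_not_pass"])
    )
    return {"signals": signals, "action": "hold_for_callback" if hold else "deliver"}


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jdoe-ceo@webmail.example>
To: accounts.payable@example-corp.com
Subject: Urgent wire - confidential
Authentication-Results: mx.example-corp.com; dmarc=none

I'm in a meeting and can't take calls. Please wire $48,500 today to the
vendor account in the attached invoice so we can close the deal. Keep this
confidential until I announce it.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q4 offsite agenda
Authentication-Results: mx.example-corp.com; dmarc=pass

Agenda attached, see you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_BEC), ("benign", SAMPLE_OK)):
        print(label, triage(raw))
```

The verdict is deliberately "hold for callback" rather than "block": the point is to route the message to someone who phones the purported sender on a number already on file, since a lure that passes every header check can still be a compromised but genuine mailbox.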

*BEC incidents doubled in Q2 of this year, and accounted for 34% of the cases in one incident response dataset;

*Attacks targeting end users have increased by 84%.

More information about these stats can be seen at the following links:

https://arcticwolf.com/resources/blog/incident-response-insights-from-arctic-wolf-labs-1h-2022/

https://abnormalsecurity.com/blog/bec-attacks-increasing-new-research-shows

Also, according to the FBI's 2021 Internet Crime Report, BEC accounted for $2.4 billion of the $6.9 billion in losses reported by American consumers and businesses.  That is roughly 35%, whereas ransomware accounted for a mere 0.7% of the total.  Keep in mind that the report's ransomware figure counts only reported ransom-related losses and excludes downtime, lost business and remediation costs, so the gap in direct dollar losses is real but the comparison is not apples to apples.  More information about this can be seen at this link:

https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

There are numerous reasons cited for why BEC attacks have become so much more popular this year, but four of the most frequently cited are as follows:

1)     BEC payments do not require a virtual currency, unlike a ransomware attack, where Bitcoin is still the preferred means of payment.  It can take a victim time to acquire the virtual currency, whereas a BEC payment is an ordinary wire transfer in real currency that goes out through the victim's normal payment process.

2)     BEC attacks can make use of multiple attack methods.  In the example earlier in this blog we used phishing, but a BEC attack can also be set up through other forms of social engineering: vishing, smishing, robocalls, traditional mail, etc.

3)     Other technological weaknesses are also giving rise to the proliferation of BEC attacks.  Among those cited are the recent weaknesses found in Microsoft Exchange, VMware, and the Remote Desktop Protocol (RDP), which can hand an attacker access to the very mailboxes and internal systems that make a BEC lure convincing.

4)     Cyberattackers are also purchasing PII datasets on the Dark Web for pennies on the dollar.  These can then be used to make social engineering attacks more targeted and convincing.

 

These four findings are summarized in a diagram in the Dark Reading article below (the diagram itself is not reproduced here):

(SOURCE:  https://www.darkreading.com/threat-intelligence/cybercriminals-see-allure-bec-attacks-ransomware)

My Thoughts On This:

With all of these stats now presented, you may be wondering how you can protect yourself and your business from a BEC attack.  Once again, it all comes down to security awareness training.  Keep in mind that a BEC attack is going to focus primarily on one thing:

Directly asking for money.  So the moment your administrative assistant gets an email or a phone call asking for money, they need to stop the conversation immediately and report it to their higher-ups and the IT security team.

Then the request for the money needs to be validated out of band, using a phone number or contact already on file rather than any contact details supplied in the message itself.  If the money has already been sent, your next course of action is to immediately ask your bank to recall the wire and to report the transfer to the FBI, through IC3 and your local field office.  To varying degrees, the FBI has been successful in retrieving money in such attacks, and the odds are far better in the first hours than the first days.

But in the end, it is the finance or accounting department that will send the money if the request is legitimate.  Therefore it is very important that the right controls are in place around outgoing payments, and that the systems involved are kept current with the latest patches and firmware upgrades.

Any and all requests for money transfers should be confirmed with at least two layers of approval, and any new payee or change to a payee's bank details should be confirmed by a call back to a number already on file.  True, this may seem a bit much, but it is one sure-fire way of having a good set of checks and balances in place.

In fact, many financial institutions today have automated alarms in place to warn them of potentially fraudulent activity.  If anything is detected, the transaction is halted until the details can be confirmed.
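The two controls just described, dual approval and a hold until the beneficiary details are confirmed, can be written down as a single release gate that the payment system evaluates before a wire goes out. The gate below is an added example and not code from the original post or from any particular banking product; the vendor master file, the approver names and the requests are all constructed.

```python
"""Release gate for outgoing wires: dual approval plus beneficiary callback (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vendor:
    name: str
    account: str          # account on the vendor master file, set at onboarding
    callback_phone: str   # verified at onboarding; never taken from an email


@dataclass
class PaymentRequest:
    requester: str                 # person entering the payment
    vendor: str
    account: str                   # beneficiary account on this request
    amount: float
    approvers: Set[str] = field(default_factory=set)
    # Who phoned the vendor on the number on file to confirm new/changed details.
    callback_confirmed_by: Optional[str] = None


# Constructed vendor master file (assumption: one known supplier).
VENDOR_MASTER: Dict[str, Vendor] = {
    "Acme Supplies": Vendor("Acme Supplies", "DE89370400440532013000", "+49-30-555-0100"),
}

REQUIRED_APPROVALS = 2   # "at least two layers of approval"


def evaluate(req: PaymentRequest, master: Dict[str, Vendor] = VENDOR_MASTER) -> Tuple[str, List[str]]:
    """Return ("RELEASE", []) or ("HOLD", [reasons]) for one payment request."""
    reasons: List[str] = []

    # Control 1: dual approval by people other than the requester.
    independent = req.approvers - {req.requester}
    if len(independent) < REQUIRED_APPROVALS:
        reasons.append(
            f"needs {REQUIRED_APPROVALS} approvers independent of the requester, has {len(independent)}"
        )

    # Control 2: a new payee, or a payee whose bank details differ from the master
    # file, is exactly what a BEC lure produces; hold until someone calls the
    # number already on file (the requester cannot vouch for their own entry).
    known = master.get(req.vendor)
    new_or_changed = known is None or known.account != req.account
    if new_or_changed:
        if req.callback_confirmed_by is None:
            reasons.append("beneficiary is new or its bank details changed: callback on the number on file required")
        elif req.callback_confirmed_by == req.requester:
            reasons.append("callback must be performed by someone other than the requester")

    return ("HOLD", reasons) if reasons else ("RELEASE", [])


# Constructed requests: the same invoice with the account swapped, as in the post's scenario.
CHANGED_ACCOUNT_NO_CALLBACK = PaymentRequest(
    requester="ap.clerk", vendor="Acme Supplies", account="GB33BUKB20201555555555",
    amount=48_500.0, approvers={"controller", "cfo"},
)
CHANGED_ACCOUNT_WITH_CALLBACK = PaymentRequest(
    requester="ap.clerk", vendor="Acme Supplies", account="GB33BUKB20201555555555",
    amount=48_500.0, approvers={"controller", "cfo"}, callback_confirmed_by="controller",
)
KNOWN_ACCOUNT_ONE_APPROVER = PaymentRequest(
    requester="ap.clerk", vendor="Acme Supplies", account="DE89370400440532013000",
    amount=48_500.0, approvers={"ap.clerk", "controller"},
)

if __name__ == "__main__":
    for r in (CHANGED_ACCOUNT_NO_CALLBACK, CHANGED_ACCOUNT_WITH_CALLBACK, KNOWN_ACCOUNT_ONE_APPROVER):
        print(evaluate(r))
```

The hold on a changed account is the control that actually stops the post's scenario: the attacker's email can carry any story it likes, but it cannot make the account on the request match the one captured at vendor onboarding, and it cannot answer the phone number that was recorded back then.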

In fact, this very situation happened to one of my clients the other day.  They were about to send a wire transfer to a phony bank account.  The only thing that prevented it was the AI and ML detection tooling in place to spot potential fraud.

