
Tag: business email compromise

Nigerian BEC Scams Hit 500 Companies in 50 Countries

A Kaspersky Lab report on Thursday said an especially potent Nigerian Business Email Compromise campaign has stolen sensitive data from over 500 companies in 50 countries.

Nigerian phishing: Industrial companies under attack

In late 2016, the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team reported on phishing attacks that were primarily targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors.

As further research demonstrated, this was just part of a bigger story that began much earlier and is unlikely to end any time soon.

Business Email Compromise Scams Continue to Grow With $5.3B in Losses

The FBI revises its figures on the impact of Business Email Compromise, revealing a significant spike in reported attacks during 2016.

FBI says email scammers stung businesses for $5bn over 4 years

British and Asian banks fingered for following the money

The FBI has issued figures about how much scammers using business email compromise (BEC) have netted, and the totals are fairly frightening.…

Business Email Compromise Losses Up 2,370 Percent Since 2015

The FBI says Business Email Compromise scams are growing at astronomical rates, and businesses have lost $5.3 billion since 2013; $346 million in the U.S. alone in the second half of 2016.

Hacking the Business Email Compromise

BEC attacks are on the rise, but plain-old spoofing of business executives' email accounts remains more prevalent.

Hacker Accused of Carrying Out Business Email Scam Netting $100M

The long arm of the law tracks down a lone hacker who allegedly used a business email compromise attack to steal $100 million from two U.S. companies.

Turning Tables on Nigerian Business Email Scammers

Researchers from Dell SecureWorks infiltrated a Nigerian business email spoofing and business email compromise operation, shutting down a number of money mule accounts in the process.

Trend Micro Says Cyber-Attacks Will Continue Unabated in 2017

By Don Reisinger | Posted 2016-12-07

Trend Micro Predicts More Sophisticated Cyber-Attacks in 2017

Security software company Trend Micro says cyber-attacks on enterprise networks and the internet of things will only grow in volume and sophistication in 2017.

Ransomware Will Start to Level Off

The number of ransomware families is expected to “plateau” at some point during 2017, according to Trend Micro. However, compared to 2016, the number targeting individuals and companies will grow by 25 percent. That translates to an average of 15 new ransomware families discovered each month and should result in cybercriminals hitting more and bigger targets.

The Internet of Things Becomes a Hacker Haven

Connected devices will be important tools for hackers in 2017. Trend Micro predicts hackers will use IoT devices as “sleeper agents” that they’ll pool together for much larger attacks against important infrastructure, launching “massive DDoS attacks” via the devices. They’ll also try to take down wide swaths of the internet and “pummel” major organizations.

Email Scams Will Be On the Rise

Email-based scams will soar in 2017, since they’re simple to launch and can deliver high returns on a small investment, Trend Micro claims. Hackers, therefore, are expected to boost the number of email attacks on companies and individuals dramatically, and their efforts could net them billions of dollars. A single business email compromise can net hackers $140,000, according to Trend Micro.

Watch Out for Business Process

Sophisticated hackers will be looking at ways to take advantage of the way financial institutions process business transactions in 2017. Trend Micro believes hackers will first target a financial institution’s email or network and modify processes to redirect cash and payments to their own accounts. The average business process attack on a financial institution could net the hackers upwards of $81 million, according to Trend Micro.

Adobe, Microsoft, Apple Under Attack

Adobe has long suffered from security flaws in its software, and Trend Micro believes that will continue into 2017. However, the company also says security researchers will discover dozens of flaws in Apple and Microsoft products next year that could put company data at risk. Still worse, Trend Micro predicts that security improvements made by Microsoft, Adobe and Apple next year could make it even more difficult for researchers to detect attacks.

Cyber-Propaganda Is a Rising National Security Threat

Trend Micro believes the recent trend of fake news impacting opinions around the world won’t let up in 2017. As more people around the world come online, the company notes, they’ll be sharing fake news to peddle influence. The move also might net them some cash.

Security Administrative Costs Will Soar

Any company that captures and stores the personal data of people living in the European Union will incur additional costs next year. Under new regulations outlined by the EU, companies will need to keep stored data safe and secure. By 2018, when the regulations go into effect and stringent privacy is expected, companies could pay up to 4 percent of their global revenue for failing to comply. Next year, therefore, could be a costly year as companies around the world ramp up their user database security.

New Threats to Worry About

While companies have faced all of the aforementioned threats in 2016, Trend Micro warns more threats are coming. Attackers will deliver new payloads and might circumvent the protections companies already have in place across their network infrastructure, as hackers, Trend Micro says, have become “more seasoned.” Corporate network infrastructure, however, has “remained largely the same.” That could be a recipe for trouble.

Applying Machine Learning for Protection

Although machine learning to combat security threats is nothing new, it could prove to be a critical component in fighting next year’s threats. When companies properly deploy machine learning through a layered system that has both human- and computer-provided inputs flowing through mathematical algorithms, the company says, their chances of fending off threats are higher. Effective machine learning, in other words, could mean the difference between a secure system and dealing with a hack.

How to Catch Zero-Day Threats

When it comes to zero-day threats, there’s little companies can do to protect themselves. However, to maximize their ability to sidestep threats, companies must continually monitor network behavior and integrity, according to Trend Micro. In addition, the company notes, sandboxing could prove effective in stopping threats from spreading across a network.

Companies around the world are under constant cyber-attack. Cyber-criminals in 2016 were able to target companies on several fronts, hitting them with distributed denial of service (DDoS) attacks that knocked their web applications offline and cut them off from their customers for hours at a time. They used phishing attacks to dupe employees into disclosing network login information so they could break in and steal data and trade secrets. Unfortunately, security software company Trend Micro says things won’t change very much in 2017. Rather, Trend Micro’s cyber-threat predictions for the New Year suggest hackers will increase their attacks on mobile platforms and the internet of things (IoT). They also will continue their practice of scamming employees with worthless spam emails and phishing messages. In addition, Trend Micro believes an emerging threat known as cyber-propaganda could be used to foment unrest and destabilize national governments. All the while, hackers are expected to rake in billions of dollars from their activities.

This slide show will cover Trend Micro’s predictions on the security threats companies will face in 2017 and suggest what people and enterprises can do to protect themselves from increasingly sophisticated attacks.

Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis' Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow his every move at http://twitter.com/donreisinger.

How to Identify and Deal With Phishing Email

In October, most people look forward to pumpkin carving, changing weather and, if you're Canadian, Thanksgiving.

But for those in the security world, October also is National Cybersecurity Awareness Month.

Business email compromise has cost companies $...

Securing Office 365? There’s always more you can do

Don't just accept the defaults and hope for the best

Wherever you look there's yet another SME or enterprise migrating to Office 365.

This says a lot for the attractiveness of cloud-based office suites, and perhaps it also says something about the attractiveness of letting someone else look after one's SharePoint and Exchange servers rather than having to fight with their maintenance and upkeep internally. It also says a lot about the security of the platform: if there were any serious concerns there wouldn't be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it's the Fort Knox of cloud-based office software: it merely says that it's secure enough for commercial organisations to accept it into their infrastructure.

Any system has scope for improvement, or for the user to layer further security mechanisms on top to make the setup even more attractive.
So what does Office 365 give us, and what can we do to take it further, security-wise?

Underlying directory services

One of the reasons people tend to trust Office 365 is that it's based on the directory service that everyone knows and is familiar with: Active Directory.

Cloud-based AD integrates with its on-premise peer very straightforwardly, and although in the past one tended to use outward federation (that is, AD was hosted and managed in-house and federated/synchronised to an external AD server) the story is now far more bi-directional, so you can manage the AD setup either internally or externally and it'll sync in either direction. Let's face it, it's difficult to criticise the fundamental security capabilities of a cloud-based AD setup because we've all been using it in-house for years and years.

Securing other apps

The other benefit you get if you adopt the Enterprise Mobility Suite on top of Office 365 is the ability to bring the user authentication of a variety of apps into a single user database.
Interestingly EMS gives you more than you'd be able to do with an in-house AD setup.
So as well as providing native AD authentication you can point all manner of other stuff at it – ODBC lookups, LDAP queries, Web services and of course other native AD servers.

But more interestingly there's a pile of specific support for a wide range of popular cloud-based apps (Salesforce is the one that's generally cited, so let's not buck the trend) and so you can move away from your plethora of separate user databases and toward a single integrated directory service.

Two-factor authentication

The problem with centralising your authentication, though, is that the impact of a breach on your central authentication database is far greater than a breach on a single application's own internal user database.
So the first thing you'll probably want to add to your Office 365 setup is two-factor authentication (2FA).

To be fair to Microsoft they do provide a 2FA mechanism of their own, but many of us already use third-party 2FA (RSA's SecurID is probably the best known, though more recently I've used Symantec's VIP offering) and it's understandable to want to stick with what you know.

And without trying to sound disparaging to Microsoft, there's something to be said for picking a different vendor for your 2FA in the interests of putting your eggs in more than one vendor basket. Happily the 2FA vendors are happy to sell you their 365-connectable offerings as they're becoming nicely established and stable.

Edge protection

We mentioned earlier that managing your own in-house Exchange setup can be something of a chore, and quite frankly who can blame you for wanting to ship it off to the cloud for Microsoft to look after it? I've seen it done more than once, and the relief on the faces of the mail server admins was palpable.

But I also wouldn't blame you for considering persevering with and potentially even expanding some or all of the edge protection you have for inbound email – it's been common for many years to adopt a hosted anti-malware and/or anti-spam offering and to funnel all your inbound email through it on its way to the Exchange server.
So of course Microsoft's mail infrastructure has its own anti-malware mechanisms (and they're very proud of it) but again, by sticking with a third-party offering layered around it you can bring an additional layer of security, visibility and reassurance to yourself and your management. Going in the other direction, Data Leakage Protection (DLP) is also something that you're increasingly likely to need these days, what with the tendency toward accreditations such as PCI-DSS and ISO 27001.

Again there's a selection of DLP tools and policy features with Office 365, but a third-party approach is very much an option.

Security monitoring

Regardless of whether your installation is on-premise or in the cloud, security monitoring is absolutely critical if you're serious about security.

The market to be in these days is selling Security Information and Event Management (SIEM) software and appliances: storing, collating and analysing log data and the associated response and remediation brings massive benefits, particularly if you're aiming toward some kind of formal security or similar accreditation. Office 365 provides APIs into which SIEM platforms can hook in order to deduce what's occurring in the cloud installation and alert you to potential issues; and as with the likes of DLP and 2FA the vendors of SIEM products are now commonly supporting Office 365 to pretty much the same extent as they support on-premise kit.

Does Office 365 have in-built SIEM? Yes, there are tools that provide you with forensic analysis features and of course there's event logging, but SIEM isn't a core concept for Microsoft and so unless you have a very small setup you'll look to third-party SIEM offerings for the functionality you need, either in a dedicated, targeted SIEM solution from someone like LogRhythm or Splunk or in a multi-function package from the likes of Proofpoint.

Backups

One of the big differences between the cloud-based world and the on-premise setup is the need for and the implementation of backups.
It's common to decide that the requirement for backups to protect against complete system failure (i.e. disk crashes causing data loss) is much reduced in the cloud thanks to the robust physical implementation of the underlying storage layer.

But remember that physical crashes are just part of the need for backups: the risk of inadvertent deletion of data doesn't go away when you shift the installation into the cloud.

As with some of the other concepts we've mentioned there are built-in tools such as version control and rollback, automatic retention of items in recycle bins, and so on.

But again you're likely to want more, and again you can look to the market as there's a growing selection of options out there.

Are we spotting a trend here?

We've been talking so far about augmenting Office 365 with security features that don't come as standard, or that do come with the system but are perhaps not so attractive as those of separate products whose developers are more focused on the subject area.

The thing is, though, that aside perhaps from the discussion on backups, few of these supposed shortcomings are unique to Office 365 – they exist in on-premise setups too.

And that makes sense: we're not saying Office 365 is particularly deficient, just that the whole reason all these third party products and services exist is that you can't reasonably expect Microsoft (or any other of your vendors) to have a perfect solution in every specialist field of security as part of its office suite.

What do the Office 365 experts think?

Aonghus Fraser, CTO at C5 Alliance, echoes the idea that the service has its own features but they're not the whole story. He notes: “There are a number of areas that should be considered – some are in addition to Office 365 but there are also newer or lesser-known security features or services that can complement that native Office 365 security and cover all bases”. Endpoint security's high on his list. “Whilst there is protection at the server-side for O365 including Exchange and SharePoint Online, it is recommended that a strategy for endpoint protection for devices is implemented.

This can range from leveraging native O365 & Microsoft services such as InTune to ensure that a minimal level of patching and AV is enabled (using Windows Defender) to third party solutions such as Sophos Endpoint which can work on devices and in conjunction with firewalls to detect and isolate compromised devices”. Following up his point about new features that wink into existence, he cites a recently introduced built-in feature: “Advanced Security Management is a new service providing global and security administrators with the facility to detect anomalies in your tenant – alerts for abnormal behaviour, and alerts for activities that might be atypical.

Examples could include logging in from unusual locations, mass download by a single user (suggesting a data leakage risk) or administrative activity from a non-administrative IP address”.

The non-technical elements

Our original request to Aonghus was for three observations, of which we've just mentioned two; the third is non-technical but absolutely key. He states: “It is essential to ensure that business policies are regularly maintained in line with Office 365 capabilities such as Multi-Factor Authentication and Data Leakage Prevention in order for security to be optimised whilst taking into account employee productivity”. It's key to ensure your business is able to work effectively and in a governed way as you evolve into the cloud world: “An understanding of the implications on users of implementing some security measures is essential to ensure that users are well-informed and do not try to bypass the measures due to lack of understanding or usability or productivity being severely compromised.
If the measures are too draconian users will find a way to circumvent them; business decisions need to align with the security recommendations in order for the right balance to be achieved”.

People as a problem

Aonghus touched on the issue of ensuring that staff are well informed and don’t try to side-step security measures, but it’s worth remembering that even with a strong staff awareness programme there’s still a risk of inappropriate inactivity.

And you can’t really blame your staff for falling for the occasional phishing attack: some are so sophisticated that even the most aware staff member will be taken in eventually.

As Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, puts it: “The level of social engineering to craft a convincing lure is what makes phishing so successful. We see this used across attacks that use malware, and those that don’t – such as business email compromise spoofing attacks and phishing for credentials”. Joe continues: “While end user education serves an important role, you cannot rely on it.

Focus on where your users digitally communicate the most – email, social sites, and mobile apps – and put in the protection needed to shield advanced attacks from ever reaching your end users”. As for the complexity of attacks these days: “The attack on customers of National Australia Bank that Proofpoint recently identified is a perfect example of how to the naked eye, the emails and links were virtually indistinguishable from legitimate bank communications.

The email content tricked recipients into entering credentials to verify their account and provide accounts details, before redirecting to the legitimate banking site.

The URL [looked] legitimate, but a letter was swapped with Unicode and encoding in the URL hid suspicious code”.

In short

Like any system of its kind, Office 365 is sufficiently secure in its basic form but there's always more you can do – either to make it easier to exploit what it inherently does or to add further layers of protection and reporting on top of what you get “out of the box”. You may decide when you move to Office 365 that you can wind down some of the extras you bolted onto your on-premise system simply because technology's moved on and the inherent provision in Office 365 is good, but any cloud email service is fair game for an attacker because a compromise of a single system serves up multiple victims so you're unlikely to want to throw away all the extras that can help you provide a layered security model as you evolve to a cloud setup.

Oh, and one more thing: moving to the cloud doesn't make you immune from the long-standing tradition of stereotypical bad practice.

Aonghus gets the last word in this respect: “Accepting the default settings without considering whether, for example, the password expiry policy is appropriate is something that is often left – a 'hope for the best' approach or assumption that Microsoft defaults are right for you is not a good strategy where security is concerned”.

Amen. ®