
Tag: business email compromise

Hacking the Business Email Compromise

BEC attacks are on the rise, but plain-old spoofing of business executives' email accounts remains more prevalent.

Hacker Accused of Carrying Out Business Email Scam Netting $100M

The long arm of the law tracks down a lone hacker who allegedly used a business email compromise attack to steal $100 million from two U.S. companies.

Turning Tables on Nigerian Business Email Scammers

Researchers from Dell SecureWorks infiltrated a Nigerian business email spoofing and business email compromise operation, shutting down a number of money mule accounts in the process.

Trend Micro Says Cyber-Attacks Will Continue Unabated in 2017

By Don Reisinger | Posted 2016-12-07

Trend Micro Predicts More Sophisticated Cyber-Attacks in 2017

Security software company Trend Micro says cyber-attacks on enterprise networks and the internet of things will only grow in volume and sophistication in 2017.

Ransomware Will Start to Level Off

The number of ransomware families is expected to “plateau” at some point during 2017, according to Trend Micro. However, compared to 2016, the number targeting individuals and companies will grow by 25 percent. That translates to an average of 15 new ransomware families discovered each month and should result in cybercriminals hitting more and bigger targets.

The Internet of Things Becomes a Hacker Haven

Connected devices will be important tools for hackers in 2017. Trend Micro predicts hackers will use IoT devices as “sleeper agents” that they’ll pool together for much larger attacks against important infrastructure, launching “massive DDoS attacks” via the devices. They’ll also try to take down wide swaths of the internet and “pummel” major organizations.

Email Scams Will Be On the Rise

Email-based scams will soar in 2017, since they’re simple to launch and can deliver high returns on a small investment, Trend Micro claims. Hackers, therefore, are expected to boost the number of email attacks on companies and individuals dramatically, and their efforts could net them billions of dollars. A single business email compromise can net hackers $140,000, according to Trend Micro.

Watch Out for Business Process

Sophisticated hackers will be looking at ways to take advantage of the way financial institutions process business transactions in 2017. Trend Micro believes hackers will first target a financial institution’s email or network and modify processes to redirect cash and payments to their own accounts. The average business process attack on a financial institution could net the hackers upwards of $81 million, according to Trend Micro.

Adobe, Microsoft, Apple Under Attack

Adobe has long suffered from security flaws in its software, and Trend Micro believes that will continue into 2017. However, the company also says security researchers will discover dozens of flaws in Apple and Microsoft products next year that could put company data at risk. Still worse, Trend Micro predicts that security improvements made by Microsoft, Adobe and Apple next year could make it even more difficult for researchers to detect attacks.

Cyber-Propaganda Is a Rising National Security Threat

Trend Micro believes the recent trend of fake news impacting opinions around the world won’t let up in 2017. As more people around the world come online, the company notes, they’ll be sharing fake news to peddle influence. The move also might net them some cash.

Security Administrative Costs Will Soar

Any company that captures and stores the personal data of people living in the European Union will incur additional costs next year. Under new regulations outlined by the EU, companies will need to keep stored data safe and secure. By 2018, when the regulations go into effect and stringent privacy is expected, companies could pay up to 4 percent of their global revenue for failing to comply. Next year, therefore, could be a costly year as companies around the world ramp up their user database security.

New Threats to Worry About

While companies have faced all of the aforementioned threats in 2016, Trend Micro warns more threats are coming. Attackers will deliver new payloads and might circumvent the protections companies already have in place across their network infrastructure, as hackers, Trend Micro says, have become “more seasoned.” Corporate network infrastructure, however, has “remained largely the same.” That could be a recipe for trouble.

Applying Machine Learning for Protection

Although machine learning to combat security threats is nothing new, it could prove to be a critical component in fighting next year’s threats. When companies properly deploy machine learning through a layered system that has both human- and computer-provided inputs flowing through mathematical algorithms, the company says, their chances of fending off threats are higher. Effective machine learning, in other words, could mean the difference between a secure system and dealing with a hack.

How to Catch Zero-Day Threats

When it comes to zero-day threats, there’s little companies can do to protect themselves. However, to maximize their ability to sidestep threats, companies must continually monitor network behavior and integrity, according to Trend Micro. In addition, the company notes, sandboxing could prove effective in stopping threats from spreading across a network.

Companies around the world are under constant cyber-attack. Cyber-criminals in 2016 were able to target companies on several fronts, hitting them with distributed denial of service (DDoS) attacks that knocked their web applications offline and cut them off from their customers for hours at a time. They used phishing attacks to dupe employees into disclosing network login information so they could break in and steal data and trade secrets. Unfortunately, security software company Trend Micro says things won’t change very much in 2017. Rather, Trend Micro’s cyber-threat predictions for the New Year suggest hackers will increase their attacks on mobile platforms and the internet of things (IoT). They also will continue their practice of scamming employees with worthless spam emails and phishing messages. In addition, Trend Micro believes an emerging threat known as cyber-propaganda could be used to foment unrest and destabilize national governments. All the while, hackers are expected to rake in billions of dollars from their activities.

This slide show will cover Trend Micro’s predictions on the security threats companies will face in 2017 and suggest what people and enterprises can do to protect themselves from increasingly sophisticated attacks.

Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis' Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow his every move at http://twitter.com/donreisinger.

How to Identify and Deal With Phishing Email

In October, most people look forward to pumpkin carving, changing weather and, if you're Canadian, Thanksgiving.

But for those in the security world, October also is National Cybersecurity Awareness Month.

Business email compromise has cost companies $...

Securing Office 365? There’s always more you can do

Don't just accept the defaults and hope for the best

Wherever you look there's yet another SME or enterprise migrating to Office 365.

This says a lot for the attractiveness of cloud-based office suites, and perhaps it also says something about the attractiveness of letting someone else look after one's SharePoint and Exchange servers rather than having to fight with their maintenance and upkeep internally. It also says a lot about the security of the platform: if there were any serious concerns there wouldn't be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it's the Fort Knox of cloud-based office software: it merely says that it's secure enough for commercial organisations to accept it into their infrastructure.

Any system has scope for improvement, or for the user to layer further security mechanisms on top to make the setup even more attractive.
So what does Office 365 give us, and what can we do to take it further, security-wise?

Underlying directory services

One of the reasons people tend to trust Office 365 is that it's based on the directory service that everyone knows and is familiar with: Active Directory.

Cloud-based AD integrates with its on-premise peer very straightforwardly, and although in the past one tended to use outward federation (that is, AD was hosted and managed in-house and federated/synchronised to an external AD server) the story is now far more bi-directional, so you can manage the AD setup either internally or externally and it'll sync in either direction. Let's face it, it's difficult to criticise the fundamental security capabilities of a cloud-based AD setup because we've all been using it in-house for years and years.

Securing other apps

The other benefit you get if you adopt the Enterprise Mobility Suite on top of Office 365 is the ability to bring the user authentication of a variety of apps into a single user database.
Interestingly EMS gives you more than you'd be able to do with an in-house AD setup.
So as well as providing native AD authentication you can point all manner of other stuff at it – ODBC lookups, LDAP queries, Web services and of course other native AD servers.

But more interestingly there's a pile of specific support for a wide range of popular cloud-based apps (Salesforce is the one that's generally cited, so let's not buck the trend) and so you can move away from your plethora of separate user databases and toward a single integrated directory service.

Two-factor authentication

The problem with centralising your authentication, though, is that the impact of a breach on your central authentication database is far greater than a breach on a single application's own internal user database.
So the first thing you'll probably want to add to your Office 365 setup is two-factor authentication (2FA).

To be fair to Microsoft they do provide a 2FA mechanism of their own, but many of us already use third-party 2FA (RSA's SecurID is probably the best known, though more recently I've used Symantec's VIP offering) and it's understandable to want to stick with what you know.

And without trying to sound disparaging to Microsoft, there's something to be said for picking a different vendor for your 2FA in the interests of putting your eggs in more than one vendor basket. Happily the 2FA vendors are happy to sell you their 365-connectable offerings as they're becoming nicely established and stable.

Edge protection

We mentioned earlier that managing your own in-house Exchange setup can be something of a chore, and quite frankly who can blame you for wanting to ship it off to the cloud for Microsoft to look after it? I've seen it done more than once, and the relief on the faces of the mail server admins was palpable.

But I also wouldn't blame you for considering persevering with and potentially even expanding some or all of the edge protection you have for inbound email – it's been common for many years to adopt a hosted anti-malware and/or anti-spam offering and to funnel all your inbound email through it on its way to the Exchange server.
So of course Microsoft's mail infrastructure has its own anti-malware mechanisms (and they're very proud of it) but again, by sticking with a third-party offering layered around it you can bring an additional layer of security, visibility and reassurance to yourself and your management. Going in the other direction, Data Leakage Protection (DLP) is also something that you're increasingly likely to need these days, what with the tendency toward accreditations such as PCI-DSS and ISO 27001.

Again there's a selection of DLP tools and policy features with Office 365, but a third-party approach is very much an option.

Security monitoring

Regardless of whether your installation is on-premise or in the cloud, security monitoring is absolutely critical if you're serious about security.

The market to be in these days is selling Security Information and Event Management (SIEM) software and appliances: storing, collating and analysing log data and the associated response and remediation brings massive benefits, particularly if you're aiming toward some kind of formal security or similar accreditation. Office 365 provides APIs into which SIEM platforms can hook in order to deduce what's occurring in the cloud installation and alert you to potential issues; and as with the likes of DLP and 2FA the vendors of SIEM products are now commonly supporting Office 365 to pretty much the same extent as they support on-premise kit.

Does Office 365 have in-built SIEM? Yes, there are tools that provide you with forensic analysis features and of course there's event logging, but SIEM isn't a core concept for Microsoft and so unless you have a very small setup you'll look to third-party SIEM offerings for the functionality you need, either in a dedicated, targeted SIEM solution from someone like LogRhythm or Splunk or in a multi-function package from the likes of Proofpoint.

Backups

One of the big differences between the cloud-based world and the on-premise setup is the need for and the implementation of backups.
It's common to decide that the requirement for backups to protect against complete system failure (i.e. disk crashes causing data loss) is much reduced in the cloud thanks to the robust physical implementation of the underlying storage layer.

But remember that physical crashes are just part of the need for backups: the risk of inadvertent deletion of data doesn't go away when you shift the installation into the cloud.

As with some of the other concepts we've mentioned there are built-in tools such as version control and rollback, automatic retention of items in recycle bins, and so on.

But again you're likely to want more, and again you can look to the market as there's a growing selection of options out there.

Are we spotting a trend here?

We've been talking so far about augmenting Office 365 with security features that don't come as standard, or that do come with the system but are perhaps not so attractive as those of separate products whose developers are more focused on the subject area.

The thing is, though, that aside perhaps from the discussion on backups, few of these supposed shortcomings are unique to Office 365 – they exist in on-premise setups too.

And that makes sense: we're not saying Office 365 is particularly deficient, just that the whole reason all these third-party products and services exist is that you can't reasonably expect Microsoft (or any other of your vendors) to have a perfect solution in every specialist field of security as part of its office suite.

What do the Office 365 experts think?

Aonghus Fraser, CTO at C5 Alliance, echoes the idea that the service has its own features but they're not the whole story. He notes: “There are a number of areas that should be considered – some are in addition to Office 365 but there are also newer or lesser-known security features or services that can complement that native Office 365 security and cover all bases”. Endpoint security's high on his list. “Whilst there is protection at the server-side for O365 including Exchange and SharePoint Online, it is recommended that a strategy for endpoint protection for devices is implemented.

This can range from leveraging native O365 & Microsoft services such as InTune to ensure that a minimal level of patching and AV is enabled (using Windows Defender) to third party solutions such as Sophos Endpoint which can work on devices and in conjunction with firewalls to detect and isolate compromised devices”. Following up his point about new features that wink into existence, he cites a recently introduced built-in feature: “Advanced Security Management is a new service providing global and security administrators with the facility to detect anomalies in your tenant – alerts for abnormal behaviour, and alerts for activities that might be atypical.

Examples could include logging in from unusual locations, mass download by a single user (suggesting a data leakage risk) or administrative activity from a non-administrative IP address”.

The non-technical elements

Our original request to Aonghus was for three observations, of which we've just mentioned two; the third is non-technical but absolutely key. He states: “It is essential to ensure that business policies are regularly maintained in line with Office 365 capabilities such as Multi-Factor Authentication and Data Leakage Prevention in order for security to be optimised whilst taking into account employee productivity”. It's key to ensure your business is able to work effectively and in a governed way as you evolve into the cloud world: “An understanding of the implications on users of implementing some security measures is essential to ensure that users are well-informed and do not try to bypass the measures due to lack of understanding or usability or productivity being severely compromised.
If the measures are too draconian users will find a way to circumvent them; business decisions need to align with the security recommendations in order for the right balance to be achieved”.

People as a problem

Aonghus touched on the issue of ensuring that staff are well informed and don’t try to side-step security measures, but it’s worth remembering that even with a strong staff awareness programme there’s still a risk of inappropriate inactivity.

And you can’t really blame your staff for falling for the occasional phishing attack: some are so sophisticated that even the most aware staff member will be taken in eventually. As Joe Diamond, Director of Cybersecurity Strategy at ProofPoint puts it: “The level of social engineering to craft a convincing lure is what makes phishing so successful. We see this used across attacks that use malware, and those that don’t – such as business email compromise spoofing attacks and phishing for credentials”. Joe continues: “While end user education serves an important role, you cannot rely on it.

Focus on where your users digitally communicate the most – email, social sites, and mobile apps – and put in the protection needed to shield advanced attacks from ever reaching your end users”. As for the complexity of attacks these days: “The attack on customers of National Australia Bank that Proofpoint recently identified is a perfect example of how to the naked eye, the emails and links were virtually indistinguishable from legitimate bank communications.

The email content tricked recipients into entering credentials to verify their account and provide accounts details, before redirecting to the legitimate banking site.

The URL [looked] legitimate, but a letter was swapped with Unicode and encoding in the URL hid suspicious code”.

In short

Like any system of its kind, Office 365 is sufficiently secure in its basic form but there's always more you can do – either to make it easier to exploit what it inherently does or to add further layers of protection and reporting on top of what you get “out of the box”. You may decide when you move to Office 365 that you can wind down some of the extras you bolted onto your on-premise system simply because technology's moved on and the inherent provision in Office 365 is good, but any cloud email service is fair game for an attacker because a compromise of a single system serves up multiple victims, so you're unlikely to want to throw away all the extras that can help you provide a layered security model as you evolve to a cloud setup. Oh, and one more thing: moving to the cloud doesn't make you immune from the long-standing tradition of stereotypical bad practice.

Aonghus gets the last word in this respect: “Accepting the default settings without considering whether, for example, the password expiry policy is appropriate is something that is often left – a 'hope for the best' approach or assumption that Microsoft defaults are right for you is not a good strategy where security is concerned”.

Amen. ®

Hacker takes down CEO wire transfer scammers, sends their Win 10...

'Whaling' attackers fall for poison PDF 'invoices'

HITB Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams... and they hate him for it. The director of SEC Consult's Singapore office has made a name striking back at so-called "whaling" scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police. Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts. It works.

The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year.
Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015. Harpooned companies include Mattel, which shipped and by dumb luck recuperated $3m its executive sent to a hacker's Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January. They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims. Lukavsky told The Reg of his work on the back of his presentation at August's Hack in the Box in Singapore, where he explained that he uses the attacker's tactics to compromise scammers' Microsoft accounts. "Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters," Lukavsky says. "We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information." "We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook." Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper. The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers located in Africa. He says he got a kick out of the tale of one security researcher who avenged his parents by convincing a net scammer to run the dangerous Locky ransomware. Lukavsky says one of his friends recently compromised a whaling scammer and has reported seven of the criminal's bank accounts to financial institutions which shut them down. "And those bank accounts are probably one of the most valuable goods to the fraudsters as they are difficult to set up in times of more stringent regulatory controls, know your customer rules, anti money laundering, etcetera," he says. It is generally difficult for organisations to recuperate their losses.
Ubiquiti clawed back $9m from the $46.7m it lost, a rare win. The document harvesting system Lukavsky uses is being woven into a data leak prevention system Sec Consult hopes to launch by year's end. MyNetWatchman's Donald McCarthy has had equal fun messing with whaling scammers. He told Vulture South earlier this year how he doxed tax scammers in Africa, where about 17,000 business email compromise actors, or about 40 per cent of the global pool, are thought to operate. Some of the best scams are compartmentalised, with different teams responsible for various intelligence and social engineering tasks.

Teams will often compromise a business's email accounts to gather intelligence on the types of services and partners it uses. Criminal call centre services offer scammers the ability to pay for English-speakers to make follow-up phone calls to further convince targeted businesses. Scammed funds are often wired between banks on their way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea, where money trails run cold. ®

Ransomware Takes Off in 2016 First Half: Trend Micro Study

The number of ransomware variants has escalated so far this year, Trend Micro's latest security report finds, but little data exists on how many victims have been hit. In the first half of 2016, attackers focused a great deal more on ransomware than in...

Brisbane council loses $500k to scammers

Email and a phone call enough to secure nine payments.

The local council of the Australian city of Brisbane has been fleeced of A$450,000 (£248,000, US$334,000) by email-whaling scammers who tricked staff into wiring money into their bank accounts. The scammers phoned and emailed the council posing as one of its suppliers. Lord mayor Graham Quirk has commissioned Deloitte to conduct a review into how the scam took place. Quirk told reporters the scammers gained the cash in nine payments made since 13 July. "It was then checked and it was found that the place where the cheques were going to was different to what the ridgy-didge* account was," Cr Quirk said. It was the largest scam against the council, Cr Quirk says. Business email compromise, a subset of phishing that tricks executives into wiring money to attackers, is estimated by the FBI to have cost US$740 million in the US alone since 2013. The social engineering scams are a scourge of businesses and result in many millions being plundered by convincing executives to wire money into different accounts. The best scams are compartmentalised with different teams responsible for various intelligence and social engineering tasks.

Teams will often compromise a business's email accounts to gather intelligence on the types of services and partners it uses. Criminal call centre services offer scammers the ability to pay for English-speakers to make follow-up phone calls to further convince targeted businesses. Scammed funds are often wired between banks on their way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea where money trails run cold. In April, toy maker Mattel recovered some US$3 million shipped off to Chinese hackers who sent a well-crafted phishing email to a finance executive. ®

* Archaic Australian slang for "genuine".

BEC Campaign Tricks Company Into Wiring $400K to Hackers

Researchers gained significant insight into a Nigerian business email compromise (BEC) operation that likely costs companies $6 million annually, including one incident where a firm was tricked into sending $400,000 to the group's bank accounts. Nigerian cyber-criminals hacked into the email of an Indian chemical company, hijacking a deal between the company and its U.S. customer and stealing the entire $400,000 payment, according to researchers with security firm SecureWorks. Details of the attack—of a type known as business email compromise (BEC)—are part of the intelligence gleaned by researchers from a misconfigured server used by the group.

The fraud scheme is known as "wire-wire" in West African nations and involves compromising the email accounts of potential victims, waiting for a high-value order or transaction, and then sending new bank account details to the customer. If done right, the scheme can be very lucrative—scoring between $30,000 and $60,000 on average—and hard to detect, Joe Stewart, director of malware research at SecureWorks, told eWEEK.

The collected evidence shows that West African groups are quickly evolving from 411 and Nigerian prince scams to more sophisticated social engineering, he said. "What we learned from watching these actors over a period of months is that they worked in a way substantially different from our preconceived notions of Nigerian threat actors," he said. "Week to week, given the average [we're seeing], they are probably taking in $6 million a year." SecureWorks named the group that stole the $400,000 Wire-Wire Group 1 (WWG1) and suspects that it has more than 30 members. Most members of the group live in the same region of Nigeria, the company stated in its report. The details of the West African group come the same week that international law enforcement announced the arrest of the Nigerian head of a group conducting similar scams.

That unnamed group, which may have stolen as much as $60 million, used both business email compromise and romance scams to bilk victims of money.
In one case, a target paid $15.4 million before the scam ended. Law enforcement officials did not name the group or its leader, but referred to him as "Mike." The group's members come from Malaysia, South Africa and Nigeria. To avoid being tracked, the group laundered its gains through contacts in China, Europe and the U.S., according to authorities.

The groups pay a significant amount of money to such criminal services.
In the case of Wire-Wire Group 1, for example, about half of the stolen funds end up in the hands of the criminal group that launders the money, according to SecureWorks. The groups are not only evolving their techniques, but have evolved themselves: They are, for example, more likely to consist of mature adults, rather than younger actors, according to SecureWorks' investigation into WWG1. While 411 scammers tend to be students and 20-something adults, who show off their cash and work from cyber-cafes, members of WWG1 are in their late 20s, 30s and 40s, operate from their home Internet connection and are involved in mainstream church groups. Messages between members of WWG1 show that they work to help out other members of their community by introducing them to the money-making scheme, according to SecureWorks. The security firm dubbed the leader of the group they are investigating "Mr. X" and stressed that the group is unrelated to the one shut down by law enforcement this week. Business email compromise has grown to be a significant threat to companies, especially small and medium businesses that do not have good accounting controls.
In April, the FBI warned that, since October 2013, more than 17,600 victims have reported the scam, with business losses totaling $2.3 billion. The attacks are accelerating as well.
Since the beginning of 2015, the FBI has noted a 270 percent increase in victims and losses. The FBI warned companies to beware of account information or changes that are only sent through email.

Any changes should be verified over the phone by calling known contacts at the partner's business.
In addition, companies should implement multiple levels of authentication as part of their accounting practices.

Social engineering tricks and why CEO fraud emails work

CSO Online | Aug 4, 2016

At the Black Hat conference in Las Vegas, CSO’s Steve Ragan talks with Stephanie Carruthers, owner of Snow Offensive Security, about why business email compromise (aka CEO fraud) works so well against companies.
She also discusses several tricks that phishers will use to gain trust among corporate employees when preparing for an attack.

Business Email Compromise Gets a New Twist

No longer are business email compromise scams just about getting organizations to send money; now some such attacks are sending fraudulent CEO emails to deliver malware payloads. Business email compromise (BEC) is a growing problem, as hackers are increasingly defrauding unsuspecting organizations into sending money.
In a new twist, in BEC attacks uncovered by security firm Trustwave, emails that appear to be coming from corporate CEOs are now being used to deliver malware payloads as well. "The malware payloads are a new element, whereas previous reports tend to point at either wire or information transfer scams," Phil Hay, a research manager at Trustwave, told eWEEK. The FBI issued a public service announcement alert earlier this month warning of the dire consequences of BEC.

According to the FBI's Internet Crime Complaint Center (IC3), $3.1 billion has been lost globally to BEC fraud. The FBI defines BEC as an email-based scam, where attackers are able to trick businesses into making wire transfer payments that appear to be going toward legitimate business requests.

The IC3 warned that it has seen a 1,300 percent increase in losses from BEC attacks since January 2015.

Back on Jan. 22, 2015, the IC3 warned that BEC spam email campaigns had resulted in $215 million in losses. While the primary motive of BEC today has been for direct financial fraud, Trustwave's newly discovered samples are not taking that approach. While it is possible that a BEC attack could attempt to defraud an organization and deliver malware at the same time, that's not what Trustwave is seeing. Hay said that the thrust of a BEC attack all depends on what the attacker wants to do. "The wider point is that there are different groups behind the emails—some are into scams, others have jumped on the bandwagon and started using the CEO fraud technique to help distribute their malware or get the malware installed in the target organization," Hay said. With the CEO fraud technique, attackers use a CEO's name and what appears to be a legitimate email to solicit some form of response from a targeted organization.

The basic premise of the attack is that an employee of a targeted organization is not likely to ignore an email from the organization's CEO. Trustwave is seeing samples of both regular BEC and CEO fraud hit its Secure Email Gateway Cloud platform as well as from submitted reports from Trustwave's on-premises customers. "It's very widespread. We see new samples almost every day from a wide variety of customers," Hay said about BEC. "So while the scam emails are targeted to a particular company/CEO, the number of companies targeted at any one time appears to be very broad." Trustwave has observed that companies often get repeat attacks, sometimes weeks or months after the initial one, according to Hay. With the CEO fraud attack, malware is being delivered by way of a malicious file attachment.

For years, security experts have told users not to click on attachments, yet it's still a problem. "Despite the advice, some users are still clicking on attachments and links.

The CEO fraud technique just makes it a bit more believable for an end user," Hay said. There are some things that can be done to help mitigate BEC risks.

Among the suggestions that Hay makes is that employees should be educated about BEC so they can spot potential scams.

Additionally, for payment transfers there should be processes in place to verify payment authenticity.
Standards for verifying email can also help, including the use of Sender Policy Framework (SPF), SenderID and DMARC (Domain-based Message Authentication, Reporting and Conformance).

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
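The sender-side signals these articles keep returning to, as one added example that is not code from any of them: plain spoofing of an executive's address and the SPF/DMARC verdicts that catch it (the Trustwave piece), an executive's display name on an outside mailbox, and a look-alike domain with one letter swapped for a Unicode confusable (the Proofpoint quote in the Office 365 piece). The protected domain, gateway name, executive roster and sample messages are all constructed.

```python
"""BEC header triage, added as an example (not code from any article above):
flags a look-alike sender domain with a letter swapped for a Unicode confusable,
an executive's display name on a foreign address, a redirected Reply-To, and an
SPF/DKIM/DMARC failure recorded by our own gateway. Every domain, name and
message below is constructed."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed protected domain
GATEWAY_ID = "mx.example.com"                       # assumed authserv-id of our MX
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed executive roster
# Constructed table of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o",
})
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def skeleton(domain: str) -> str:
    """Decode punycode, strip accents and fold confusables, so that a
    look-alike collapses onto the Latin domain it imitates."""
    try:
        decoded = domain.encode("ascii").decode("idna")
    except UnicodeError:            # raw Unicode in the header, or malformed
        decoded = domain
    plain = "".join(c for c in unicodedata.normalize("NFKD", decoded)
                    if not unicodedata.combining(c))
    return plain.translate(CONFUSABLES).lower()

def one_edit_apart(a: str, b: str) -> bool:
    """True when b is a with exactly one character changed, added or removed."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def is_lookalike(domain: str, legit: str = ORG_DOMAIN) -> bool:
    if not domain or domain.lower() == legit:
        return False
    sk = skeleton(domain)
    return sk == legit or one_edit_apart(sk, legit)

def bec_indicators(raw_message: str) -> list:
    """Names of the BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    found = []
    # 1. An executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        found.append("display-name-impersonation")
    # 2. A sender domain that imitates ours (confusable letter or one typo).
    if is_lookalike(from_dom):
        found.append("lookalike-domain")
    # 3. Replies quietly routed to a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        found.append("reply-to-mismatch")
    # 4. SPF/DKIM/DMARC failure recorded by OUR gateway. A sender can forge
    #    this header too, so only the copy stamped with our authserv-id counts.
    for ar in msg.get_all("Authentication-Results", []):
        if ar.strip().startswith(GATEWAY_ID + ";") and AUTH_FAIL.search(ar):
            found.append("auth-fail")
            break
    return found

# Constructed look-alike: ORG_DOMAIN with its first "a" swapped for Cyrillic "а".
LOOKALIKE = "ex\u0430mple.com".encode("idna").decode("ascii")
SPOOFED_CEO = f"""\
Authentication-Results: {GATEWAY_ID}; spf=fail smtp.mailfrom={ORG_DOMAIN}; dmarc=fail header.from={ORG_DOMAIN}
From: "Jane Doe" <jane.doe@{ORG_DOMAIN}>
Reply-To: jane.doe.ceo@webmail.invalid
Subject: Urgent wire transfer

Please process the attached invoice today.
"""
LOOKALIKE_CEO = f"""\
Authentication-Results: {GATEWAY_ID}; spf=pass smtp.mailfrom={LOOKALIKE}; dmarc=pass header.from={LOOKALIKE}
From: "Jane Doe" <jane.doe@{LOOKALIKE}>
Subject: New bank details

Our bank details have changed, see below.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_CEO), ("lookalike", LOOKALIKE_CEO)):
        print(f"{label}: {bec_indicators(sample)}")
```

The look-alike case passes SPF and DMARC (the attacker controls that domain), which is why the domain skeleton check is needed alongside the authentication verdict.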