
We often hear about BEC, an acronym for Business Email Compromise, a threat we all face every day in our mailboxes. But what are we actually talking about? And how can we avoid falling into the traps artfully constructed by cyber criminals?

 

BEC: technique analysis

The acronym denotes a cybercrime method, frequently used by malicious actors against companies of all sizes, whose primary aim is to extort money, but which also serves to obtain sensitive information or data from the target company.

The technique does not primarily target corporate IT infrastructure, as ransomware does, but focuses on the collaboration and productivity environments most commonly used worldwide.

Examples are Microsoft 365 and Google Workspace, as well as, of course, on-premises corporate e-mail services such as the widely used Microsoft Exchange.

 

Anatomy of the attack

First, attackers need to obtain a user’s access. Here a distinction can be made between targeted and random attacks. In a targeted attack, the attacker goes after a specific company and a specific user, such as the CEO or CFO.

The attacker will then attempt to obtain that user’s credentials: performing social engineering and gathering as much information as possible, then trying to break into the account by brute force, or simply sending spam messages containing malicious links designed to lure the victim into entering the credentials.

In random attacks, the attacker obtains access without a particular target in mind, perhaps by purchasing credentials on the deep/dark web, in Telegram channels or on black markets in general, or by harvesting them with infostealer malware, whose precise purpose is to collect credentials and cookies from the endpoints it infects.

 

Access granted: what now?

Once access is gained, the threat actor studies the correspondence and conversations and works out the context of the affected company; once enough information has been gathered, he inserts himself into the middle of a conversation, sending e-mails that genuinely originate from a legitimate user’s mailbox in order to extort money from external suppliers or customers.

These e-mails are often very well written and hard to recognise as a scam; very often the other party ends up paying “false” invoices into foreign bank accounts that do not belong to the legitimate creditor.

Attackers naturally try to conceal their illicit activity within the compromised systems, sometimes using mailbox rules to move messages, or entire threads, that contain specific words in the subject line or come from specific senders into out-of-the-way mailbox folders; the RSS Feeds folder is a frequent choice, since it is almost always ignored by users.
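As an added example (not code from the original article), the following triages mailbox rules for the concealment pattern just described: rules that hide or delete finance or supplier threads in folders users ignore. The rule records are constructed, and their field names are assumptions loosely modelled on what a mailbox-rule audit event exposes.

```python
from dataclasses import dataclass, field
# Folders rarely opened by users and therefore popular hiding places.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items", "archive"}
# Words that recur in the payment threads attackers want to intercept.
FINANCE_WORDS = {"invoice", "payment", "bank", "iban", "wire", "remittance"}

@dataclass
class InboxRule:            # constructed record; field names are assumptions
    user: str
    name: str
    move_to_folder: str = ""
    delete_message: bool = False
    mark_as_read: bool = False
    subject_contains: list = field(default_factory=list)
    from_address: list = field(default_factory=list)

def assess_rule(rule: InboxRule) -> dict:
    """Return {'severity': 'low'|'high', 'reasons': [...]}, or {} when benign."""
    reasons = []
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-read folder '{rule.move_to_folder}'")
    if rule.delete_message:
        reasons.append("deletes matching messages")
    if rule.mark_as_read:
        reasons.append("marks matching messages as read")
    hits = sorted(w for w in rule.subject_contains if w.lower() in FINANCE_WORDS)
    if hits:
        reasons.append(f"filters on finance keywords {hits}")
    if not rule.name.strip(". ,_-"):
        reasons.append("near-empty rule name, typical of hastily created attacker rules")
    if not reasons:
        return {}
    # Hiding or deleting mail that belongs to a finance thread or comes from a
    # named supplier/customer is exactly the concealment pattern described above.
    hides = rule.move_to_folder.lower() in HIDING_FOLDERS or rule.delete_message
    if hides and (hits or rule.from_address):
        if rule.from_address:
            reasons.append(f"targets specific senders {rule.from_address}")
        return {"severity": "high", "reasons": reasons}
    return {"severity": "low", "reasons": reasons}

def suspicious_rules(rules):
    """Map 'user:rule name' to its assessment for every rule that is not benign."""
    return {f"{r.user}:{r.name}": a for r in rules if (a := assess_rule(r))}

SAMPLE_RULES = [  # constructed sample, not real audit data
    InboxRule("cfo@example.com", ".", move_to_folder="RSS Feeds", mark_as_read=True,
              subject_contains=["invoice", "payment"]),
    InboxRule("cfo@example.com", "Newsletters", move_to_folder="Newsletters",
              from_address=["news@vendor.example"]),
    InboxRule("ap@example.com", "..", delete_message=True,
              from_address=["accounts@supplier.example"]),
]
```

Only the two rules that hide finance or supplier mail are reported as high severity; the ordinary newsletter rule produces no finding.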

 

Goal #2: Persistence

Another activity often carried out by attackers is establishing persistence in the breached environment, so that if the compromised account is isolated once the company becomes aware of the intrusion, they still retain a secondary way in, just as in ransomware attacks.

Typically, persistence takes the form of creating additional users, if the compromised account holds administrative privileges, or of adding further authentication factors, such as creating long-lived tokens for external applications.

These attacks may also not have extortion as their primary purpose: the goal may instead be to obtain sensitive data or exfiltrate corporate data (think of how many companies keep their data in cloud systems such as SharePoint, OneDrive or Google Drive), or simply to use the corporate tenant as a “relay” for distributing spam, exploiting the reputation of verified domains to bypass recipients’ anti-spam checks.

 

BEC: how to defend yourself

To defend yourself, it is essential to put in place certain security measures, such as:

  1. Have 24-hour monitoring and response in place that can nip any threat in the bud by detecting in real time abnormal access, brute-force or password-spray attacks, or access from foreign countries
  2. Introduce multi-factor authentication for users accessing services, especially users with administrative privileges
  3. Carry out periodic training for company staff, focusing on the most commonly used attack vectors, threats and techniques used by attackers
  4. Equip yourself with advanced anti-spam systems, in order to detect malicious links or unlawful messages
  5. Regulate conditional access, i.e. define rules so that, before a user can access resources, certain minimum requirements must be met, such as the use of a verified device or a recognised source IP address
  6. Collect and retain audit logs from cloud systems, useful for detecting signs of compromise or reconstructing the attack kill chain.
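As an added example (not code from the original article), the three detections named in point 1 run over constructed sign-in log lines: a password spray from one IP, a brute force against one account, and a successful sign-in from outside the expected country. The log format, thresholds and country allow-list are assumptions; in practice the events come from the provider’s sign-in audit log collected as in point 6.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_SEC = 600            # count failures inside 10-minute buckets
BRUTE_FORCE_FAILS = 8       # failures against one account in a bucket
SPRAY_USERS = 5             # distinct accounts failed from one IP in a bucket
ALLOWED_COUNTRIES = {"IT"}  # where this fictional company normally signs in from

def parse(line: str) -> dict:
    """Parse '<iso-timestamp> key=value ...' into a dict; 'ts' becomes epoch seconds."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return ev

def detect(lines):
    """Return a sorted list of (kind, subject) findings for the three rules above."""
    per_user = defaultdict(int)   # (bucket, user) -> failed sign-ins
    per_ip = defaultdict(set)     # (bucket, ip)   -> accounts that failed from that IP
    findings = set()
    for ev in map(parse, lines):
        bucket = ev["ts"] // WINDOW_SEC
        if ev["result"] == "failure":
            per_user[(bucket, ev["user"])] += 1
            per_ip[(bucket, ev["ip"])].add(ev["user"])
        elif ev["result"] == "success" and ev["country"] not in ALLOWED_COUNTRIES:
            findings.add(("foreign_success", f"{ev['user']} from {ev['country']}/{ev['ip']}"))
    findings |= {("brute_force", u) for (_, u), n in per_user.items() if n >= BRUTE_FORCE_FAILS}
    findings |= {("password_spray", ip) for (_, ip), users in per_ip.items() if len(users) >= SPRAY_USERS}
    return sorted(findings)

# Constructed sample: a spray from one IP, a brute force on the CFO that succeeds
# from abroad, and one normal sign-in from the home country.
SAMPLE_LOG = (
    [f"2024-05-02T08:0{i}:00Z user=user{i}@example.com ip=198.51.100.7 country=NL result=failure"
     for i in range(6)]
    + [f"2024-05-02T09:00:{i:02d}Z user=cfo@example.com ip=203.0.113.9 country=RO result=failure"
       for i in range(8)]
    + ["2024-05-02T09:01:00Z user=cfo@example.com ip=203.0.113.9 country=RO result=success",
       "2024-05-02T09:05:00Z user=alice@example.com ip=192.0.2.1 country=IT result=success"]
)

if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(kind, subject)
```

Bucketing by fixed 10-minute windows is deliberately simple; a production rule would use a sliding window and a baseline per user rather than a single country allow-list.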

 

BEC-type compromises are widespread today and pose a significant threat to all companies, given the lower effort they require compared to more complex and elaborate attacks, and the ease with which victims often fall for these scams.

Analysis by Alessandro Lomi – Incident Response Specialist, CYBEROO