{"id":52022,"date":"2023-05-19T10:00:00","date_gmt":"2023-05-19T10:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise\/"},"modified":"2023-05-19T10:00:00","modified_gmt":"2023-05-19T10:00:00","slug":"cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise\/","title":{"rendered":"Cyber Signals: Shifting tactics fuel surge in business email compromise"},"content":{"rendered":"

Today we released the fourth edition of Cyber Signals<\/strong><\/a> <\/em>highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022.1<\/sup><\/p>\n

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI\u2019s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 BEC complaints involving domestic transactions with potential losses of more than USD590 million.2<\/sup>  <\/p>\n

BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an adjusted average of 156,000 attempts daily. <\/p>\n

\n
\n
\n
\n
\n

Cyber Signals<\/h2>\n
\n

Microsoft\u2019s Digital Crimes Unit has observed a 38 percent increase in cybercrime as a service targeting business email between 2019 and 2022.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n

\"graphical <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n

Common BEC tactics<\/h2>\n

Threat actors\u2019 BEC attempts can take many forms\u2014including via phone calls, text messages, emails, or social media. Spoofing authentication request messages and impersonating individuals and companies are also common tactics. <\/p>\n

Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking direct action like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.  <\/p>\n

Unlike a \u201cnoisy\u201d ransomware attack featuring disruptive extortion messages, BEC operators play a quiet confidence game using contrived deadlines and urgency to spur recipients who may be distracted or accustomed to these types of urgent requests. Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and in-box success rate of malicious messages. <\/p>\n

Microsoft observes a significant trend in attackers\u2019 use of platforms like BulletProftLink<\/a>, a popular service for creating industrial-scale malicious mail campaigns, which sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS are also provided with IP addresses to help guide BEC targeting.   <\/p>\n

BulletProftLink\u2019s decentralized gateway design, which includes Internet Computer blockchain nodes to host phishing and BEC sites, creates an even more sophisticated decentralized web offering that\u2019s much harder to disrupt. Distributing these sites\u2019 infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex.  <\/p>\n

While there have been several high-profile attacks that take advantage of residential IP addresses, Microsoft shares law enforcement and other organizations\u2019 concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications.  <\/p>\n

Although, threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting C-suite leaders, accounts payable leads, and other specific roles, there are methods that enterprises can employ to preempt attacks and mitigate risk.  <\/p>\n

BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers at the table alongside executives and leaders, finance employees, human resource managers, and others with access to employee records like social security numbers, tax statements, contact information, and schedules.   <\/p>\n

Recommendations to combat BEC<\/h2>\n