How Business Email Compromise Attacks Work: A Detailed Case Study


Business email compromise (BEC) attacks are widespread and growing in frequency. Because they are simple to carry out and effective, BEC will remain one of the most popular attacks in 2018, with losses expected to grow to over $9 billion in 2018. According to an FBI report, BEC attacks became a $5.3 billion industry in the past year alone.

BEC attacks open the door for cyber attackers to steal money with the help of an unwitting accomplice who is fooled into submitting a wire transfer request on the attackers' behalf. Defending against BEC requires more than infrastructure and robust security controls – it requires an educated, security-aware workforce.

The case study outlined below explains how BEC works, and outlines steps businesses can take to prevent similar attacks at their organization.

Criminals launching BEC attacks carefully research their victims. Through social engineering, or through malware such as keyloggers or remote access trojans (RATs), attackers obtain access to the email account of the target company's CEO.

In this case, after compromising the CEO's email account by guessing the password with a brute-force attack, the attacker scoured the entire mailbox for sensitive information and then launched social engineering attacks inside the organization to extract money fraudulently.

There are two important things to keep in mind regarding the compromise of the CEO's email account:

  • The attackers first profiled the CEO and generated a dictionary of candidate passwords tailored to this attack.
  • Access to the CEO's email account was poorly protected: it was guarded by a password alone. There was no two-factor authentication (2FA), which made the attackers' job easier; in fact, the email system did not support this security mechanism at all.
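As an added example (not part of the original post or the case it describes), the following Python script shows one way a defender could spot the kind of password guessing described above in mailbox authentication logs: a burst of failed logins for one account inside a short window, followed by a success from the same source. The log format, account names, IP addresses and thresholds are constructed assumptions for the example.

```python
"""Flag password-guessing bursts against mailbox accounts in authentication logs.

Added example, not code from the original post. It assumes a constructed log
format: "<ISO timestamp> <user> <source_ip> <FAILURE|SUCCESS>". An account is
flagged once it accumulates FAIL_THRESHOLD failures inside a sliding WINDOW; a
SUCCESS that arrives while such a burst is still inside the window marks the
account as likely compromised (a guess that finally landed).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures inside WINDOW that trigger an alert
WINDOW = timedelta(minutes=10)

# Constructed sample lines: a burst of guesses against the CEO mailbox that
# ends in a successful login, plus one ordinary user who mistyped once.
SAMPLE_LOG = """\
2018-03-01T08:00:01 ceo@example.com 203.0.113.5 FAILURE
2018-03-01T08:00:03 ceo@example.com 203.0.113.5 FAILURE
2018-03-01T08:00:05 ceo@example.com 203.0.113.5 FAILURE
2018-03-01T08:00:07 ceo@example.com 203.0.113.5 FAILURE
2018-03-01T08:00:09 ceo@example.com 203.0.113.5 FAILURE
2018-03-01T08:00:11 ceo@example.com 203.0.113.5 FAILURE
2018-03-01T08:00:13 ceo@example.com 203.0.113.5 SUCCESS
2018-03-01T08:05:00 alice@example.com 198.51.100.7 FAILURE
2018-03-01T08:05:20 alice@example.com 198.51.100.7 SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source_ip, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome


def detect_guessing(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {user: alert} for accounts whose failures within `window` reached
    `threshold`. alert['compromised'] is True if a SUCCESS followed the burst
    while the burst was still inside the window."""
    recent = defaultdict(deque)   # user -> timestamps of failures still in window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, ip, outcome = parse_line(raw)
        q = recent[user]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if outcome == "FAILURE":
            q.append(ts)
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    user, {"source_ip": ip, "first_seen": q[0],
                           "compromised": False, "success_at": None})
                entry["failures"] = len(q)   # keep the running count up to date
        elif outcome == "SUCCESS" and user in alerts and q:
            # A success while the burst is still "live" is the worrying case.
            alerts[user]["compromised"] = True
            alerts[user]["success_at"] = ts
    return alerts


if __name__ == "__main__":
    for user, info in detect_guessing(SAMPLE_LOG).items():
        state = "login succeeded after burst" if info["compromised"] else "burst only"
        print(f"{user}: {info['failures']} failures from {info['source_ip']} ({state})")
```

In practice this logic would be fed from the mail platform's sign-in audit log rather than a text file, and the threshold and window would be tuned to the organisation's normal failure rate. An account that trips the rule and then logs in successfully is exactly the situation the case study describes, and it warrants an immediate password reset and review of the mailbox, alongside the missing 2FA.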

Later, after a detailed analysis by a security specialist, it was proven the first access to the CEO’s account was achieved 75 (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/R71g9v_7rqc/