Protecting against business email compromise (BEC) means stopping stolen credentials at source

More than $26bn has been reported lost in business email compromise attacks in the last 4 years, according to the FBI’s IC3, though the true figure is undoubtedly far higher. Business email compromise attack techniques have also evolved significantly during that time, making them more difficult to identify using basic security defenses like anti-spam filters and endpoint protection, and highlighting the need for effective threat intelligence to address the issue of compromised user credentials.

A quick BEC primer

Business email compromise (BEC) is a form of fraud where bad actors gain access to a victim’s legitimate email account without their knowledge and exploit that platform to trick other victims into instigating damage; typically theft via instructing wire transfers to third parties, diverting payroll to fake employees or procuring gift certificates.

BEC attacks are less of a numbers game than phishing, but there are still many instances of attackers repeatedly reusing proven techniques to qualify victims by initiating trust first, before exploiting it soon after. Some BEC attacks are carried out many months after the user credentials have been compromised and access obtained, typically in high-value scenarios while the attacker studies patterns of communication to formulate the best way of monetizing their advantage.

An industry fed by compromised credentials

BEC is effectively a cybercriminal industry, but one that needs a steady supply of compromised credentials to remain viable. Hence most of the preventative measures for BEC touted by security experts revolve around the use of multi-factor authentication and continual user education; the idea being that the best way to avoid being a victim is for everyone to prevent user credentials being stolen in the first place.

The hard reality is that credential theft is a daily occurrence perpetrated on a gigantic scale. In May 2020 alone, more than 8.8 billion records were breached, and those were just the ones we know about. Organizations should absolutely do everything they can to stop credentials from being compromised, but must equally accept that some compromises are inevitable and put appropriate reactive and proactive mechanisms in place to mitigate their impact.

Easy to believe, difficult to identify

A classic BEC attack will be cleverly designed to appear to the target as a legitimate email from a colleague at the same company, or a closely related organization (i.e. a supplier or customer). The little details are important when trying to look authentic, so scammers will take care to send the email at an appropriate time (i.e. a weekday, avoiding public holidays) and to communicate a message designed to validate trust in the first instance, rather than bluntly asking for a wire transfer. For example, “Let me know when you have a second, I need you to do something for me urgently.” Anyone responding to this clearly trusts that the person is who they say they are (e.g. Jessica, the head of finance). Any subsequent emails build on this to the extent that “fake Jessica” can instruct the recipient to do anything that “real Jessica” could plausibly request, such as depositing $50,000 in a bank account before 5pm to avoid the business reneging on a contract, losing a customer, etc.

There is also evidence of some BEC exploits that begin on email and then switch to SMS. The common practice of placing significant amounts of personal data into email autosignatures makes this particularly easy for hackers.

Traditional cyber defenses find all this hard to combat: unlike phishing emails, BEC attacks rarely include any links or attachments, so there is little reason for a machine to suspect that anything other than standard business communications is going on. They are also highly targeted, often to fewer than 10 recipients at a time, well below the threshold to be flagged as mass-distribution spam.

Some BEC attacks are based on spoofing email addresses and domains rather than gaining direct access. According to IC3’s latest BEC advisory, over $2bn in losses can be attributed to the exploitation of just two popular cloud-based email services. Recent research by Barracuda, using a sample of 1.5m spear-phishing emails, shows that 47% of all BEC attacks originated from a Gmail domain.
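The traits described above (no links or attachments, a handful of recipients, a trusted colleague's name, often a free webmail sender) explain why content filters stay silent while identity checks do not. The following is an added example, not part of the original post; the staff directory, domains, phrase list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical directory and word lists, constructed for this example.
STAFF = {"jessica alvarez": "jessica.alvarez@example.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY = re.compile(r"urgent|when you have a second|before 5\s?pm|wire transfer", re.I)
LINK = re.compile(r"https?://", re.I)
MASS_MAIL_THRESHOLD = 10  # recipient count treated as bulk mail (assumed)

def _body(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)

def content_filter_flags(raw):
    # What a link/attachment/volume-based filter has to work with.
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    flags = []
    if LINK.search(_body(msg)):
        flags.append("link")
    if any(p.get_filename() for p in msg.walk()):
        flags.append("attachment")
    if len(rcpts) >= MASS_MAIL_THRESHOLD:
        flags.append("mass-mail")
    return flags

def identity_signals(raw):
    # Signals from who the message claims to be, not what it carries.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, signals = addr.lower(), []
    known = STAFF.get(name.strip().lower())
    if known and addr != known:
        signals.append("display-name-mismatch")
    if addr.rpartition("@")[2] in FREEMAIL:
        signals.append("freemail-sender")
    if URGENCY.search(_body(msg)):
        signals.append("urgency-language")
    return signals

# Constructed sample messages (not real mail).
SPOOFED = ("From: Jessica Alvarez <jessica.alvarez.cfo@gmail.com>\n"
           "To: sam@example.com\nSubject: Quick favour\n\n"
           "Let me know when you have a second, I need you to do something for me urgently.\n")
GENUINE = ("From: Jessica Alvarez <jessica.alvarez@example.com>\n"
           "To: sam@example.com\nSubject: Q3 budget\n\n"
           "The draft is in the shared folder for review next week.\n")
```

On the constructed spoofed message the content filter returns nothing, while the identity check reports a display-name mismatch, a free webmail sender and urgency language; the genuine message is clean on both.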

Using threat intelligence to close down BEC threats

To get on the front foot in the fight against BEC, organizations must deploy a range of measures that detect and disrupt the exploitation of stolen credentials, mitigate the risks associated with domain spoofing, and inform the proactive investigation of specific BEC threats to improve security posture and training. All rely upon threat intelligence in the following ways:

Retrieve compromised credentials in real time: Blueliv’s Credentials module can detect in real time where user credentials belonging to employees, customers and third-party suppliers have been exploited by malware and botnets, or exposed through data leaks. By proactively scouring the open, deep and dark web for stolen passwords – using sinkholes, honeypots, crawlers, sensors and other data sources – important information can be converted into actionable intelligence, enabling administrators to update passwords internally or notify customers to do the same, before the compromised credentials can be monetized.

Use domain protection against phishing: Prevent your domains being exploited for BEC purposes by uncovering fraudulent domains, social accounts and mobile apps. Blueliv’s Domain Protection module does exactly that, thereby removing the opportunity for attackers to launch targeted phishing campaigns, pose as staff or cybersquat on your brand assets.

Close down and learn from unique BEC threats: Be better protected against BEC attacks uniquely affecting your organization and others like it by deriving meaningful, contextual intelligence from the collection and analysis of continuously updated information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. Threat Context from Blueliv is the tool for this job, providing vital insights to support you in conducting red-teaming exercises and developing training materials based on real threat scenarios, to both reduce the probability of social engineering attacks penetrating your defenses and boost your incident response.


Even traditional email security vendors now advocate the greater use of intelligence in countering these advanced threats, though their fixation lies solely with ‘machine learning’ and ‘artificial intelligence’ rather than the application of human experience and analysis in combination with these new technologies.

BEC attacks are a real problem for organizations of all sizes and in all sectors, and the optimum response is to deploy a range of measures to combat the problem. Ultimately, you need to address the supply of compromised credentials, and the only way to do that is through a modular threat intelligence solution that leverages machine automation to manage the sheer scale of information in real time, with intelligent, contextual insights informed by a highly skilled and experienced analyst team.

Visit the dedicated Blueliv blog library on Credential Theft to explore the many facets of this form of threat intelligence, learn more about the latest exploits and inform your next strategic move to combat compromised credentials.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Ariadna Miret. Read the original post at: