2021-09-01

One of the most damaging forms of cybercrime is also one that requires very little technical knowledge.

Business email compromise, or BEC for short, cost U.S. businesses $1.8 billion in losses in 2020, accounting for 43% of all cybercrime losses for the year. Yet despite the low bar to entry, actors involved in BEC have a very limited presence in the cybercrime underground, especially compared to actors carrying out more popular forms of cybercrime.

Despite that limited presence, Intel 471 has observed a number of actors using popular cybercrime forums to recruit or outsource functions related to BEC scams. Much like other forms of cybercrime, those behind BEC scams seek partnerships with people who have the skills to access organizational networks or run the social engineering schemes used to intercept wire transfers.

In February, a participant in a popular Russian-language cybercrime forum announced that he was looking for a team of native English speakers to handle the social engineering elements of BEC attacks after he had gained access to custom Microsoft Office 365 domains. In June, another actor on a different forum requested the same, posting help-wanted announcements that essentially outsourced the social engineering work behind BEC while the actor took care of the technical aspects.

Actors like the ones we have observed are looking for native English speakers because the North American and European markets are the main targets of these scams. Correct English is very important to these actors: they want to ensure that the messages they send to their victims, mainly high-level employees of an organization, do not raise any alarm bells.

Another skill that cybercrime actors seek to outsource is laundering the money stolen through BEC schemes so that it becomes untraceable and usable. Intel 471 observed a Russian-speaking actor place an ad on a cybercrime forum seeking to launder sums of up to $250,000 through a cryptocurrency tumbler, a service that mixes many transactions together and pays the money out to recipients in partial installments, making it much harder to trace. The six-figure sum suggested that the scams were targeting large companies.

While BEC-related activity has been limited in the cybercrime underground, the sporadic outsourcing solicitations have drawn out some actors linked to previous BEC scams in the past 60 days. A Nigeria-based actor who was linked to BEC scams in 2019 has resurfaced in recent months. He responded to several of the announcements described above and also posted several announcements of his own offering a BEC service and partnership. Several messages the actor posted on multiple cybercrime forums requested help in obtaining email database access and credentials from Italy and the United States, suggesting that he was in the reconnaissance phase of planning BEC attacks. In discussions seen by Intel 471 analysts, the actor claimed to have cashed out $100,000 per year from the BEC attacks he launched.

As a first line of defense, proper training for an organization’s email users is essential to neutralize the BEC threat. Knowing the techniques employed by threat actors and the key indicators that an email or sender is fraudulent or inauthentic can help reduce the threat of BEC.

To prevent potentially malicious emails from reaching employee inboxes, an email authentication protocol such as Domain-based Message Authentication, Reporting and Conformance (DMARC) can be implemented. Such protocols help differentiate legitimate, verified emails from fraudulent, unverified emails and spoofed domains, which can be used to launch a BEC campaign.

The BEC footprint on underground forums is not as large as that of other types of cybercrime, possibly because many operational elements of BEC rely on targeted social engineering tactics and fraudulent domains, which typically do not require the technical services or products offered in the underground. Many BEC attacks do not require access to the victim's network, use no malicious payload, and may simply use a spoofed email domain that differs by a single letter from the targeted company's. While it may not be as popular as credential theft or ransomware, the intelligence we have uncovered shows that criminals will use the underground for all types of schemes, as long as these forums remain a hotbed of skills that can earn criminals money.
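As an added example (not code from Intel 471 or this article), the following Python grades a published DMARC record by whether it actually enforces a policy, the point of the DMARC recommendation above, and flags sender domains that sit one character away from a protected domain, the "single letter different" lookalike pattern just described. The sample records and domain names are constructed, not real DNS data.

```python
from typing import Dict, List, Optional

# Added example (not Intel 471's code): grade how strongly a DMARC record blocks
# exact-domain spoofing, and flag sender domains one character away from a
# protected domain (the "single letter different" lookalikes described above).

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record: str) -> str:
    """p=reject/quarantine stop spoofed mail at the receiver; p=none only
    reports; pct below 100 applies the policy to a sample of messages."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"
    return policy if tags.get("pct", "100") == "100" else "partial-" + policy

def edit_distance_one(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def is_lookalike(sender_domain: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that a sender domain imitates, or None."""
    for domain in protected:
        if edit_distance_one(sender_domain.lower(), domain.lower()):
            return domain
    return None

# Constructed sample records (not any real organisation's DNS data).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=50",
}
```

In practice the record is fetched from the TXT record at `_dmarc.<domain>`, and a "monitor-only" or "partial" grade for your own domain means spoofed mail from it is still being delivered.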