
Flashpoint warns of under-the-radar phishing campaigns

Simple but hard-to-detect phishing campaigns are targeting all industry sectors as a key enabler of business email compromise attacks, security analysts warn

Business email compromise (BEC) is an increasingly popular method for cyber criminals looking to trick employees into sending them money or confidential information.

Typically, attackers compromise the email accounts of top-level executives and then use email-based social engineering techniques to get accountants to carry out money transfers to criminal-held accounts.

The same technique, also known as CEO fraud or whaling, is used to trick employees into sending out confidential information, and in March 2017, a report revealed the use of fake or compromised email accounts to steal information increased by 39% in the last three months of 2016.

According to the FBI, thieves stole nearly $750m in such scams from more than 7,000 firms in the US between October 2013 and August 2015, security author Brian Krebs wrote in an August 2015 blog post.

In 2017, from 28 March to 8 August, threat actors sent 73 malicious PDF documents containing links that redirected victims to credential-harvesting phishing sites, warn security analysts at Flashpoint.

Because the campaign stole email credentials with nothing more than a linked PDF and a phishing page, rather than with malware, its simplicity gave it a low detection rate, the analysts said.

The malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organisations, real estate firms and churches.
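The campaign's whole payload is a link inside a PDF, so the cheapest triage step is to list every outbound link a PDF carries before anyone opens it. The Python below is an added example, not Flashpoint's tooling or anything taken from its report: it builds a small constructed PDF in memory containing two link annotations (the hostnames are placeholders, not indicators from the campaign), pulls every /URI action out of the raw bytes, and flags targets that fail a trusted-host allowlist the analyst supplies (the allowlist is an assumption for illustration). It only sees uncompressed objects; a PDF that hides its annotations inside compressed object streams needs a full parser such as pikepdf or pdfminer.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal single-page PDF with two link annotations,
# one literal-string URI and one hex-string URI. Hostnames are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.com/invoice.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI <687474703a2f2f6c6f67696e2d6d61696c2e6578616d706c652e6e65742f3f7569643d3432> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI key followed by a literal string "(...)" or a hex string "<...>".
# Literal strings may contain backslash-escaped parentheses. Balanced unescaped
# nested parentheses and indirect references ("/URI 6 0 R") are not handled.
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal or hex string token into text (latin-1, as PDFDocEncoding is ASCII-compatible)."""
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s+", b"", tok[1:-1])
        if len(hexdigits) % 2:  # the spec pads an odd trailing digit with 0
            hexdigits += b"0"
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body = tok[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\" and i + 1 < len(body):
            m = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])  # octal escape \ddd
            if m:
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
                continue
            nxt = body[i + 1:i + 2]
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        out += c
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in uncompressed objects, in file order."""
    return [_decode_pdf_string(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def triage(pdf_bytes: bytes, trusted_hosts: set[str]) -> list[tuple[str, list[str]]]:
    """Flag links whose scheme, host or query string does not fit a document that claims to be benign.

    trusted_hosts is an analyst-supplied allowlist (assumption for this example)."""
    findings = []
    for url in extract_uris(pdf_bytes):
        parts = urlparse(url)
        reasons = []
        if parts.scheme != "https":
            reasons.append(f"non-https scheme {parts.scheme!r}")
        host = (parts.hostname or "").lower()
        if host not in trusted_hosts:
            reasons.append(f"host {host!r} not in trusted list")
        if parts.query:
            reasons.append("carries a query string (possible per-target tracking token)")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, why in triage(SAMPLE_PDF, {"example.com"}):
        print(url, "->", "; ".join(why))
```

Run against a real sample, feed the file's bytes to `triage` with the hosts the sender would legitimately link to; anything flagged is a candidate for a sandboxed visit and for blocking at the web proxy, and the hex-string case matters because a link encoded that way does not show up in a naive `grep http`.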


Once credentials were harvested, the attackers used the compromised email accounts to send phishing emails to the victims’ contacts; because those messages came from legitimate accounts, email services may have treated them as “trusted”, said Ronnie Tokazowski, senior analyst at Flashpoint.

“This practice helps threat actors committing BEC to gain a better foothold into target organisations, and allows them to potentially breach additional organisations,” he wrote in a blog post.

“Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information,” he said.

Analysts assess with moderate to high confidence that the attacks are being carried out by actors located in western Africa, based on the originating IP addresses of the phishing emails and on the actors’ tactics, techniques and procedures (TTPs): a focus on credential phishing, relatively minimal use of malware, and a lack of operational security (OPSEC) practices.

While BEC actors operating out of western Africa are broadly considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5bn in fraud in the past three years, according to the FBI.

In comparison, ransomware was projected to be a $1bn industry in 2016, and Europol estimated that the now-defunct AlphaBay Market was responsible for almost $1bn in business between its creation in 2014 and its closure in July 2017.

BEC actors and cyber criminals located in West Africa typically do not make significant efforts to enhance their OPSEC practices or conceal their locations, according to Tokazowski. “However, they are still largely successful in stealing billions of dollars from publicly traded and high-profile organisations each year.”
