Business email compromise (BEC) is the top cyber criminal trend identified by the latest cyber crime report by security firm Secureworks.
Victims’ losses related to such schemes increased by 2,370% between January 2015 and December 2016, according to figures released by the FBI.
As security awareness grows among companies and their employees, the report said it becomes more challenging for cyber criminals to trick victims into conducting fraudulent transactions, downloading malware or compromising sensitive data.
But this becomes substantially easier if threat actors can make employees believe their request is coming from a trusted colleague or boss, which is why BEC has become an increasingly popular technique used to defraud organisations.
Typically, the cyber criminals send emails to employees who have access to company funds through an email account closely resembling that of a company executive. The “executive” requests the employee to authorise a money transfer to a particular account, which is actually owned by the cyber criminals.
An alternative approach is to compromise the computer, email account or email server of the victim organisation to intercept, alter or initiate business transactions, including direct payments made on behalf of the victim organisation, with the money destined for financial accounts the criminals control.
Secureworks researchers believe these schemes will likely continue to grow in popularity due to their low barrier to entry and high payout potential.
According to the report, researchers at Secureworks tracked the activities of a criminal threat group that had successfully compromised email accounts of several non-client organisations by using commodity remote access Trojans (RATs).
The group then used their access to monitor each organisation’s communications regarding business transactions. Whenever payment details were relayed to the payer via an invoice, the group would use their access to alter the destination bank account details and route payments to their own account.
In one particular instance identified by the researchers, a US chemical company unknowingly wired $400,000 to a bank account controlled by the group.
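As an added example that is not part of the article or the Secureworks report, the following Python sketches two checks a mail or payments team could run against the two BEC patterns described above: a look-alike executive sender (the first pattern) and an invoice whose beneficiary account no longer matches the vendor on file (the second, which is what a group with mailbox access does when it alters an invoice). The company domain, executive names, vendor master record, homoglyph table and every header and account number it is exercised with are constructed for the example, and the edit-distance threshold is an assumption to tune locally.

```python
"""Two lightweight BEC controls (added example; constructed data throughout).

1. check_sender: flags a From header whose display name matches a known
   executive while the sending domain is external, or whose domain is a
   near-miss of the company domain (one or two edits away, or a homoglyph
   such as '0' for 'o').
2. check_payment: flags a payment whose destination account differs from
   the vendor master record, so an altered invoice is held for a call-back
   on a known-good number rather than paid.
"""
import re
import unicodedata

COMPANY_DOMAIN = "example-corp.com"            # assumption: the organisation's own domain
EXECUTIVES = {"jane doe", "john smith"}        # assumption: display names worth protecting
MAX_EDITS = 2                                  # assumption: how close a domain must be to count
# Substitutions attackers commonly use in look-alike domains (constructed, not exhaustive).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Constructed vendor master record: vendor id -> name and bank account on file.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Chemicals Ltd", "account": "GB29NWBK60161331926819"},
}

FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


def parse_from(header):
    """Split a From header value into (display name, address)."""
    m = FROM_RE.match(header)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return "", header.strip()


def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(s):
    """Strip accents and collapse common look-alike substitutions before comparing."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def check_sender(from_header):
    """Return the reasons a sender looks like executive impersonation (empty list = clean)."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if domain == COMPANY_DOMAIN:
        return reasons  # genuine internal domain; outright spoofing is SPF/DKIM/DMARC's job
    dist = levenshtein(fold_homoglyphs(domain), fold_homoglyphs(COMPANY_DOMAIN))
    if dist <= MAX_EDITS:
        reasons.append(f"look-alike domain {domain!r} ({dist} edit(s) from {COMPANY_DOMAIN})")
    if name.lower() in EXECUTIVES:
        reasons.append(f"display name {name!r} matches an executive but domain is external")
    return reasons


def check_payment(vendor_id, invoice_account):
    """Return None if the invoice account matches the master record, else a hold reason."""
    rec = VENDOR_MASTER.get(vendor_id)
    if rec is None:
        return f"unknown vendor {vendor_id}: hold for verification"
    if invoice_account.replace(" ", "").upper() != rec["account"]:
        return (f"beneficiary for {rec['name']} changed from {rec['account']} to "
                f"{invoice_account}: hold and verify by phone on a number already on file")
    return None


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example-corp.com>",
                "Jane Doe <jane.doe@example-c0rp.com>",
                "Jane Doe <ceo.jane@gmail.com>"):
        print(hdr, "->", check_sender(hdr) or "clean")
    print(check_payment("V-1001", "GB82WEST12345698765432"))
```

The sender check deliberately treats a genuine internal domain as clean, because header spoofing of your own domain is what SPF, DKIM and DMARC enforcement exist for; the look-alike and display-name checks cover the registered-domain and free-mail variants those standards do not. The payment check is only useful if the hold actually triggers a call-back on a number taken from the existing vendor record, never from the invoice or email that requested the change.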
The next most prominent cyber crime trend identified by the report is ransomware, which the report notes is a growing threat and continues to offer cyber criminals a high return on investment.
In 2016 alone, researchers at Secureworks saw 200 new ransomware variants – a 122% increase from the year before.
The departure of several venerable ransomware families during 2016 made it a year of upheaval, the report said.
After two years as the largest ransomware family by distribution, CryptoWall was withdrawn in February 2016. In May 2016, TeslaCrypt abruptly released decryption keys for the latest variants and ceased operation.
However, the report said CryptoWall and TeslaCrypt were soon replaced by two new major families, Cerber and Locky.
Cerber is sold openly through an affiliate program on semi-exclusive underground forums and became a popular replacement for CryptoWall, while Locky was the ransomware of choice for two of the larger operators of the Bugat v5 or Dridex banking botnets, and added additional affiliates throughout 2016.
The distribution of ransomware
In December 2016, Asprox’s operators began distributing Locky, and in early 2017, they began distributing Cerber.
Other new ransomware includes Troldesh (Shade), which was used to target the UK, and Stampado, which includes a “Russian Roulette” feature that deletes a random file from the victim’s computers every six hours if the ransom is not paid.
Arguably the most well-known ransomware attack to date, the report said, was the large-scale campaign of May 2017 delivering the WannaCry ransomware, also known as WCry and WannaCryptor, which attempted to spread to other vulnerable systems as a worm over Windows Server Message Block (SMB).
Even though the WannaCry outbreak was contained fairly quickly after a kill switch was discovered in its code, the report said it had a significant impact on a number of organisations running legacy systems, or systems that had not been patched against the SMBv1 vulnerability (MS17-010) it used to spread, including a number of systems in the NHS.
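Whatever the payload, an SMB worm of the kind described above leaves one behaviour in firewall or flow logs: a single host opening connections to TCP/445 on many hosts it has never talked to, in a short burst. As an added example that is not part of the article or the Secureworks report, the following Python counts distinct port-445 destinations per source in a sliding window and raises an alert when that fan-out crosses a threshold. The log lines are constructed, and their layout (timestamp, source, destination, destination port, action), the 60-second window and the threshold of 10 targets are assumptions rather than any product's defaults.

```python
"""Sliding-window fan-out detector for SMB worm behaviour (added example).

Blocked attempts count as much as allowed ones: a worm probing a segment
it cannot reach still announces itself through the denies.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: burst window to inspect
THRESHOLD = 10                   # assumption: distinct TCP/445 targets that trigger an alert
SMB_PORT = 445


def parse_line(line):
    """Parse the constructed '<iso-timestamp> <src> <dst> <dport> <action>' layout."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (time_of_alert, distinct_targets)} for sources that reached
    `threshold` distinct TCP/445 destinations within `window`. Lines must be
    in time order, as a log tail would be."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) still inside the window
    alerts = {}
    for line in lines:
        ts, src, dst, dport, _action = parse_line(line)
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = (ts, len(targets))  # report once per source, at first crossing
    return alerts


def build_sample_log():
    """Constructed sample: one worm-like host, one chatty but benign client, some web traffic."""
    base = datetime(2017, 5, 12, 10, 15, 0)
    lines = []
    # Worm-like host: 12 distinct SMB targets inside 30 seconds.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} "
                     f"10.0.1.23 10.0.1.{50 + i} 445 allow")
    # Ordinary client: hits the same file server 20 times; one target, no alert.
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} "
                     f"10.0.2.5 10.0.2.10 445 allow")
    # HTTPS to many hosts is ignored entirely because it is not SMB.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.0.3.7 93.184.216.{i} 443 allow")
    lines.sort()   # fixed-width ISO timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for src, (when, n) in detect_smb_fanout(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {src} reached {n} distinct SMB targets")
```

The benign client shows why the count is over distinct destinations rather than connections: a workstation reopening a file-server share every few seconds generates far more TCP/445 connections than a worm does, but to a single host. In a real deployment the threshold should sit above what backup agents, vulnerability scanners and management servers legitimately do, and those sources are better placed on an allow-list than used to raise the threshold for everyone.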
WannaCry is perhaps the most public ransomware outbreak to date, but the report points out that it is not an isolated event. Ransomware attacks have been rife in 2016 and 2017, due in part to the malware’s widespread availability and success at turning a profit for cyber criminals.
Banking and mobile malware significant threats
In addition to BEC and ransomware, the report highlights banking malware and mobile malware as significant threats in the past year.
According to the report, banking trojans and banking malware are hallmarks of organised cyber criminal groups, who use them to facilitate large-scale fraud across the globe. These attacks range from highly targeted intrusions mounted against high-value targets to massive banking trojan botnets, which provide a good return on investment through mass distribution, the report said.
Mobile ransomware is of increasing concern, with researchers noting large-scale attacks could be devastating to individual and corporate phone communications, while small-scale spyware infections would offer all manner of personal information to attackers.
The report notes that online crime is a market economy in which personal information is a popular commodity: tested and verified credit card data is available, in some cases for as little as between $10 and $20, and “fullz”, highly detailed personal information records, are offered for as low as $10.
The market is also highly adaptable to changes in its environment, such as technical improvements and law enforcement takedown operations, the report said, while malware as a service and the affordability of spam botnets ($200 per million messages) give cyber criminals a low barrier to entry.
Cyber crime as rife as ever
In conclusion, the report said it is clear that the cyber criminal world, including the internet underground, is alive and well, with creative developments in the way in which victims are being targeted.
For both organisations and individuals, the report said it is useful to understand the inner workings of the cyber criminal world and be aware of the threats targeting them, their money and their information.
Cyber criminals are working constantly to find innovative and efficient ways to steal information and money with the lowest risk to their personal freedom, the report said, and awareness of online criminal threats, techniques and markets is the best defence.