$2.3 billion stolen from 17,642 victims in at least 79 countries. These are the current figures, covering 2013 to 2015, for the growing scourge known as business email compromise (BEC). It is a version of highly targeted spear-phishing aimed not at stealing credentials but at directly stealing money – and it has proven to be highly effective.
The basic concept is worryingly simple. An attacker poses as a company executive and sends an email to the finance department. That email requests that funds be transferred to a specified account, which is in fact the attacker’s account. To some degree it relies on social engineering and knowledge of the company, all of which is easily found on social networks. If a company is currently expanding into a new geographical region, and the names of the CEO and CFO are known and used, then funds transfers to that region would not be unexpected.
Trend Micro has analyzed the spoofed sender and the receiver in CEO frauds. The most popular ‘sender’ is the CEO at 31%, followed by the President at 17%. The most popular recipient is the CFO at just over 40%, followed by the director of finance at just under 10%. The email titles are generally simple, in keeping with what might be expected from a busy executive: ‘Transfer’, ‘Urgent’ or ‘Request’ are common.
This is the basic CEO fraud (also known as the ‘fraude au président’ in parts of Europe because of its particular success in France). Trend Micro includes two further variants, which it defines as ‘bogus invoice scheme’ and ‘account compromise’. In both of these scams an employee’s email account is first compromised. In the former, usually involving a company with foreign customers, the attacker asks the customer to make payments into a new bank account – the attacker’s. In the latter, bogus invoices are sent to multiple customers found on the compromised employee’s contacts list.
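The basic CEO-fraud pattern described above (an executive’s display name on mail from an outside address, a terse ‘Urgent’ or ‘Transfer’ subject, addressed to finance) can be scored at the mail gateway before it reaches the CFO. This is an added example, not code from the article or from Trend Micro’s analysis; the company domain, executive roster, finance mailboxes, keyword list and both sample messages are constructed assumptions.

```python
"""Score an inbound message for the basic CEO-fraud pattern: an executive's
display name on mail from outside the company, a Reply-To pointing elsewhere,
and a terse urgent subject addressed to finance."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed, not from the article): the company domain,
# its executive roster, the finance mailboxes and the subject keywords.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "President"}
FINANCE_RECIPIENTS = {"cfo@example.com", "finance.director@example.com"}
URGENT_WORDS = {"transfer", "urgent", "request", "payment", "wire"}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def score_message(raw: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]}; two or more indicators flag it."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))  # defaults to From
    _, to_addr = parseaddr(msg.get("To", ""))
    subject_words = set(msg.get("Subject", "").lower().split())
    reasons = []
    role = EXECUTIVES.get(" ".join(from_name.lower().split()))
    if role and _domain(from_addr) != COMPANY_DOMAIN:
        reasons.append(f"{role} display name on external domain {_domain(from_addr)}")
    if _domain(reply_addr) != _domain(from_addr):
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From")
    if (to_addr.lower() in FINANCE_RECIPIENTS and subject_words & URGENT_WORDS
            and len(subject_words) <= 3):
        reasons.append(f"terse urgent subject to finance: {sorted(subject_words)}")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}

# Constructed samples: a lookalike-domain spoof and a genuine internal message.
SPOOFED_SAMPLE = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.office@freemail.example>
To: cfo@example.com
Subject: Urgent

Please process the attached transfer today and confirm when done.
"""
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 board deck review

Comments on the deck attached, no rush.
"""
```

The spoofed sample trips all three indicators, while the genuine executive mail from the company domain trips none.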
The CEO fraud does not necessarily require the use of malware, but can rely entirely on the social engineering within the spoofed email. The other variants require that a relevant employee’s email account is first compromised. Trend Micro has analyzed the known scams, and has concluded, “Most malware used in BEC schemes are off-the-shelf variants, ones that can be easily purchased online for a cheap price. Some malware can be bought for as much as $50, while some are far cheaper, or even available for free.”
Any malware that includes a key logger can simply record email passwords as they are typed, or the malware could access the passwords in browser stores. “We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass,” comments Rapid7’s security research manager, Tod Beardsley. “It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”
The solutions to CEO fraud are simple and obvious, but are clearly not working effectively. Technology can be used to lessen the chance of malware infection and to scan outgoing emails. Technology alone, however, is never enough, and won’t stop scams based on social engineering. Here simulated phishing campaigns have proved very effective in raising employee security awareness. Some training campaigns have hesitated to ‘phish’ the C-Suite. BEC scams suggest that all employees, from the newest recruit to the CEO himself, should undergo staff awareness training – including simulated phishing.