SecurityWeek


Microsoft: BEC Scammers Use Residential IPs to Evade Detection

BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.

Cybercriminals are using residential IP addresses in business email compromise (BEC) attacks to make them seem locally generated and evade detection, Microsoft says.

The number of reported BEC attacks is constantly increasing: the Federal Bureau of Investigation (FBI) received close to 22,000 BEC complaints in 2022, with losses totaling over $2.7 billion.

As part of a BEC attack, cybercriminals use compromised or spoofed email addresses to send fraudulent requests for wire transfers to employees in charge of making or authorizing payments. The fraudsters request payments to be made to bank accounts they control.

One of the latest tactics that BEC scammers have adopted involves purchasing, from residential IP services, IP addresses that match the location of their victim, which allows them to mask the origin of their login attempts.

“Armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks,” Microsoft explains.

‘Impossible travel’ detection flags activity when a task is performed at two locations in a shorter amount of time than that required to travel from one location to the other.
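The check described above, and the way a sign-in from a residential IP near the victim passes it, as an added example (not code from Microsoft or the original article). The thresholds, field names and sign-in records are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed threshold, roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed floor, ignores IP-geolocation jitter inside one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):
    """Return (previous, current) sign-in pairs per user whose implied speed is implausible."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # Zero elapsed time over a real distance is also impossible.
        if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
            flagged.append((prev, ev))
    return flagged

def signin(user, hhmm, ip, lat, lon):
    """Build one constructed sign-in record (the date is fixed for the sample)."""
    t = datetime.strptime("2023-05-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"user": user, "time": t, "ip": ip, "lat": lat, "lon": lon}

# Constructed sample data; all IPs come from documentation ranges.
LEGIT = signin("alice", "09:00", "192.0.2.10", 41.88, -87.63)  # user's usual city
# Second sign-in geolocates to another continent 30 minutes later.
DIRECT = [LEGIT, signin("alice", "09:30", "203.0.113.7", 35.68, 139.69)]
# Same 30-minute gap, but the source IP geolocates about 20 km from the user.
PROXIED = [LEGIT, signin("alice", "09:30", "198.51.100.23", 42.05, -87.69)]

if __name__ == "__main__":
    print("distant sign-in flagged:", len(impossible_travel(DIRECT)))
    print("locally matched sign-in flagged:", len(impossible_travel(PROXIED)))
```

The second case produces no alert because the check only sees where the IP geolocates, which is why the article's advice on strong authentication matters alongside location-based detection.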

“Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks,” Microsoft notes.

The tech giant has observed BEC scammers in Asia and an Eastern European country frequently using this tactic.


The threat actors use phishing-as-a-service offerings to obtain login credentials, including BulletProftLink, which uses Internet Computer public blockchain nodes for the hosting of phishing and BEC sites, making takedown more difficult.

Organizations are advised to set specific email rules to block messages from outside parties, implement strong authentication methods, train employees to spot fraudulent emails, use secure email solutions, and implement domain-based message authentication, reporting, and conformance (DMARC) policies to protect against spoofed emails.

“Threat actors’ BEC attempts can take many forms – including phone calls, text messages, emails, or social media messages. Spoofing authentication request messages and impersonating individuals and companies are also common tactics,” Microsoft notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
