Business Email Compromise and Payroll Portal Hacks Are Surging, Beazley Warns
Beazley Breach Response Services, a unit of global insurance company Beazley, reports that nearly half of the more than 3,300 breaches it investigated last year traced to a hack attack or malware infection. And half of those hacking/malware attacks were tied to business email compromise schemes.
The rise of business email compromise – aka CEO fraud – has been well documented. By last July, global losses due to BEC attacks had reached at least $12.5 billion, the FBI warned.
David Stubley, who heads security testing firm and consultancy 7 Elements in Edinburgh, Scotland, says attackers increasingly target cloud-based email environments, including Office 365 email inboxes.
Many Office 365 rollouts fail to use multifactor authentication, which means attackers can attempt to gain access to a large number of accounts using credential-stuffing attacks or dictionary lists of weak passwords, he says. In addition, many firms fail to have logging in place so that they can ascertain how a breach began or what was stolen.
Beazley says one Office 365 breach that it investigated, for example, resulted in attackers accessing more than 100 employees’ inboxes. Subsequently, digital forensic investigators couldn’t rule out attackers having potentially downloaded everything in each of those mailboxes.
That created a data breach notification nightmare. “In order for counsel and the company to determine if there was an obligation to notify affected clients, 900,000 files were programmatically searched for [personally identifying information],” Beazley says. “The search hits required a document review of tens of thousands of files in order to identify affected individuals and create an address list. Ultimately, 60,000 clients or prospective clients were notified.”
The total cost of the breach was nearly $2 million in legal and review fees as well as $100,000 to notify the clients, backed by a call center, and to pay for credit monitoring services for victims.
Pivoting From Inboxes
BEC schemes have evolved into highly targeted attacks that often involve hackers gaining access to a legitimate email account and then using it to distribute a high volume of BEC lures.
“BBR Services regularly sees email compromise incidents involving multiple users, and sometimes over 100 users are compromised in a single, targeted phishing attack,” it says.
Some phishing attacks still try to trick recipients into sending money to attackers.
Attackers have become more adept at stealing larger amounts of money. “A few years ago, fraudulent transfers were typically under $15,000, but attackers have gotten far bolder,” with Beazley saying it’s seen fraudulent transfers that range from a few thousand dollars up to tens of millions of dollars.
Direct Deposits – for Hackers
Attackers often pivot from a hacked email account to other corporate services, including HR and payroll self-service portals, BBR Services warns.
“Attackers search the compromised inboxes to determine what portal the company uses, set up inbox forwarding rules to redirect any email from the portal directly to trash, reset the password for the portal if it wasn’t the same as for email, and then change the direct deposit to the attacker’s account,” BBR Services warns. “Oftentimes users would not realize for one, two or even three pay periods that they were not receiving paychecks.”
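A defender-side check for the inbox-rule trick described above, added here as an example and not part of the Beazley report or any vendor's tooling: it scans constructed audit records shaped loosely like Exchange Online inbox-rule events and flags rules that delete or hide mail from a payroll portal, or that forward mail out of the mailbox. The sample records, the PAYROLL_HINTS keyword list and the function names are assumptions.

```python
import json

# Constructed sample audit records (not real log data), loosely modelled on the
# shape of Exchange Online unified audit log entries for inbox-rule operations.
SAMPLE_AUDIT_LINES = [
    json.dumps({"UserId": "alice@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"UserId": "bob@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "From", "Value": "noreply@payroll-portal.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "carol@example.com", "Operation": "Set-InboxRule",
                "Parameters": [{"Name": "Name", "Value": "Backup"},
                               {"Name": "ForwardTo", "Value": "archive@external.example"}]}),
]

# Assumed keyword list for mail from the HR/payroll portal; tune to the portal in use.
PAYROLL_HINTS = ("payroll", "direct deposit", "hr portal", "paycheck")
HIDING_FOLDERS = ("deleted items", "junk email")

def rule_parameters(record):
    """Flatten an audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def is_suspicious_rule(record):
    """True for rules that hide portal mail (the tradecraft the article describes)
    or that forward mail out of the mailbox."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_parameters(record)
    hides = (params.get("DeleteMessage") == "True"
             or params.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    forwards = any(k in params for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"))
    match_text = " ".join(params.get(k, "") for k in
                          ("From", "SubjectContainsWords", "BodyContainsWords")).lower()
    targets_portal = any(hint in match_text for hint in PAYROLL_HINTS)
    return forwards or (hides and targets_portal)

def flag_suspicious_rules(lines):
    """Return (user, rule name) for each suspicious rule in JSON-lines audit input."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if is_suspicious_rule(rec):
            hits.append((rec["UserId"], rule_parameters(rec).get("Name", "?")))
    return hits
```

Rules named with a single punctuation character (as in the second record) are a common sign of an attacker trying to keep the rule inconspicuous, so the rule name is worth surfacing in the alert.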
Common Search Terms Used by Attackers Against a Compromised Account
Breaches Fuel Fraud
Regardless of how a company gets hacked, the resulting data breach can help fuel many different types of fraud.
For example, remote purchase – including card-not-present – fraud in the U.K. led to 2018 losses of £506 million ($670 million), says banking industry trade association UK Finance, which represents more than 250 British financial services firms.
“Intelligence suggests that this type of fraud results mainly from the criminal use of card details that have been obtained through data compromise, including third-party data breaches, phishing emails and scam text messages,” UK Finance says.
To help, the industry has put into place a new Banking Protocol, which UK Finance says offers a “rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place.”
Every British police force has access to the system, which in 2018 helped prevent £38 million ($50 million) in fraud and facilitated the arrest of 231 suspects.
UK Finance also sponsors a City of London Police unit, called the Dedicated Card and Payment Crime Unit, which pursues the organized crime groups who perpetrate financial fraud and scams. “In 2018, DCPCU prevented an estimated £94.5 million ($125 million) of fraud, secured 48 convictions and disrupted 11 organized crime groups,” UK Finance says.
Beazley, meanwhile, says banks are also becoming more adept at stopping fraud.
“One promising development over the past year has been the banks’ ability to freeze the transaction and return the funds if they are contacted quickly enough – within 24 to 48 hours – by the targeted organization,” it says.
Ransomware Pummels Healthcare Sector
Not all attacks, of course, just involve business email compromise or breaches that lead to fraud. Stubley at 7 Elements says that especially when advanced attackers are at work, they may conclude their intrusion into an organization’s network by crypto-locking files and demanding a ransom.
Of the breaches Beazley investigated in 2018, 9 percent involved ransomware, and of those attacks, 71 percent hit small and midsize organizations, Beazley warns. From a sector standpoint, meanwhile, one-third of all ransomware attacks it tracked hit the healthcare sector, followed by professional services and financial services (both accounting for 12 percent of all outbreaks), retail (8 percent), education (7 percent) and manufacturing and government (both 6 percent).
Ransomware remains easy for attackers to monetize. “Beazley found that the average ransomware demand in 2018 was more than $116,000, but this was skewed by some very large demands,” BBR Services says. “The median was $10,310. The highest demand received by a Beazley client was for $8.5 million – the equivalent of 3,000 bitcoins at the time.”
Organizations that do choose to pay, however, can sometimes bargain down their attackers.
Security experts and law enforcement agencies, however, recommend that whenever possible, organizations put sufficient defenses in place – including maintaining up-to-date and disconnected backups – that will allow them to wipe and restore affected systems, rather than having to consider paying a ransom.
Date: April 02, 2019