On 10 March, Silicon Valley Bank (SVB) – a popular institution for the venture capital community in the Bay area – failed when venture capitalists (VCs) quickly started to pull money out of the 40-year-old bank, causing federal regulators to step in and shut its doors before more damage could be done. As investors and CEOs scramble to make sense of the situation, many are looking for alternative locations to store and manage their personal and company’s money ASAP. We understand that in this pressure-filled moment, many will likely take shortcuts and quickly share sensitive information on unsecured platforms, leaving malicious threat actors to take advantage through techniques like business e-mail compromise (BEC).
Currently, vendors are rushing to open new accounts to receive payments and scrambling to update ALL payment details for their customers so that new receivables go to the new bank account rather than the now-defunct SVB account. These account details are being sent insecurely over e-mail and as attached PDFs, and the recipients are operating with urgency to get money transferred ASAP. Because of this emergency, customers are transferring substantial amounts of money into these new accounts, leaving both company and customer vulnerable to malicious activity during the process. These are the perfect conditions for threat actors to steal several million dollars (and perhaps much more!).
What is Business E-mail Compromise (BEC)?
Threat actors commonly leverage e-mail access to conduct business accounting fraud, conduct highly targeted phishing attacks, gain access to sensitive information, and induce trusting coworkers to perform actions on their behalf. BEC is a scam targeting both businesses and individuals performing transfers of funds, according to the US Federal Bureau of Investigation (FBI). It is commonly carried out when a threat actor compromises legitimate business e-mail accounts through social engineering or computer intrusion tactics, techniques, and procedures (TTPs) to conduct unauthorized transfers of funds. In 2021 alone, BEC scams resulted in nearly 20,000 complaints and a loss of $2.4 billion. For example, threat actors have targeted the mortgage industry, specifically the home buying/refinancing workflows, whose employees use e-mail for nearly all transactions and are usually overworked and undertrained in cybersecurity issues such as BEC.
Data Theft – threat actors target the HR department and steal company information.
CEO Fraud – threat actors spoof or hack into a CEO’s e-mail account, then e-mail employees instructions to make a purchase or send money.
Account Compromise – threat actors use phishing or malware to get access to a finance employee’s e-mail account. Then the scammer e-mails the company’s suppliers fake invoices that request payment to a fraudulent account.
False Invoice Scheme – threat actors may pose as a legitimate vendor and will send a fake invoice to be paid.
Lawyer Impersonation – threat actors gain unauthorized access to an e-mail account at a law firm. Then they e-mail clients an invoice or link to pay online.
In addition to social engineering TTPs, threat actors can also use legitimate credentials to access business e-mail within an organization to impersonate targets and garner sensitive information over insecure/unencrypted e-mail correspondence.
We know that threat actors exploit credential requirements in many ways; they can:
Take advantage of weak password strength requirements or weak account lockout thresholds
Capture and then crack hashes
Take advantage of accounts that reuse compromised credentials
Use the default credentials that remain unchanged in a variety of web applications and systems processes
Threat actors often do not need sophisticated hacking tools and techniques to gain access to business e-mail and networks; combined with social engineering, threat actors don’t “hack” in, they log in with legitimate user credentials.
How does BEC work?
BEC allows threat actors to read, send, and receive e-mails under the guise of that user or many users at once. Threat actors frequently seek out their targets through open-source research like a company website or professional social media platforms such as LinkedIn to figure out whose identity they can use in the scam. Once the threat actor gains initial access, they will determine their target based on who is able to send and/or receive money (threat actors generally seek out a junior employee who is responsible for entering the numbers into a bank’s portal). In a subsequent e-mail conversation, the threat actor will impersonate one of the parties by spoofing the e-mail domain, then try to win their target’s trust and ask them to send money, gift cards, or information. These e-mails usually contain an attached PDF with wire instructions and are often followed by a second e-mail that says, “Sorry, use these account and routing numbers instead.”
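The “Sorry, use these account and routing numbers instead” follow-up, a sender domain that is one character off from a real vendor, and a Reply-To that points somewhere else are all things an accounts-payable mail filter can score before a human acts on them. The script below is an added example, not Horizon3.ai’s code or any product feature; the vendor domains, sample messages, regexes and weights are constructed for illustration, and any message over the threshold is held for an out-of-band callback to the vendor’s previously known phone number rather than delivered.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional, Set, Tuple

# Constructed allow-list: domains of vendors that accounts payable has paid before.
KNOWN_VENDOR_DOMAINS: Set[str] = {"acme-supplies.example", "northwind.example"}

# Phrases that indicate a request to redirect where money is sent.
PAYMENT_CHANGE_PATTERNS = [
    r"\buse (these|the new|our new) .*?(account|routing|bank|wire)",
    r"\bnew (bank|banking|account|wire|payment) (details|instructions|information|account)",
    r"\bupdated? (our|the|your) (bank|banking|account|payment|remittance)",
    r"\brouting number",
]
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\basap\b", r"\bimmediately\b", r"\bright away\b"]


@dataclass
class Email:
    sender: str                 # address in the From header
    reply_to: Optional[str]     # address in the Reply-To header, if any
    subject: str
    body: str
    has_pdf_attachment: bool


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known: Set[str]) -> Optional[str]:
    """Return the known vendor domain this one nearly matches (e.g. one swapped
    character), or None if it is an exact match or not similar at all."""
    if domain in known:
        return None
    for candidate in known:
        if SequenceMatcher(None, domain, candidate).ratio() >= 0.8:
            return candidate
    return None


def score_email(msg: Email) -> Tuple[int, List[str]]:
    """Score a message for BEC payment-redirection risk; higher is riskier."""
    score, reasons = 0, []
    from_domain = sender_domain(msg.sender)

    twin = lookalike_of(from_domain, KNOWN_VENDOR_DOMAINS)
    if twin:
        score += 3
        reasons.append(f"sender domain {from_domain} resembles known vendor {twin}")

    if msg.reply_to and sender_domain(msg.reply_to) != from_domain:
        score += 2
        reasons.append("Reply-To points at a different domain than the sender")

    text = f"{msg.subject}\n{msg.body}"
    if any(re.search(p, text, re.I) for p in PAYMENT_CHANGE_PATTERNS):
        score += 3
        reasons.append("requests a change of bank/payment details")
        if msg.has_pdf_attachment:
            score += 1
            reasons.append("payment change arrives as an attached PDF")

    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        score += 1
        reasons.append("uses urgency language")
    return score, reasons


def triage(msg: Email, threshold: int = 5) -> str:
    """Route the message: hold it for a callback to the vendor's known phone
    number, or deliver it to the mailbox."""
    score, _ = score_email(msg)
    return "HOLD_FOR_CALLBACK" if score >= threshold else "DELIVER"


# Constructed sample messages (not real correspondence).
FOLLOW_UP = Email(
    sender="ap@acme-supp1ies.example",   # 'l' swapped for '1'
    reply_to=None,
    subject="Re: Invoice 4471",
    body="Sorry, use these account and routing numbers instead. Details in the PDF.",
    has_pdf_attachment=True,
)
ROUTINE_INVOICE = Email(
    sender="ap@acme-supplies.example",
    reply_to=None,
    subject="Invoice 4471",
    body="Please find the March invoice attached; terms are net 30 as usual.",
    has_pdf_attachment=True,
)

if __name__ == "__main__":
    for m in (FOLLOW_UP, ROUTINE_INVOICE):
        s, why = score_email(m)
        print(f"{m.sender}: score={s} -> {triage(m)}; {'; '.join(why)}")
```

The scoring is deliberately additive: a known vendor sending a routine invoice scores nothing, while a lookalike domain plus a payment-detail change plus a PDF clears the threshold on its own, which mirrors the exact pattern the paragraph describes. The hold action matters more than the score; the control that actually stops the transfer is the callback to a number on file, not the filter.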
Targets of BEC
Executives and leaders – details of these individuals are generally available on the company website.
Finance employees – these individuals have banking details, payment methods and account numbers readily available and are prime targets.
HR managers – these individuals typically retain sensitive employee data like social security numbers, tax statements, and contact information.
New or entry-level employees – typically these individuals will not be able to verify an e-mail’s legitimacy with the sender.
Why does this matter?
For all intents and purposes, a threat actor using credentials looks like a legitimate user. Coupled with the absence of malware, this type of attack is extremely difficult to detect.
Over the past 6 months, only 2.5% of Horizon3.ai customers experienced BEC in their environment with proof of exploitation. However, NodeZero successfully executed credential-based attacks over 6,000 times (out of the 34,000 times in which NodeZero successfully executed an attack compromising at least one host), and to significant effect. For more detail and recommendations regarding credential-based attacks, please see our Year in Review 2022 report.
For example, NodeZero was also able to execute a BEC on a large US-based security systems provider by successfully chaining the following weaknesses together (see NodeZero’s attack path below):
Credential Dumping of Security Account Manager (SAM) Database and Local Security Authority (LSA) Secrets
Azure Multi-Factor Authentication Disabled
Credential Reuse and cracked Weak or Default Credentials
In this case, NodeZero found that this privileged user had the same credentials for local admin and domain user on the company’s Azure account, and from the domain user account was able to pivot laterally for further access. MFA was not enabled, so NodeZero proceeded to gain access into their Azure cloud environment and then get into Outlook. With this valid domain account, NodeZero accessed 25 business e-mails, and as proof, NodeZero showed the customer the subject lines of the e-mails it was able to access.
From here, an attacker could log in legitimately as a company employee, create an e-mail, and send it to the customer base, and in the case of a banking collapse or change of accounting, could direct the customer to change their invoicing and remit payments for vendor services to the attacker’s personal account. Both the company and the customer lose money and trust.
What can we do about it?
Horizon3.ai recommends:
Require the use of multifactor authentication for logging into external environments and segmented networks when possible.
If you’re using Azure AD, you can enable Azure AD Password Protection to automatically ban well-known bad passwords.
Assess and analyze your employees’ passwords to ensure they meet your minimum requirements.
Institute password policies that include sophistication and length requirements as described in the latest recommendations from NIST Special Publication 800-63B. NOTE: Horizon3 recommends a minimum of 12 characters for users and more for privileged users, as several other companies do.
When creating a temporary password for a new user or a user that requires an account unlock, require the password to be used within a specific timeframe before the account becomes disabled.
Do NOT allow passwords that have been in previous breaches, or that are contextually based on the company name, the user’s personal name or login, or their role.
Implement a configuration management process that requires default credentials (including and especially empty, null, or “guest” defaults) to be changed before systems are deployed in a production environment.
Implement good access controls to include the principle of “least privilege.”
Disable the accounts of current or former employees who no longer require access.
Always verify that each of the above guidelines is implemented, enforced, and effective by attacking your teams, tools, and rules using NodeZero.
And lastly, increase employee training on basic cyber security, including the dangers of credential reuse and weak or easily guessed passwords, and the social engineering TTPs to look out for and avoid.
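Several of the recommendations above (the 12-character minimum, rejecting breached passwords, rejecting passwords built from the company name, the user’s name or login, or their role, and expiring temporary passwords) can be enforced in code at password-set time. The following is an added example, not Horizon3.ai’s code or part of NodeZero: the 16-character privileged minimum and the 24-hour temporary-password window are my assumed values (the article only says “more” and “a specific timeframe”), and the breach corpus is a constructed stand-in; in production the breach check would query a real corpus such as a k-anonymity range API.

```python
import hashlib
import re
from datetime import datetime, timedelta
from typing import List, Set

# Assumed policy values: the article recommends a 12-character minimum for
# users and "more" for privileged users; 16 and the 24-hour window are my choices.
MIN_LENGTH_USER = 12
MIN_LENGTH_PRIVILEGED = 16
TEMP_PASSWORD_MAX_AGE = timedelta(hours=24)

# Constructed stand-in for a breached-password corpus (store hashes, not plaintext).
_BREACHED = ["Password123!", "Welcome2023!", "Summer2022", "Letmein12345"]
BREACHED_SHA1: Set[str] = {hashlib.sha1(p.encode()).hexdigest() for p in _BREACHED}

# Common substitutions that cracking wordlists already undo ("Acm3C0rp" -> "acmecorp").
_LEET = str.maketrans("013457@$!", "oleastasi")


def context_terms(*sources: str) -> Set[str]:
    """Words of 3+ characters drawn from the company name, login, full name and role."""
    terms: Set[str] = set()
    for s in sources:
        terms.update(re.findall(r"[a-z0-9]{3,}", s.lower()))
    return terms


def evaluate_password(password: str, *, company: str, username: str,
                      full_name: str, role: str, privileged: bool = False) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures: List[str] = []
    min_len = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_USER
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")

    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("appears in a known breach corpus")

    lowered = password.lower()
    normalised = lowered.translate(_LEET)
    for term in sorted(context_terms(company, username, full_name, role)):
        if term in lowered or term in normalised:
            failures.append(f"contains contextual term '{term}'")

    if re.search(r"(.)\1{3,}", password):
        failures.append("contains a run of four or more repeated characters")
    return failures


def temp_password_expired(issued_at: datetime, now: datetime) -> bool:
    """A temporary or unlock password must be used within the window; afterwards
    the account should be disabled rather than left waiting on a stale secret."""
    return now - issued_at > TEMP_PASSWORD_MAX_AGE


if __name__ == "__main__":
    ctx = dict(company="Acme Corp", username="jdoe", full_name="Jane Doe", role="Accounts Payable")
    for candidate in ("Acm3C0rp-Payable!", "Password123!", "mauve-kettle-orbits-quietly"):
        print(candidate, "->", evaluate_password(candidate, **ctx) or "OK")
```

The contextual check runs against both the lowercased password and a leetspeak-normalised copy, so “Acm3C0rp” is still recognised as the company name; the length check is the only rule that differs between ordinary and privileged accounts, which keeps the policy easy to explain to users.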
How can NodeZero help you?
Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.