Sophisticated zero-day attacks may be a cyber-criminal’s first weapon of choice in the movies, but in real life, an email or a phone call can often be enough to get the information you need. Social engineering, the art of manipulating people to achieve your goals, has long been a mainstay in the hacker’s arsenal. Now, cyber-criminals are applying the concept to surgically extract money from companies as part of a technique called business email compromise (BEC). In a BEC attack, a criminal sends an email impersonating a senior company executive. The mail, sent to someone with access to a company’s financial accounts, demands that they solve an urgent business problem by sending a third-party payment. When the panicked employee sends the payment, supposedly to a supplier or service company, it actually goes straight into the attacker’s account. “One of the primary reasons BEC attacks have become such a growing problem is because the skill level needed to execute them is low and the return for successful attacks is significant,” says Crane Hassold, senior director of threat research at Agari, which sells AI-based email protection solutions. Just how successful are these attacks? The FBI counted global losses exceeding $12.5bn between October 2013 and May 2018, from nearly 80,000 reported cases worldwide.

Why Now?

BECs may have grown over the last few years, but the first email was sent in 1971 and most people were using email to do business by the early 2000s. So why has it become a phenomenon now? “Social media has played a big part,” says Dr Jessica Barker, co-founder of UK security consulting firm Cygenta. Sites like LinkedIn, Twitter and Facebook have enabled attackers to research their targets and understand their relationships and the way that they communicate, she adds. The rise in cryptocurrency has also made money laundering and fast international transfer far easier, according to Justin Forbes, penetration testing lead in the CERT division of Carnegie Mellon University’s Software Engineering Institute. “Wire transfer is still what I’m seeing as the primary vector to get money out,” he says. “Cryptocurrency has enabled the ability to move things a lot faster afterwards.” There are several levels of BEC attack. The least sophisticated is a simple email impersonation attack, in which criminals send emails impersonating a C-suite executive from the wrong address. Such addresses often sit on a common consumer domain such as Gmail, yet they can be highly effective, because the attacker can pretend to be an executive sending from a personal email address, says Lance Spitzner, director of the Securing the Human awareness training operation at SANS. “There’s a tremendous sense of urgency, and the bad guys are trying to pressure or intimidate you, and rush you into making some kind of mistake,” he says. “They will usually keep the email message short and to the point, to avoid making any mistakes and to heighten the sense that the executive is rushed for time,” he adds. If someone queries the request, “the person will email back and say ‘I’m sorry, but I’m getting on the train – you have to process this right now.’”

Hot States & Impulsive Acts

Using psychological tricks to manipulate someone’s behavior is a key technique in social engineering. Barker draws on a behavioral economics theory when describing two sides to the brain: the cognitive side, which thinks things through carefully before acting, and the impulsive side, which is driven by feelings and mood. The social engineer uses a series of techniques to trigger that latter behavioral mechanism. “If you flatter someone, if you tempt someone, if you make someone curious or angry, if someone is tired or stressed, they’re more likely to be in that hot state where they act rather than think,” she explains. The likelihood of a successful attack increases when that hot state is combined with a convincing story. Forbes identifies a more sophisticated attack that compromises the victim’s business email account. Attackers often use credential stuffing techniques here, trawling publicly available dumps of compromised emails and passwords. When they find a match with a business email address, they will try logging into the executive’s email account using the dumped password. If the executive reused their password, they may score a hit. “Then they’ll compromise that user’s email account and send a request to transfer money to a bank account that they control,” he says. As the request arrives from the executive’s legitimate email address, it won’t trigger any phishing alerts. Then there are malware infections that also happen to include a BEC attack as part of their payload. These infections, delivered via conventional methods such as spear phishing and infected attachments, can launch a range of attacks including remote access tools and keyboard loggers. Forbes has also seen them include a particularly sneaky attack that uses malware to set automatic rules in a victim’s email account. “If they know they’re commonly sending a specific routing number and bank ID, they’ll set a rule to auto-replace that,” he says. When the user enters the details of a legitimate payment transfer, the rule switches them to the attacker’s account details, effectively rerouting payments at the source.
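A defender-side screening heuristic for the two cases described above (an executive's display name on an outside mailbox with urgency and a payment request, and a payment request arriving from a genuine but possibly compromised address), written as an added example rather than code from the article or from any vendor quoted in it. The corporate domain, executive list, indicator wordlists and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample data for this added example (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox

URGENCY = re.compile(r"\b(urgent|asap|right now|immediately|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|routing number|bank)\b", re.I)

def indicators(msg):
    """Return the BEC indicators found in a message dict with
    'from', 'reply_to', 'subject' and 'body' keys."""
    found = []
    name, addr = parseaddr(msg["from"])
    name_key, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # Display-name impersonation: an executive's name on a mailbox that is not theirs,
    # typically a consumer domain passed off as the executive's "personal" account.
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        found.append("impersonation:%s" % addr)
    if name_key in EXECUTIVES and domain != CORPORATE_DOMAIN:
        found.append("external-domain:%s" % domain)
    # A Reply-To that differs from the sender quietly redirects the thread.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.lower() != addr:
        found.append("reply-to-mismatch")
    text = msg["subject"] + " " + msg["body"]
    if URGENCY.search(text):
        found.append("urgency")
    if PAYMENT.search(text):
        found.append("payment-request")
    if len(msg["body"].split()) < 40:   # short, to-the-point messages are typical
        found.append("short-body")
    return found

def triage(msg):
    """Spoofed sender -> block. A payment request from the genuine address still
    goes to out-of-band verification: a compromised account passes header checks."""
    found = indicators(msg)
    if any(i.startswith(("impersonation", "external-domain", "reply-to")) for i in found):
        return "block"
    if "payment-request" in found:
        return "verify-out-of-band"
    return "ok"

SPOOFED = {"from": "Jane Doe <janedoe.ceo@gmail.com>", "reply_to": "",
           "subject": "Urgent wire needed",
           "body": "Getting on the train, please send the payment to the new supplier right now."}
COMPROMISED = {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
               "subject": "Supplier invoice",
               "body": "Please transfer the attached invoice today, I will explain later."}
BENIGN = {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
          "subject": "Lunch", "body": "Are you free at noon?"}
```

Run `triage()` over each sample to see the spoofed mail blocked, the compromised-account mail routed to a phone call back to the executive, and the benign mail passed.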

