Ransomware Data Theft Epidemic Fuelling BEC Attacks

A surge in corporate data stolen by ransomware gangs is inundating the cybercrime underground with exactly the sort of information fraudsters need to launch convincing business email compromise (BEC) attacks, according to Accenture.

Between July 2021 and July 2022, Accenture’s Cyber Threat Intelligence team (ACTI) claimed in a new report to have observed over 4000 corporate and government victims whose data was posted to the leak sites of the 20 most active groups.

This consists mainly of financial data, personal employee and client information, and communication documentation.

Such information can be used to good effect in the early social engineering and reconnaissance stages of a BEC attack, which Accenture claims are “the most important and traditionally the most difficult” part of a campaign.

“A threat actor can increase the likelihood that a social engineering ploy will succeed by determining a target’s internal language, such as company-specific acronyms and phrases, allowing threat actors to avoid use of non-standard company language, a tell-tale sign of fraud,” it explained.

“Dedicated leak site data further reduces the likelihood of a target discovering a social engineering ploy by allowing actors to better adhere to internal organizational pathways. For example, it facilitates following typical, anticipated communication channels and command chains.”

Threat actors can also use the stolen data to improve the timing of their attacks, by launching them “during acquisitions or vendor contract renewals, while traveling, or when other information is available only through insider knowledge,” Accenture claimed.

Data stolen by ransomware actors may also include invoices, which will help BEC scammers make their money transfer requests look more legitimate. Plus, compromised corporate credentials make account hijacking even easier, adding further legitimacy to BEC attempts.

The bad news is that the data exfiltrated by ransomware groups is increasingly being made available to potential buyers in a user-friendly format, further reducing barriers to its use.

“ACTI assesses that the utility of dedicated leak site data has historically been limited by the difficulty of interacting with large quantities of poorly stored data. This has been cumbersome, time-consuming, and costly for actors, thereby creating a natural barrier for widespread abuse of the data, until now,” Accenture said.

“ACTI found that several groups are making their dedicated leak site data more accessible by moving away from Tor domains and toward publicly accessible sites. Moreover, sites like ALPHV and Industrial Spy offer searchable indexed data, including sensitive data such as employee personally identifiable information and financial data. Because it facilitates and speeds access, this searchability is enormously beneficial to malicious actors seeking to weaponize data for secondary attacks.”
