One of the most damaging forms of cybercrime is also one that requires very little technical knowledge to pull off.
Business email compromise, or BEC for short, cost U.S. companies $1.8 billion in losses in 2020, representing 43 percent of all cybercrime losses for the year. Yet despite the low bar of entry, actors involved in BEC have a very limited presence on the cybercrime underground, especially in relation to actors conducting more popular forms of cybercriminal activity.
Scant interest notwithstanding, Intel 471 has observed a number of actors using popular cybercrime forums to recruit or outsource functions related to BEC scams. Much like other forms of cybercrime, those behind BEC scams seek partnerships with those that have the necessary skill set to access organizational networks or conduct social engineering schemes used to intercept wire transfers.
In February, an actor on a popular Russian-language cybercrime forum announced he was searching for a team of native English speakers for the social engineering elements of BEC attacks after they had obtained access to custom Microsoft Office 365 domains. Additionally, another actor on a different forum asked for the same thing in June, posting help wanted ads that essentially outsourced the social engineering work behind BEC, while the actor would take care of the related technical aspects.
Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams. The use of proper English is very important to these actors, as they want to ensure the messages they send to their victims — mainly high-level employees of an organization — do not raise any red flags.
Another skill actors on the cybercrime underground are looking to outsource is laundering the money stolen via BEC schemes so it becomes untraceable and usable. Intel 471 observed a Russian language actor place an ad on a cybercrime forum, looking to launder sums as large as $250,000 through a cryptocurrency tumbler — a service that blends multiple transactions and disperses money to intended recipients in incomplete installments, which makes it significantly more difficult to trace. The six-figure sum suggested the scams targeted large companies.
While BEC-linked behavior has been limited on the cybercrime underground, the sporadic solicitation for outsourcing has caused some actors tied to prior BEC scams to come out of the woodwork as recently as the past 60 days. A Nigerian-based actor that was linked to BEC scams in 2019 has resurfaced over the past few months. He has responded to several of the advertisements described above, as well as posting several ads of his own offering BEC services and partnerships. Multiple posts made by the actor on several cybercrime forums were asking for help in obtaining email database access and credentials from Italy and the U.S., which suggests the actor was in the reconnaissance stage of planning BEC attacks. In chats viewed by Intel 471 analysts, the actor has claimed he’s pulled in $100,000/year from launched BEC attacks.
As a first line of defense, proper training for an organization’s email users is essential to neutralize the threat of BEC. Awareness of the techniques threat actors employ and key indicators that an email or sender is fraudulent or inauthentic can help reduce the threat of BEC.
To prevent potentially malicious emails from reaching the inboxes of employees at all, an email authentication protocol such as domain-based message authentication, reporting and conformance (DMARC) may be implemented. These protocols work to differentiate legitimate, verified emails from fraudulent and unverified emails and spoofed domains, which may be used to launch a BEC campaign.
The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers. Many BEC attacks do not require access to a victim’s network, use no malicious payload and simply may employ a spoofed email domain with a single letter differing from that of the business being targeted. While it may not be as popular as credential theft or ransomware, the intelligence we’ve discovered shows that criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money.