“Consistent with recent trends, it finds that the success of today’s most pernicious email scams is growing less dependent on technical prowess, and more on social engineering techniques that leverage human emotions like anxiety or curiosity.”
62% of BEC scams last quarter involved gift cards, the most common being:
Google Play store
Threat groups in Eastern Europe may become a larger issue in the upcoming months as attacks from Czech-based webmail platforms have been on the rise.
New this week are the following resources and recommendations.
Thanks for looking over my first week’s post! I began this on the later side of the week but want to have each of these published on Friday. If you have anything that you think would make a great addition to this week please email me at the address provided.
Apologies for the combined weeks! The blog may not have been updated but there is a new part of the site that focuses on Romance Scams and the home page has a nice facelift!
Let’s jump into it.
Some of the biggest news in the last few weeks came from Barbara Corcoran of Shark Tank. After losing $388,xxx in a business email compromise, money was stopped and returned to her.
New Attacks and Methodologies
Cofense reported that attackers have been using a scheme to harvest passwords by advising that users “Update their Office 365” using a Google Docs Form.
Tax season is underway in the US and we all know what that means:
Per SCMagazine, if you receive a W2 attached in an email “The attached W2 file could be a genuine form that the attacker is hoping you’ll fill out and return, because it would give them information that may be used for further frauds and scams. Alternatively, the W2 may be a malware payload that’s triggered when you try to open the attachment.”
SpamTitan reported that activity has been seen in the form of both W2 and W9 malicious documents.
Proofpoint cautions to not only look for malicious documents but also “legitimate tax-focused websites that are compromised to deliver malware”.
Samuel West wrote a LinkedIn article about how scammers and attackers are using fears about the Coronavirus to manipulate victims.
Crane Hassold of Agari discussed Exaggerated Lion, a BEC group that favors physical checks and compromising G-Suite. Particularly, their research into how this group interacts with “Tier 1” romance scam victims was interesting: “The group’s history of check fraud and romance scams has resulted in a vast network of check mules across the United States. Over the course of our research into Exaggerated Lion, we have uncovered the identities and locations of 28 check mules, including seven “Tier 1” mules who are long-standing romance scam victims that are trusted with large sums of money and who interact more extensively with the main Exaggerated Lion actors.” The full report can be downloaded from Agari.
Interpol’s “ASEAN Cyberthreat Assessment 2020” report details not only phishing and BEC but also ransomware, cryptojacking, and other threats (report downloadable at the bottom of the page).
Patrick Peterson, Founder and CEO of Agari, and Teresa Walsh, Head of Financial Services Information Sharing and Analysis Center Inc. (FS-ISAC), presented at RSA on “Disrupting BEC Attacks Utilizing Kill Chain”.
I found this a little late, but the Black Hat presentation by Keith Turpin of Universal Weather and Aviation, titled “Phishing for Funds: Understanding Business Email Compromise”, was posted on YouTube last month.
The Ping Podcast focused on spear-phishing and Office 365 in an interview with Matt Brennan of SonicWall. This was a good introductory conversation on BECs but had a little sales pitch in there.
I did not find any upcoming webinars in the immediate week but did discover that Agari has a historical record of their webinars on various threat groups posted online.
DarkReading has a related Webinar on “Preventing Credential Theft & Account Takeovers” coming up on March 10.
Please feel free to drop a comment below with any upcoming webinars, additions to this, or questions!
Hello everyone! My name is Ang and I work as a Digital Forensics and Incident Response (DFIR) Team Lead. My team specializes in investigations and research into Business Email Compromise.
We identified after some time that there were great resources in the community for wider DFIR needs but that the intel regarding BECs was somewhat spread out. This website will be maintained to provide support to victims, education to researchers, and current news. As with all things, we expect this to evolve over time and warmly welcome feedback and contributions.
That being said, I’ll keep this introductory post short and get to the important stuff. If you would like to reach me for any reason please contact me in one of the ways below: