Gone Phishing: Stealth Hits the Corner Office

By Alex Artamonov, Systems Engineer and Cybersecurity Specialist | Nov 8, 2019 | CISO Magazine

Mimicking the boss, in most organizations, is the very definition of insubordination. But ordering supplies or a job requisition in the top dog’s name is “BEC” – business email compromise – a growing (and worrying) cybersecurity trend that is too much of a euphemism for my liking.

BEC is polite language for CEO fraud, where, via email, someone (not necessarily an actual employee or underling but rather a bad actor posing as one) invokes senior management to get a recipient to take some action, typically sending money and/or downloading an attached Excel file that just happens to contain malware.  It’s a virtual way of walking through the front door, with employees unwittingly clearing the path.

While phishing itself isn’t new, CEO fraud is a relatively recent arrival on the hacking scene.  How insidious is this new-fangled extortion-like scheme?  The FBI puts cumulative losses to businesses from BEC at $13 billion. According to CPO Magazine, BEC has hit more than 80,000 companies globally in the last five years.

Growing BEC incidents

Perpetrators are once again several steps ahead of their marks: “As BEC continues to drive record-high losses, cybercriminals are devising new tactics for swindling corporate targets out of millions,” Dark Reading recently noted.  “The number of reports describing BEC incidents has rapidly grown from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crime Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC threats climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.”

The source of an enormous percentage of these messages is surprisingly obvious, per Help Net Security: 84 percent of BEC messages used free webmail services for distribution; 12 percent used spoofed company domains and 4 percent elected to employ misspelled or lookalike domain names to deceive recipients.

So why is BEC getting worse?  Why aren’t organizations wising up, and what should they be doing to stanch the bleeding?  Is this a case of collective naiveté, or is there something more pernicious about CEO fraud?

It’s getting worse in part because hackers abhor a vacuum.  While there are a handful of proven strategies and common-sense policies that organizations need to adopt – now – to begin to gain the upper hand on CEO fraud, actions are by their very nature reactive, chewing up precious time as bad actors go about their mischief.  More and more of them are going the BEC route; they exploit any new form of attack while the getting is good – and their M.O. is to propagate the pain by sharing the how-to’s of CEO fraud on hacker forums.

Authentication strategies

It’s also getting worse because the user community has let its guard down… if it was ever even up.  Still, there are three accessible, cost-effective email authentication strategies for the taking; users simply need to deploy them:

  • SPF Records – A Sender Policy Framework (SPF) record identifies legitimate mail servers – those that are allowed to send email on behalf of your domain.  Publishing an SPF TXT record lets receiving servers detect and reject messages that carry forged “From” addresses on your domain.  It’s basic and, increasingly, is becoming a requirement for antispam filters.
  • DKIM Signatures – DKIM (DomainKeys Identified Mail) signatures permit senders to associate a domain name with an email message, essentially affirming its authenticity. A sender creates the DKIM signature by “signing” the email with a private key; the resulting digital signature travels in the message’s header, and the receiver checks it against the public key published in the sender’s DNS.  Like SPF records, DKIM signatures are a snap to add.
  • Personal Digital Certificates – Think of a digital certificate as an electronic “password” that enables an individual or an organization to exchange data securely over the Internet using the public key infrastructure (PKI).  As with the other two methodologies, the cost of deployment is low.
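As an added example (not part of the article, and not code from any product or vendor it mentions), here is the receiving side of the first two mechanisms in the list: an RFC 7208 check_host() evaluator that decides whether a sending IP is authorized by a domain’s SPF record, and the body-hash (bh=) half of DKIM verification. All domains, addresses, DNS records and message bodies are constructed for the example; a real verifier would query live DNS. Two caveats worth knowing when deploying: SPF is evaluated on the envelope sender (MAIL FROM) domain rather than the header a user sees, and a matching DKIM body hash only proves the body is intact; checking the b= signature over the headers additionally needs the selector’s public key and an RSA or Ed25519 library.

```python
import base64
import hashlib
import ipaddress
import re

# Constructed DNS table (documentation addresses from RFC 5737 / RFC 3849);
# a real verifier would resolve these names over DNS.
DNS = {
    "TXT": {
        "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all"],
        "_spf.mail-provider.example": ["v=spf1 ip6:2001:db8:1::/48 a:relay.mail-provider.example ~all"],
        "loop.example": ["v=spf1 include:loop.example -all"],  # self-referencing record
    },
    "A": {"relay.mail-provider.example": ["198.51.100.7"]},
    "MX": {},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms is a permerror


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    recs = [t for t in DNS["TXT"].get(domain, []) if t.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, _state=None):
    """RFC 7208 check_host(): evaluate the SPF record of `domain` for sender `ip`.
    Returns one of pass, fail, softfail, neutral, none or permerror."""
    state = _state if _state is not None else {"lookups": 0}
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # membership is False when address and network families differ
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
            continue
        state["lookups"] += 1  # every remaining mechanism costs a DNS query
        if state["lookups"] > MAX_LOOKUPS:
            return "permerror"
        if name == "include":
            inner = check_host(ip, arg, state)
            if inner == "pass":  # include matches only on an inner 'pass'
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
        elif name in ("a", "mx"):
            target = arg or domain
            hosts = [target] if name == "a" else DNS["MX"].get(target, [])
            if any(str(addr) in DNS["A"].get(h, []) for h in hosts):
                return QUALIFIERS[qual]
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # record ended without a matching 'all' term


def dkim_body_hash(body, canon="simple"):
    """bh= value (base64 SHA-256) of `body` under RFC 6376 body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if canon == "relaxed":  # s3.4.4: drop trailing WSP, collapse WSP runs to one SP
        lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in lines]
    while lines and lines[-1] == "":  # s3.4.3: strip trailing empty lines
        lines.pop()
    canonical = "\r\n".join(lines) + "\r\n"  # an empty body canonicalizes to CRLF
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


def verify_body_hash(dkim_signature, body):
    """Compare the bh= tag of a DKIM-Signature header value with the actual body.
    Only the body half of verification; b= over the headers still needs the key."""
    tags = {}
    for item in dkim_signature.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # discard header-folding whitespace
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"  # body part defaults to simple
    return tags.get("bh") == dkim_body_hash(body, body_canon)


if __name__ == "__main__":
    print(check_host("203.0.113.45", "example.com"))   # authorized by ip4 range
    print(check_host("192.0.2.9", "example.com"))      # rejected by -all
    print(check_host("192.0.2.9", "loop.example"))     # lookup limit -> permerror
```

The `loop.example` record shows why the 10-lookup limit matters: without it a self-including record would recurse forever, and a receiver that gives up on such a record returns permerror rather than pass. The difference between `~all` and `-all` is also visible in the table: the provider’s record ends in `~all` (softfail), while `example.com` ends in `-all` (hard fail), so a message from an unlisted address is rejected only because the top-level record is strict.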

So, while these approaches aren’t especially new, they’re suddenly growing in popularity because they work, and organizations ignore them at their peril.  When all three are in force – and all should be – it’s possible to knock off nearly 99 percent of BEC threats.

But the simplicity and availability of these solutions don’t mean we’re out of the woods.  IT has typically put the burden on antispam filters, a view I believe is misplaced.  While these filters are aimed to some extent at fraudulent emails, that’s not why they exist.  An organization can be hip-deep in spam filters and still get burned.  If someone’s email is compromised, it’s still possible to log in and send hacked-but-seemingly legit emails to colleagues, and antispam won’t save them.

Using two-factor authentication might, however, which is why Microsoft has recently taken up the cause, modifying Office365 in a way that acknowledges just how big a deal CEO phishing has become.  As Krebs on Security reported in June: “It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.”  And in early August, Microsoft made it official.

While every technical effort to address CEO fraud is welcome, the human factor must be front and center.  That means educating users to be both vigilant and skeptical. Make it second nature to take a moment to ask why a message was sent or why a request was made.  CEO phishing can’t be beaten by rote instructions but by attitude, and by an understanding that change is a constant.  What’s true today won’t be true tomorrow.
