Average BEC attempts are now $80k, but one group is aiming for $1.27m per attack
BEC scammer groups are growing more brazen. The average sum that a BEC group will try to steal from a targeted company is now around $80,000 per attack, according to an industry report published on Monday.
The number is up from $54,000, the average sum that BEC groups tried to obtain from victims in Q1 2020, as reported by the Anti-Phishing Working Group (APWG), an industry coalition made up of more than 2,200 organizations from the cyber-security industry, government, law enforcement, and NGOs sector.
One of the largest industry group of its kind, the APWG has been releasing quarterly reports on the state of phishing operations since 2004.
Most of these reports have usually centered on email phishing attacks that focus on stealing login credentials and distributing malware. However, since the mid-2010s, BEC fraud has been slowly taking more and more space in APWG's reports, as BEC fraud has become today's top cybercrime trend.
BEC, or Business Email Compromise (BEC) scams, usually begin with phishing, with an email sent to a company's employee. The end goal is to dupe the employee into paying fake invoices or transferring funds to an account controlled by the attackers.
Over the course of the past years, there have been multiple criminal groups who engaged in BEC scams. Some groups targeted huge payouts in the realm of hundreds of millions of dollars, only to be arrested and prosecuted, but the vast most groups usually operate under the radar, at a sweet spot where the sums are low enough to dissuade companies from following through with investigations and legal actions, but still big enough to net the groups a profit.
Enter Cosmic Lynx
But according to Agari, a cyber-security firm that's a member of the APWG, in Q2 2020, the BEC threat landscape is seeing yet again another major gang that likes to go after big payouts —namely, a newly discovered Russia-based BEC group named Cosmic Lynx.
Per a report earlier this year, Agari says this group has been active since July 2019, and has targeted 46 entities across six continents in more than 200 distinct campaigns. The group is unique not only because it operates from Russia —outside of West Africa, where most BEC gangs are located— but also because the level and scale at which it operates.
"The average amount requested by Cosmic Lynx in its attacks is an astounding $1.27 million," Agari said in the APWG report.
This makes Cosmic Lynx stand apart from the vast majority of other BEC scammer groups active today, who are more than content with extracting meager profits of just a few tens of thousands of US dollars as long as it allows them to pass under law enforcement's radar.
However, the new Cosmic Lynx group doesn't appear to be afraid of prosecution, or at least prosecution in western countries, and is brazenly attempting to trick companies into sending over huge payments.
Crane Hassold, Senior Director of Threat Research at Agari, believes that going forward more BEC scam groups will eventually appear in Russia because of the way Russian authorities shield cybercrime groups from prosecution in western states.
Furthermore, the benefits for Russian cybercrime groups are also very palpable, as "the return on investment for basic social engineering attacks is much higher than launching more sophisticated (and more expensive) malware-based attacks," according to Hassold.
The Agari exec is definetly not wrong, and his prediction is quite sensible, as BEC attacks are quite a lucrative deal nowadays, with the FBI reporting that BEC scams accounted for half of the cyber-crime losses reported in 2019, a whopping $1.77 billion from the $3.5 billion total.
💯 This. If you don’t have an understanding of and plans to detect, disrupt, and recover from ransomware and BEC, let the nation state stuff idle until you do. https://t.co/PjtmSuLRZW
— Paul Melson (@pmelson) August 31, 2020