Cybersecurity basics still the key for preventing business email compromise

Business email compromise is up, and people are still falling for phishing attacks that give cyber criminals access to corporate email systems.
Written by Stilgherrian, Contributor

Well-organised cybercriminals lust after the big bucks, so hijacking business systems for cryptocurrency mining is on the decline, and business email compromise (BEC) is now the thing.

Sure, surreptitious mining continues to be feasible when the goal shifts from Bitcoin, whose mining is now dominated by purpose-built ASIC hardware, to Monero and other currencies designed to be mined on ordinary CPUs. But the payoff can still be bigger elsewhere, according to Chris Tappin, a Sydney-based principal consultant with Verizon's Threat Research Advisory Centre (VTRAC).

"If you're going to commit cybercrimes and you're going to get access to someone's web server, there's more you can do now which has got a better return, which is going off and compromising email accounts," Tappin told ZDNet this week.

"To compromise a web server and run software on it, you've got to have fairly good access to it. So to only do some cryptocurrency mining, it's a bit of an anticlimax," he said.

"Crypto mining gets a lot of media time, but we're not seeing in our dataset that it's as much of a concern as things like the business email compromise."

Tappin is referring to the dataset that informs Verizon's annual Data Breach Investigations Report (DBIR), now in its twelfth year. This year, the much-respected report is an analysis of 41,686 security incidents, with information contributed by 73 organisations.

It reveals that attacks by nation-state actors are up. Nation states and parties affiliated with them now represent 23% of data breaches. That's certainly a worry.

But for this writer, the DBIR's numbers around business email compromise are a bigger worry.

For incidents involving an actual data breach, the use of stolen login credentials was by far the most common way to break in, with a web application being the most common pathway.

"Utilising valid credentials to pop web applications is not exactly avant garde," Verizon wrote.

"The reason it becomes noteworthy is that 60 percent of the time, the compromised web application vector was the front-end to cloud based email servers."
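What that finding looks like from the defender's side is a sign-in log for the webmail front-end in which a stolen or guessed password eventually works. The script below is an example added to this article, not Verizon's or any vendor's code; the log format, the account baseline and the events themselves are constructed for the illustration. It flags two patterns a practitioner would want to see: a successful login from a source address the account has never used, and a success that follows a run of failures from the same source (guessing that finally succeeded).

```python
"""Flag suspicious sign-ins to a cloud mail front-end from a sign-in log.

Example added to the article, not code from the original page or any
product. The log format is a constructed, hypothetical one:
"<timestamp> <user> <source_ip> <SUCCESS|FAIL>", one event per line,
in time order.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real data). alice: a known IP signs in
# normally; later an unknown IP fails four times, then succeeds.
# bob: one failure then a success from his usual IP, nothing suspicious.
SAMPLE_LOG = """\
2019-05-13T08:01:10Z alice 203.0.113.10 SUCCESS
2019-05-13T08:03:44Z bob 198.51.100.7 SUCCESS
2019-05-13T11:15:02Z alice 192.0.2.50 FAIL
2019-05-13T11:15:09Z alice 192.0.2.50 FAIL
2019-05-13T11:15:15Z alice 192.0.2.50 FAIL
2019-05-13T11:15:22Z alice 192.0.2.50 FAIL
2019-05-13T11:15:40Z alice 192.0.2.50 SUCCESS
2019-05-13T12:00:00Z bob 198.51.100.7 FAIL
2019-05-13T12:00:30Z bob 198.51.100.7 SUCCESS
"""

# Constructed baseline: source IPs each account has used before.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
}


@dataclass
class Event:
    ts: str
    user: str
    ip: str
    ok: bool


def parse_log(text):
    """Parse the hypothetical log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, result = line.split()
        events.append(Event(ts, user, ip, result == "SUCCESS"))
    return events


def find_suspicious_logins(events, known_ips, fail_threshold=3):
    """Return (user, ip, reason) for each successful sign-in that
    (a) came from an IP not in the user's baseline, or
    (b) followed at least `fail_threshold` consecutive failures from
        the same user and IP, i.e. guessing that eventually worked."""
    consecutive_fails = defaultdict(int)  # (user, ip) -> failures so far
    findings = []
    for ev in events:
        key = (ev.user, ev.ip)
        if not ev.ok:
            consecutive_fails[key] += 1
            continue
        reasons = []
        if ev.ip not in known_ips.get(ev.user, set()):
            reasons.append("success from IP never seen for this user")
        if consecutive_fails[key] >= fail_threshold:
            reasons.append(
                f"success after {consecutive_fails[key]} consecutive failures")
        consecutive_fails[key] = 0  # a success resets the run
        for reason in reasons:
            findings.append((ev.user, ev.ip, reason))
    return findings


if __name__ == "__main__":
    for user, ip, reason in find_suspicious_logins(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(f"{user} from {ip}: {reason}")
```

Run on the sample, only alice's sign-in from 192.0.2.50 is reported, on both counts. The baseline is what makes the first rule useful; without a per-account history of source addresses (or at least countries and user agents) a single successful login from a new place looks like any other.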

Last month, the FBI reported that business losses to BEC scams had doubled in 2018 and the attacks are becoming more sophisticated. Cyber criminals scored $1.3 billion from US companies alone.

Global losses hit $12.5 billion, the FBI reported, which is $3 billion more than Trend Micro's prediction.

According to Tappin however, the real figure is probably much higher as "many" BEC losses don't get reported.

"A lot of those obviously don't get disclosed, they just get tidied up. We've worked on several very large ones where there was never any consideration of disclosing those to law enforcement," Tappin said.

"It was just written off as a business loss and everyone kind of carried on and didn't want to talk about it, and was quite embarrassed by what happened."

Phishing remains the number one method for stealing login credentials.

"We're seeing more of these targeted phishing campaigns -- spear phishing, whaling, whatever you want to call it -- where specific individuals are targeted," Tappin told ZDNet.

"Things like two factor authentication or multi-factor authentication are really still the priorities for kind of businesses both in Australia and globally."

Then, as always, there's the human factor.

We've known for years that phishing works, and continues to work, because it exploits weaknesses in human psychology and organisational culture, and even in national culture.

When employees fall for a phish, they're usually away from their desks, using mobile mail clients which don't necessarily show the sender's full address or where a link really leads; often all the recipient sees is the display name.

Cyber criminals are now smart enough to target the right people in the organisation: people with authorisation over payments and their executive assistants. And they're smart enough to try to get to their targets when they're likely to be on their mobile device.
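Because a phone typically shows only the display name, the cheapest version of this attack is a free webmail account with the executive's name on it, sometimes with a Reply-To pointing somewhere else or a domain one character off the real one. The checks below are an example added to this article, not the page's own or any product's code: a few heuristics a mail gateway or a triage script can apply to inbound headers. The executive list, corporate domain and the three sample messages are constructed for the illustration, and the address splitting is done with a small regex rather than `email.utils.parseaddr`, whose handling of a display name that itself contains an `@` differs between Python versions.

```python
"""Heuristic checks for executive-impersonation (BEC-style) phishing.

Example added to the article, not code from the original page or any
product. Protected names, corporate domains and sample messages are all
constructed for the example.
"""
import email
import re

# Constructed: people attackers would impersonate, and the domains that
# legitimately send mail on their behalf.
PROTECTED_NAMES = {"dana ortiz", "sam lee"}
CORPORATE_DOMAINS = {"corp.example"}

_ADDR_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^>]+)>\s*$")


def split_address(header_value):
    """Return (display_name, address) from a From/Reply-To header value."""
    if header_value is None:
        return "", ""
    m = _ADDR_RE.match(header_value)
    if m:
        return m.group("name").strip('" '), m.group("addr").strip().lower()
    return "", header_value.strip().lower()  # bare address, no display name


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw, protected_names=PROTECTED_NAMES, corp_domains=CORPORATE_DOMAINS):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = split_address(msg.get("From"))
    domain = domain_of(addr)
    findings = []
    # 1. The name a phone shows belongs to an executive, but the address does not.
    if name.lower() in protected_names and domain not in corp_domains:
        findings.append(f"display name '{name}' is a protected executive but address is {addr}")
    # 2. The display name is itself an address, and not the real one.
    if "@" in name and name.lower() != addr:
        findings.append(f"display name shows {name} but real sender is {addr}")
    # 3. Sender domain is a single character away from a corporate domain.
    if domain not in corp_domains and any(levenshtein(domain, d) == 1 for d in corp_domains):
        findings.append(f"sender domain {domain} is one character off a corporate domain")
    # 4. Replies are diverted to a different domain than the visible sender.
    _, reply_addr = split_address(msg.get("Reply-To"))
    if reply_addr and domain_of(reply_addr) != domain:
        findings.append(f"replies go to {reply_addr}, not the sender's domain")
    return findings


# Constructed sample messages.
LEGIT = """\
From: "Dana Ortiz" <dana.ortiz@corp.example>
To: payments@corp.example
Subject: Q2 supplier invoices

Please process the attached batch on the usual schedule.
"""

IMPERSONATION = """\
From: "Dana Ortiz" <dana.ortiz.ceo@mail.example>
Reply-To: dana.ortiz.ceo@other.example
To: payments@corp.example
Subject: Urgent wire before 5pm

I'm travelling, can you send the transfer today and confirm by reply?
"""

LOOKALIKE = """\
From: dana.ortiz@corp.example <dana.ortiz@c0rp.example>
To: ea.office@corp.example
Subject: Re: updated bank details

Please use the new account details below for the next payment.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("impersonation", IMPERSONATION), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw) or ["no findings"])
```

The legitimate message produces no findings; the free-webmail impersonation is caught on the executive name and the diverted Reply-To; the look-alike message is caught on the mismatched display-name address and the one-character domain. None of these rules replaces MFA or a payment-approval process that does not run over email, but they are cheap to run and they surface exactly the messages the targeted people are least able to inspect on a phone.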

"For me the thing that people should be focusing on with their security spend is the boring stuff," Tappin said.

Have you trained users about phishing? Have you gone back to the principle of least privilege? Have you got an incident response plan? Have you ever tested it?
