{"id":3700,"date":"2023-05-19T09:08:09","date_gmt":"2023-05-19T09:08:09","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-insider\/?p=3700"},"modified":"2024-01-31T17:30:02","modified_gmt":"2024-01-31T17:30:02","slug":"shifting-tactics-fuel-surge-in-business-email-compromise","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-insider\/reports\/cyber-signals\/shifting-tactics-fuel-surge-in-business-email-compromise\/","title":{"rendered":"Shifting tactics fuel surge in business email compromise"},"content":{"rendered":"
\n

Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion<\/a>. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated.<\/p>\n

This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS)<\/a> and has caught federal law enforcement\u2019s attention because it allows cybercriminals to evade \u201cimpossible travel\u201d alerts used to identify and block anomalous login attempts and other suspicious account activity.<\/p>\n

We are all cybersecurity defenders.<\/strong><\/p>\n

\n

Microsoft\u2019s Digital Crimes Unit has observed a 38 percent increase<\/strong> in Cybercrime-as-a-Service targeting business email between 2019 and 2022.<\/p>\n<\/div>\n

Threat Briefing<\/h3>\n

 <\/p>\n

Inside the rise of BulletProftLink\u2019s industrial-scale BEC service<\/p>\n

Cybercriminal activity around business email compromise is accelerating. Microsoft observes a significant trend in attackers\u2019 use of platforms, like BulletProftLink, a popular platform for creating industrial-scale malicious mail campaigns. BulletProftLink sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS receive credentials and the IP address of the victim.<\/p>\n

BEC threat actors then purchase IP addresses from residential IP services matching the victim\u2019s location creating residential IP proxies which empower cybercriminals to mask their origin. Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent \u201cimpossible travel\u201d flags, and open a gateway to conduct further attacks. Microsoft has observed threat actors in Asia and an Eastern European nation most frequently deploying this tactic.<\/p>\n

Impossible travel is a detection used to indicate that a user account might be compromised. These alerts flag physical restrictions that indicate a task is being performed in two locations, without the appropriate amount of time to travel from one location to the other.<\/p>\n

The specialization and consolidation of this sector of the cybercrime economy<\/a> could escalate the use of residential IP addresses to evade detection. Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP\/proxy services that marketers and others may use for research to scale these attacks. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.<\/p>\n

While threat actors<\/a> use phishing-as-a-service like Evil Proxy, Naked Pages, and Caffeine to deploy phishing campaigns and obtain compromised credentials, BulletProftLink<\/a> offers a decentralized gateway design, which includes Internet Computer public blockchain nodes to host phishing<\/a> and BEC sites, creating an even more sophisticated decentralized web offering that\u2019s much harder to disrupt. Distributing these sites\u2019 infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex. While you can remove a phishing link, the content remains online, and cybercriminals return to create a new link to existing CaaS content.<\/p>\n

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI\u2019s Recovery Asset Team initiated the Financial Fraud Kill Chain on 2,838 BEC complaints involving domestic transactions with potential losses of over $590 million<\/a>.<\/p>\n

Although the financial implications are significant, wider long-term damages can include identity theft if personally identifiable information (PII) is compromised, or loss of confidential data if sensitive correspondence or intellectual property are exposed in malicious email and message traffic.<\/p>\n

Business email compromise phishing mail by type<\/p>\n

\"Pie
\nData represents a snapshot of BEC phishing by type January 2023 through April 2023<\/sup><\/p>\n

Top targets for BEC are executives and other senior leaders, finance managers, human resources staff with access to employee records like Social Security numbers, tax statements, or other PII. New employees perhaps less likely to verify unfamiliar email requests are also targeted. Nearly all forms of BEC attacks are on the rise. Top trends for targeted BEC include lure, payroll, invoice, gift card, and business information.<\/p>\n

BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering<\/a> and the art of deception. Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers.<\/p>\n

Unlike a \u201cnoisy\u201d ransomware attack<\/a> featuring disruptive extortion messages, BEC operators play a quiet confidence game using contrived deadlines and urgency to spur recipients, who may be distracted or accustomed to these types of urgent requests. Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and inbox success rate of malicious messages.<\/p>\n

Although there have been several high-profile attacks that leverage residential IP addresses, Microsoft shares law enforcement and other organizations\u2019 concern that this trend can be rapidly scaled, making it difficult in more cases to detect activity with traditional alarms or notifications.<\/p>\n

Variances in login locations are not inherently malicious. For example, a user might access business applications with a laptop via local Wi-Fi, and simultaneously be signed into the same work apps on their smartphone via a cellular network. For this reason, organizations can tailor impossible travel flag thresholds based on their risk tolerance. However, the industrial scale of localized IP address for BEC attacks creates new risks for enterprises, as adaptive BEC and other attackers increasingly take the option of routing malicious mail and other activity through address space near their targets.<\/p>\n

Recommendations: <\/strong><\/p>\n