By Tim Sadler, CEO, Tessian
In 2019, businesses lost a staggering $1.8bn because of Business Email Compromise (BEC). These types of attacks, whereby a trusted relationship is compromised through email impersonation or email account hacking, are becoming more common and also more successful. The reason? First, they are easier and more cost-effective to carry out, making such attack methods attractive and lucrative for cybercriminals. Second, to improve the success rate of their scams, hackers are making it much more difficult for their victims to detect that they are being targeted.
In fact, just recently, researchers identified a cybercriminal gang called Cosmic Lynx that has carried out more than 200 BEC campaigns since July last year, in attempts to steal as much as $2.7m from Fortune 500 or Global 2000 companies. Believed to be the first reported case of a BEC gang operating from Russia, the group delivers sophisticated and creative email campaigns that target senior executives, tailoring their messages to discuss legitimate mergers and acquisitions.
Why Cosmic Lynx is cause for concern
BEC scams are not, traditionally, this group’s method of attack. However, as BEC offers a lucrative opportunity to steal millions of dollars in just a few emails, it appears that this Russian cyber gang is changing tack.
One of the defining characteristics of Cosmic Lynx’s campaigns is that they are far more sophisticated than generic phishing scams. This is a well-researched operation, run by experienced hackers who have clearly done their homework. The hackers investigated companies that were completing an acquisition, identified a senior executive target, and impersonated the CEO of the target company in order to deceive their victim into wiring money to a fraudulent account.
To add another layer of perceived legitimacy, the hackers also impersonated an external lawyer at a well-regarded law firm to “facilitate the payment”, making it very difficult for the target to think that they are being scammed. Finally, the hackers ensured a high level of quality and diligence in their campaigns, paying particular attention to brands’ details, and making sure grammar and spelling were without error.
Social engineering campaigns like this can be devastating to businesses, and anyone in an organization can fall for the scams. As hackers up their game, businesses need to ensure all employees are aware of the threats in their inboxes and consider whether they have the security measures in place to detect the deception before it’s too late.
My company has DMARC so I should be protected against email impersonation, right?
Implementing Domain-based Message Authentication, Reporting & Conformance (DMARC) is a necessary first step for businesses to prevent hackers spoofing your company’s domain in their email attacks. Without it, an attacker can directly impersonate your company’s domain and users will think they are receiving an email from a legitimate (and trusted) source.
In the particular case of Cosmic Lynx, researchers found that the group has a strong understanding of DMARC and analyses the public DMARC records to select its targets and methods of attack. The problem is that, as DMARC records are publicly available, it’s very easy for hackers to identify companies that do not have email authentication protocols in place, allowing them to directly impersonate a company’s domain and pose as the CEO.
But even if your company does have a DMARC policy in place, attackers can also assess how strictly you’ve configured it. If your company has a strict email policy in place, the attacker can still carry out an advanced spear-phishing attack by registering a look-alike domain, banking on the fact that a busy employee may miss the slight deviation from the original domain. This highlights why companies cannot rely on the email authentication protocol as a silver bullet to prevent email impersonation scams.
The other problem is that while your organization might have DMARC in place, your external contacts may not. This means that while your organization’s domain is protected against direct impersonation, your employees may be vulnerable to impersonation of external contacts like partners, customers, or lawyers. Again, this knowledge has worked to Cosmic Lynx’s advantage; they impersonated external lawyers from real UK law firms to add another layer of legitimacy to their scams.
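To make the DMARC points above concrete, here is an added example (my own, not Tessian's or the researchers' code) that classifies how strictly a DMARC record is enforced and flags sender domains that are look-alikes of trusted contacts. The record strings, domain names and homoglyph list are constructed for illustration, and no DNS lookup is performed.

```python
# Added example, not Tessian's code: (1) classify a DMARC TXT record by how strictly
# it is enforced; (2) flag sender domains that are look-alikes of trusted contacts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]  # illustrative, not complete

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'dmarc1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def enforcement_level(record):
    """Return 'unprotected', 'monitor', 'partial' or 'strict' for a DMARC record."""
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if tags.get("v") != "dmarc1" or policy not in ("none", "quarantine", "reject"):
        return "unprotected"  # missing or malformed record: domain can be spoofed directly
    if policy == "none":
        return "monitor"      # report-only: spoofed mail is still delivered
    if int(tags.get("pct", "100")) < 100:
        return "partial"      # policy applied to only a fraction of failing mail
    return "strict" if policy == "reject" else "partial"

def normalise(label):
    """Collapse common homoglyph tricks so that 'exarnple' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain, trusted_domains, max_distance=1):
    """Trusted domain that sender_domain imitates, or None. Assumes registrable domains (no subdomains)."""
    if sender_domain.lower() in {t.lower() for t in trusted_domains}:
        return None  # exact match: genuine contact (DMARC decides whether it was spoofed)
    sender = normalise(sender_domain.lower().split(".")[0])
    for trusted in trusted_domains:
        if edit_distance(sender, normalise(trusted.lower().split(".")[0])) <= max_distance:
            return trusted
    return None
```

A sender flagged by `lookalike_of` is the case DMARC cannot cover: the attacker's own domain authenticates correctly, so only a comparison against known contacts reveals the imitation.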
How do I protect my company from BEC?
Of course, security teams put rules and policies in place to stop malicious messages landing in inboxes but, as we’ve seen, hackers find ways around these rules. Another solution is to train employees on the threats. And security training helps to raise awareness, but solely relying on training means relying on your employees to spot every scam and every threat. This is unrealistic; businesses cannot expect busy and stressed employees to get it right 100% of the time, especially when hackers make their deceptions so difficult to detect.
To prevent BEC attacks, you need to detect the impersonation, but it’s a difficult problem to solve. To accurately detect it, you need to understand what is being impersonated. You need to be able to answer the question, “for this user, at this point in time, given this context, is the sender really who they say they are?”
Machine learning can help, though. By using machine learning algorithms to analyse historical email communications and understand each employee’s relationships over email, you can start to build a picture of normal (and abnormal) behaviour. When an employee receives an email that looks out of the ordinary, they can be alerted in real time to the threat and given advice on what to do next.
The example of Cosmic Lynx has shown that more and more cyber-criminal gangs are turning to BEC to achieve their objective of scamming businesses out of hundreds of thousands of dollars. Companies need an advanced, multi-layered solution to this increasingly sophisticated problem. By using machine learning to protect people on email, and by solving the problem at the human layer, businesses can start to tackle the rising threat of BEC.
About the Author
Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our products use stateful machine learning to protect people using email and to prevent threats like spear-phishing, accidental data loss due to misdirected emails, data exfiltration, and other non-compliant email activity. We’ve raised $60m from legendary security investors like Sequoia and Accel and have over 150 employees located in New York and London.