Crane Hassold, with Abnormal Security, recently joined Lindsey O’Donnell-Welch on the Decipher podcast to talk about why business email compromise attacks are still a top financially damaging threat today. This is a condensed and edited version of the conversation.
Lindsey O’Donnell-Welch: You've tracked and followed business email compromise attacks for a while now. What does the current threat landscape look like?
Crane Hassold: So I've looked at BEC attacks for the past five years now. And a lot of the research that I've done has not just looked at the attacks themselves, but how the attacks unfold from beginning to end. So my team at Abnormal Security, one of the things that we do is actually engage with these attackers and communicate with them, and one of the unique aspects of BEC is that it requires an interaction with a victim in order to be successful. And so that interaction allows us to collect some more robust intelligence to understand how these attacks unfold over time, essentially allowing us to see the entire attack chain. And so what's really interesting about BEC is… that it definitely doesn't get the amount of attention that other types of cyber threats get. That's probably because they're relatively technically unsophisticated, it's pretty much just communicating with a financial executive, or an HR employee or something like that, and trying to persuade them using pure social engineering tactics to either send money or update their direct deposit information, or even send maybe some W2s. And compare that to something like ransomware; obviously, that has a little bit more visibility, and in some cases, depending on the attack, it may disrupt actual infrastructure. Whereas with BEC, a lot of that is behind the scenes. But when you look at the financial losses that have been attributed to BEC attacks, it's not even close. [BEC attacks led to] $1.8 billion in losses last year, and I think it's grown about 30 percent or so year over year. As we move into the end of this year into next year, we're talking about more than $2 billion a year going to be lost for BEC attacks. 
And when you compare that to even things like ransomware that get all attention, maybe if you take out a lot of the underreporting, and even if you insert into the equation things like remediation, you're talking about hundreds of millions of dollars, and it’s still a lot of money, but it really doesn't even touch the overall financial impact of BEC.
Lindsey O’Donnell-Welch: When you're looking at different BEC groups - and I know you've done a lot of work looking into how these groups collaborate, and how they work together - how does that break down?
Crane Hassold: So what's interesting is that most BEC groups today are still coming from West Africa, primarily Nigeria, which is sort of a central hub for BEC actors today. That being said, we have started to see some other actors and other places of the world, like Eastern Europe and Russia, Israel, that are sort of an emerging hotspot for BEC actors. But even when we see a lot of BEC actors in other countries, like the United Arab Emirates, Dubai, specifically, Malaysia, or even here in the US, even when we see BEC actors in those countries, they're usually Nigerian expatriates. So there's a big link to Nigeria, it's still there.
"What's really interesting about BEC is… that it definitely doesn't get the amount of attention that other types of cyber threats get."
When we look at how they work, there's a lot of specialization in how they operate. So you have a number of different roles, you have what are called the loaders, which are the ones that are actually going to be sending the emails, they're going to be the ones responsible for really driving the actual communication behind the scenes. You have things like pickers; pickers are the actors who are responsible for maintaining the email accounts, they're going to be receiving fraudulent funds. And a lot of those mules, at the end of the day, a majority of them, in fact, are actually victims of other types of scams, like romance scams. And so you have pickers that are in charge of making sure that that money is getting there and then passing it on. And then you have the spammers who are actually sending out phishing emails if it comes to vendor email compromise attacks. And what's interesting with the whole decentralization of the BEC ecosystem is that you have places online, especially apps, like WhatsApp and Telegram, where these actors are getting together and discussing tactics and recruiting one another to work together for a finite period of time before they go their own way. But that's how this whole process works. It's very rare that you see a structured, hierarchical group that's going to be working together for a very long period of time.
Lindsey O’Donnell-Welch: I'm curious about that recruitment process, too. Because you mentioned that some of these players are actually romance scam victims themselves. Are they unwitting victims? Or have they been convinced to go and do these malicious activities? How does that work out?
Crane Hassold: Yeah, that's a good question. Going to the romance victim side of things, that is a highly psychologically driven scam, where once an actor or a scammer gets to the point where they are going to be asking a romance victim to receive money, obviously, they're not going to be saying, “Hey, we're going to be receiving some fraudulent funds that I need, you either open up a bank account, or let me use your bank account,” there's going to be some pretext to it. And usually, that's something on lines of, “I need to receive money for a family member or I have a life insurance payout.” And there are a number of different pretexts they can use.
But by the time it gets to that point, enough trust has been developed between the romance victim and the scammer that the victim will usually comply with really whatever they're going to be asking for, they won't really ask any questions. And so in most cases, they are unwitting to what's actually going on. That being said, there certainly have been some times that we've seen some romance victims that have been contacted by law enforcement, and they've been made aware of what's actually going on. And yet they still work with the scammer. The psychology of romance victims is fascinating, the fact that it's so hard to convince them that the person that they're actually talking to is not real, and is actually conning them for a variety of different reasons. So we're talking about romance scam victims, how that recruitment happens when it comes to the actors themselves and who's involved in BEC attacks and other types of scams.
What’s really interesting is a vast majority of these scammers are very young, many of them are highly educated. So a lot of the scammers that I've even talked to personally have really good college educations from a variety of different backgrounds. And one of the big reasons that they go into BEC or other types of scams is that when you look at places like Nigeria, the unemployment rate over there is so high, that there really is no other opportunity for them to make a living, other than getting into this cybercrime game that has essentially been going on for 30 years in places like Nigeria. And so social engineering has become a normal way to make a living there.
It started out in the 90s with those Nigerian prince scams, which are still around today, so there's still some money to be made there. But what we saw is about five years ago, 2015 or 2016, you started to see a lot of these actors shift from targeting individuals to targeting employees at businesses. And from a social engineering perspective, a lot of the same concepts are still being used there. But it's all about making a living. And there is certainly a minority of these actors that are doing it for the glory, to make a ton of money. You have people out there like Hushpuppi who was arrested a few years ago in Dubai, that did it for a lifestyle type of thing. And you certainly have a good number of the scammers that are out there for that, but then for a lot of these guys, they're not doing it for anything else. They need to make money somehow and provide for themselves and their family.
“About five years ago, 2015 or 2016, you started to see a lot of these actors shift from targeting individuals to targeting employees at businesses.”
Lindsey O’Donnell-Welch: Right. That's always an interesting thing to keep in mind when you're looking at these different types of attacks. One other thing that sticks out to me too, is it doesn't seem like it would cost a ton of money to set up this type of attack. I guess it does seem like there would be a lot there in terms of investing in the social engineering aspect of it. And I'm sure that attackers need to play the long game to build up that trust. But how long typically are these types of attacks playing out and what's needed on the attacker’s side when they're trying to maintain and operate these types of campaigns?
Crane Hassold: So because BEC attacks and most other cybercrime attacks are financially motivated, if you think about this like a business, right, they want to make the largest amount of profit that they can. And when you look at BEC, the ROI, the return on investment, for those attacks is so much higher than other types of cyberattacks out there, to the point where at some point - and we have been saying this for years - the Eastern European and Russian cybercriminal organizations are going to start thinking to themselves “why am I spending all this time and money setting up my infrastructure for my malware, or hiring developers, when I can just send someone an email, tell them to send me money, and they'll do it?” And we have started to see some of those more sophisticated groups pivot over to BEC, I think just for that exact same reason, because the amount of money that they can make with less work is definitely there with BEC. When you look at what's required in order to send a BEC email, essentially, you have to identify who you're actually going to email.
And what's really interesting is almost exclusively across the board for all of the groups that I've looked at, the same online services, commercial services, or legitimate services that sales and marketing teams use all around the world to identify sales prospects, the exact same services are being used by these groups to identify targets for BEC attacks. And they'll either sign up for a free one-week trial, or even use a compromised credit card and buy a subscription to one of these services. But all they have to do is run a very easy search using one of the dozens of different characteristics that are available in these services and it dumps out essentially a raw lead sheet of all the contact information and names for the people that they're going to contact with that, then supplement that with additional open-source intelligence to understand who they're going to be impersonating, which is going to be a CEO or some other executive. And then all you have to do from there is email people. And based on what I've seen, almost exclusively, I have seen a very, very, very small percentage of these actors that are actually using automated mechanisms to send these emails; almost all the time they're actually sending emails manually, one at a time, to their targets. And so when you look at that, it's literally just setting up a Gmail account, or some other generally free webmail account, and sending emails from that on a manual basis. But everything else is pretty straightforward from there, so the amount of overhead that you need, in order to send a BEC email, is very, very minimal.
Lindsey O’Donnell-Welch: That seems frighteningly easy, and definitely not good. But I remember when we talked a couple years ago, you were talking about attackers from Russia starting to look at this type of attack. And you were mentioning that this was something that was just starting to transpire. And now as you mentioned before, this is a type of attack that different actors are looking at from beyond even Nigeria. So it sounds like it's spreading. Are you seeing different tactics increase due to this spread into other different geographic regions?
Crane Hassold: Yes, the biggest thing that I've seen when it comes to actors in other parts of the world, especially Eastern Europe, Russia, and Israel, the biggest difference that you see in those emails is that they are more sophisticated from a social engineering perspective, meaning that they are clearly spending more time crafting an initial communication to a target than a lot of the other BEC actors out there. A lot of the West African BEC actors that we see, their emails are very, very similar. They're very short. And in many cases, those red flags that we teach people to look out for, the spelling errors and grammatical errors, are going to be there in a West African BEC email. That being said, when you look at these actors from other places in the world, those emails are just going to be longer. The English language that's being used is going to be much better, even to the point where I've always thought that there must be some collaboration with native speakers of different languages to actually translate some of these emails, because there are almost no grammatical or spelling errors. And then they're also more complex in the fact that a lot of the emails will hand off a target to different personas, so they may start off by impersonating the CEO of an organization and then pass the employee off to another persona that might be impersonating an actual attorney from the UK. Let's say you might be brokering an acquisition or some other deal and they need to work with that person. And so there's a lot more complexity in those BEC attacks than what we see with other types of attacks from West African actors.
Lindsey O’Donnell-Welch: Yes. Well, with all this innovation that you're seeing on the bad actor side, what are you seeing with companies that are looking to defend themselves against this? Are you seeing the ability to keep up here? Are you feeling optimistic or pessimistic?
Crane Hassold: You know, I'm probably biased based on where I currently work. But the biggest challenge with BEC attacks today is that historical infrastructure and historical legacy defenses that have been put into place to defend employees against certain email based cyberattacks were developed to identify more technically sophisticated attacks, like malware and malicious payloads and things like that. What they weren't really good at is identifying attacks that did not contain a malicious link or malicious attachment, which is essentially what BEC is today. The attackers, I understood that that's why they evolved and adapted their tactics to move into the BEC space, but the biggest thing when it comes to defending against BEC attacks, is understanding the nature of cyber threats today. And the fact that when most people think of cyberattacks, they think of these technically sophisticated attacks, like ransomware, when the case is that's not actually what is happening today. A lot of it is driven purely through social engineering, and your email defenses that are defending your employees against cyberattacks need to take that into account. And so having a layer of security that is really well equipped to identify and detect social engineering attacks is imperative in order to be able to defend yourself against those attacks, because other legacy secure email gateways just aren't doing a great job of defending against and identifying them.
Lindsey O’Donnell-Welch: When you look at these types of attacks, what are some trends that you see going into 2022 that you think are important to keep in mind and keep an eye on looking forward?
“I think we're going to start seeing a lot more sophisticated actors entering the BEC space because of the disruption that seems to be coming down the pike with ransomware.”
Crane Hassold: I've thought about this, what the future of the cyber threat landscape looks like over the next 12 to 18 months. And I think what's really interesting is, obviously ransomware has been in the news, and it's been a big focus not only within our community, the cyber threat community, but also from a federal government perspective, because of a lot of the disruption that happened earlier this year. So a lot of attention has been paid to ransomware. But when you look at ransomware, the primary drivers of the ransomware landscape today are ransomware as a service, which allows lower-level cybercriminals to enter the ransomware space because they can just essentially lease or rent malware infrastructure. Also the extortion side of ransomware, which essentially provides some additional motivation for targets, for victims, to pay, instead of just retrieving backups. But the biggest factor that I think drives ransomware today is cryptocurrency. Without cryptocurrency, the scale of ransomware payments that we see today would not be possible, even if it were something like a wire transfer. The amount of friction that's required in order to make a multimillion-dollar wire transfer prevents that from happening quickly and anonymously.
And so what I think you've started seeing, especially in the US, is some discussion about regulation of cryptocurrency, which I think if it's done properly, will essentially diminish the overall return on investment, the ROI, for ransomware attacks. And once you've done that, you've mitigated a lot of the financial incentive to do those ransomware attacks. But the question is if you do that, what happens next, because these actors aren't just going to go away, because it's all financially motivated, they still want to make money. What I think is going to happen is you're going to start seeing this shift for these actors that have been dabbling in ransomware and network access as a service, pivoting over to the BEC space, because they've seen the amount of money that can be made over there, and they have infrastructure, that they can just sort of adapt a little bit. So instead of using malware to gain access to networks, they can use that to gain access to email, and use a lot of the same vendor email compromise tactics that we've been seeing with a lot of these West African scammers just doing that at a different scale. And so I think we're going to start seeing a lot more sophisticated actors entering the BEC space because of the disruption that seems to be coming down the pike with ransomware. And once you essentially have this more sophisticated group of actors moving into the BEC space, I think it's going to become a little bit more concerning, essentially, what you could end up having is this hybrid of attack that has the scale and sophistication of ransomware, combined with the money mule networks, and financial impact of BEC. And I think that, if it does come to fruition, it is a pretty concerning threat to think about on the horizon.