Crane Hassold, with Abnormal Security, recently joined Lindsey O’Donnell-Welch on the Decipher podcast to talk about why business email compromise attacks are still a top financially damaging threat today. This is a condensed and edited version of the conversation.
Lindsey O’Donnell-Welch: You’ve tracked and followed business email compromise attacks for a while now. What does the current threat landscape look like?
Crane Hassold: So I’ve looked at BEC attacks for the past five years now. And a lot of the research that I’ve done has not just looked at the attacks themselves, but how the attacks unfold from beginning to end. So my team at Abnormal Security, one of the things that we do is actually engage with these attackers and communicate with them, and one of the unique aspects of BEC is that it requires an interaction with a victim in order to be successful. And so that interaction allows us to collect some more robust intelligence to understand how these attacks unfold over time, essentially allowing us to see the entire attack chain. And so what’s really interesting about BEC is… that it definitely doesn’t get the amount of attention that other types of cyber threats get. That’s probably because they’re relatively technically unsophisticated, it’s pretty much just communicating with a financial executive, or an HR employee or something like that, and trying to persuade them using pure social engineering tactics to either send money or update their direct deposit information, or even send maybe some W2s. And compare that to something like ransomware; obviously, that has a little bit more visibility, and in some cases, depending on the attack, it may disrupt actual infrastructure. Whereas with BEC, a lot of that is behind the scenes. But when you look at the financial losses that have been attributed to BEC attacks, it’s not even close. [BEC attacks led to] $1.8 billion in losses last year, and I think it’s grown about 30 percent or so year over year. As we move into the end of this year into next year, we’re talking about more than $2 billion a year going to be lost for BEC attacks. 
And when you compare that to even things like ransomware that get all the attention, maybe if you take out a lot of the underreporting, and even if you insert into the equation things like remediation, you’re talking about hundreds of millions of dollars, and it’s still a lot of money, but it really doesn’t even touch the overall financial impact of BEC.
Lindsey O’Donnell-Welch: When you’re looking at different BEC groups – and I know you’ve done a lot of work looking into how these groups collaborate, and how they work together – how does that break down?
Crane Hassold: So what’s interesting is that most BEC groups today are still coming from West Africa, primarily Nigeria, which is sort of a central hub for BEC actors today. That being said, we have started to see some other actors and other places of the world, like Eastern Europe and Russia, Israel, that are sort of an emerging hotspot for BEC actors. But even when we see a lot of BEC actors in other countries, like the United Arab Emirates, Dubai, specifically, Malaysia, or even here in the US, even when we see BEC actors in those countries, they’re usually Nigerian expatriates. So there’s a big link to Nigeria, it’s still there.
When we look at how they work, there’s a lot of specialization in how they operate. So you have a number of different roles, you have what are called the loaders, which are the ones that are actually going to be sending the emails, they’re going to be the ones responsible for really driving the actual communication behind the scenes. You have things like pickers; pickers are the actors who are responsible for maintaining the email accounts, they’re going to be receiving fraudulent funds. And a lot of those mules, at the end of the day, a majority of them, in fact, are actually victims of other types of scams, like romance scams. And so you have pickers that are in charge of making sure that that money is getting there and then passing it on. And then you have the spammers who are actually sending out phishing emails if it comes to vendor email compromise attacks. And what’s interesting with the whole […]