Microsoft warns of new threat in business email compromise (BEC) and account takeover attacks
Microsoft Security researchers have discovered that cybercriminals are buying locally generated IP addresses to hide the origin of their login attempts, enabling them to circumvent the common “impossible travel” security detection. Impossible travel flags are triggered when a task is performed at two locations in a shorter amount of time than would be required to travel from one location to the other. This method of attack evades the impossible travel flag and allows cybercriminals to bypass security systems and collect compromised credentials, gaining access to accounts from anywhere.
Cybercrime-as-a-service (CaaS) with BulletProofLink
The attackers use a combination of platforms, including BulletProofLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to avoid detection of fraudulent login attempts. BulletProofLink provides cybercrime-as-a-service (CaaS) by selling an end-to-end package that includes templates, hosting, and automated services for committing BEC. At the same time, the abuse of residential IP addresses enables higher volumes of BEC attacks, the researchers warn.
High volume BEC attacks with residential IP addresses
According to Microsoft, residential IP service providers have up to 100 million IP addresses that can be rotated or changed every second. With localized address space plus stolen usernames and passwords, BEC attackers can obscure their movements, circumvent impossible travel flags, and conduct further attacks. Asian and Eastern European threat actors are reportedly the ones most frequently deploying this tactic.
Escalating numbers of Business Email Compromise (BEC) campaigns
These warnings come amid a rising number of BEC campaigns, with nearly all forms of BEC attack on the rise. The FBI reports that it logged more than 21,000 BEC complaints in 2022, amounting to adjusted losses of more than $2.7 billion. Rather than exploiting vulnerabilities in unpatched devices, BEC operators exploit email traffic and lure victims into providing financial information. Based on the researchers’ report, the top lures are payroll topics, invoices, gift cards, and business information.
Top targets of BEC cybercriminals and their methods of attack
The top targets for BEC cybercriminals are executives and senior leaders, finance managers, and human resources staff with access to employee records such as social security numbers, tax statements, and other personally identifiable information. Attackers also use socially engineered attacks against new employees, who may be less likely to verify unknown sender email addresses. Microsoft researchers revealed that attackers breached the security vendor Dragos by targeting a new employee with a socially engineered attack that allowed them to log in to the company’s employee-onboarding process.
Protection and Mitigation Strategies Against Local IP Tactics
Organizations need to use more than geo-location when evaluating the authenticity of login attempts; a full behavioral analysis of sign-in activity is required. It is also highly recommended that enterprises configure mail systems to flag messages sent from external parties, enable DMARC, and notify users when email senders are not verified. Organizations can further reduce their exposure to fraud by:
- Blocking senders with unconfirmed identities.
- Reporting spam and phishing emails in email apps.
- Setting strong authentication policies, including multifactor authentication (MFA).
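To make concrete why the geo-only impossible travel check described above fails against a residential-proxy login and why the behavioral analysis recommended here is needed, the following added example (not code from Microsoft or from the original article) runs a haversine-based impossible travel check and a combined behavioral check over two constructed sign-in events; the event fields, the 900 km/h threshold and the `asn_type` enrichment value are assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). The first is the
# user's usual laptop in their home city; the second comes seven minutes later
# from an unfamiliar device via an address in the same city whose network has
# been enriched (assumed IP-reputation feed) as a residential-proxy egress.
EVENTS = [
    {"ts": "2023-05-10T09:00:00", "lat": 47.61, "lon": -122.33,
     "device": "dev-laptop-01", "asn_type": "isp"},
    {"ts": "2023-05-10T09:07:00", "lat": 47.62, "lon": -122.35,
     "device": "dev-unknown-77", "asn_type": "residential-proxy"},
]

MAX_SPEED_KMH = 900  # assumed threshold, roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_SPEED_KMH):
    """Geo-only check: flag when the implied travel speed exceeds max_kmh."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
    hours = delta.total_seconds() / 3600
    if hours <= 0:
        return dist > 0  # two places at the same instant is also impossible
    return dist / hours > max_kmh


def behavioral_flags(prev, cur, known_devices):
    """Combine the geo check with device and network-type signals."""
    flags = []
    if impossible_travel(prev, cur):
        flags.append("impossible_travel")
    if cur["device"] not in known_devices:
        flags.append("unfamiliar_device")
    if cur["asn_type"] == "residential-proxy":
        flags.append("residential_proxy_egress")
    return flags
```

On the constructed events the geo-only check returns False (about 2 km in 7 minutes), while the combined check still raises the unfamiliar-device and residential-proxy flags.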
Employee training in identifying fraudulent and malicious emails should be commonplace. Regular training and awareness efforts increase the chances of preventing BEC attacks.
Editorial
The world is moving towards a digital framework, and the increase in remote work has made email security paramount. Microsoft’s warning of increased BEC attacks should serve as a signal to every company to evaluate the security measures it has in place. Like the concept of the Break-In-Chain, where we take preventive measures by installing different mechanisms and layers to create a safer environment, we need to do the same for our email security framework. Furthermore, organizing training and awareness programmes for identifying fraudulent emails would be useful; it also gives employees an overall understanding of the risks and threats that exist in the online world.
Advice
Considering the evolving threat landscape, organizations need to stay vigilant against BEC attacks, from identifying fraudulent emails to implementing multifactor authentication (MFA) and meticulous security policies that enhance email security. Enterprises need to keep in mind that evaluating the authenticity of login attempts requires a full behavioral analysis instead of relying on geo-location alone. Additionally, every employee in the organization should undergo regular training and awareness programmes, and secure email practices should be ingrained in every employee.