Massive growth in the volume of Business Email Compromise (BEC) attacks was linked to a surge in successful phishing campaigns, according to data from Secureworks
Published: 16 Mar 2023 16:00
The volume of Business Email Compromise (BEC) attacks doubled during the course of 2022 thanks to several high-profile and successful phishing campaigns, replacing ransomware as the most commonly observed financially motivated cyber attack vector, according to data compiled from hundreds of incidents responded to by the Secureworks Counter Threat Unit (CTU).
Secureworks said its figures demonstrate that although talk of advanced AI-driven threats might be dominating the security landscape, successful cyber attacks had rather more humble origins. It described the current landscape as “less ChatGPT, more Chad in IT”.
A BEC attack is a form of social engineering in which cyber criminals target an employee with access to company funds and convince them to transfer money to an attacker-controlled account, most usually by convincingly impersonating a line manager, supervisor or other senior figure in the organisation.
Often, such attacks take place at the end of a financial quarter, and the phishing lures may invoke a sense of urgency, referencing time-sensitive or confidential matters that must be attended to immediately. In some commonly seen examples, the supposed manager claims to need Amazon gift vouchers for an employee incentive or reward scheme.
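The impersonation and pressure patterns described above can be turned into simple triage rules. The script below is an added example written for this article, not Secureworks tooling: it parses a raw email, checks for an executive's display name on an address that is not theirs, a lookalike sender domain, a Reply-To that redirects replies elsewhere, and urgency or payment language in the subject and body. The organisation domain, executive list and the three sample messages are constructed for illustration.

```python
"""Heuristic BEC triage over raw email messages.

Added example, not Secureworks code. The organisation domain, executive
directory and sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation: its own sending domains and the senior staff most
# likely to be impersonated, keyed by lower-cased display name.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "alex smith": "alex.smith@example.com",
}

URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|confidential|time.sensitive|right away)\b", re.I)
PAYMENT = re.compile(
    r"\b(gift (?:card|voucher)s?|wire transfer|bank details|invoice|payment)\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return the BEC indicators found in one RFC 822 message plus a verdict.

    Handles single-part text messages; multipart bodies are skipped here
    (a real mail gateway would walk every text part).
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = msg.get("Subject", "") + "\n" + body
    found = set()

    # 1. A known executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr.lower() != exec_addr:
        found.add("exec_display_name_mismatch")

    # 2. Sender domain is a near-miss of one of ours (typosquat / lookalike).
    sender_domain = _domain(from_addr)
    if sender_domain and sender_domain not in ORG_DOMAINS and any(
            _edit_distance(sender_domain, d) <= 2 for d in ORG_DOMAINS):
        found.add("lookalike_domain")

    # 3. Replies are redirected to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != sender_domain:
        found.add("reply_to_mismatch")

    # 4/5. Pressure language and a request that moves money.
    if URGENCY.search(text):
        found.add("urgency_language")
    if PAYMENT.search(text):
        found.add("payment_request")

    impersonation = "exec_display_name_mismatch" in found or "lookalike_domain" in found
    pressure = {"urgency_language", "payment_request"} & found
    suspicious = (impersonation and pressure) or len(found) >= 3
    return {"indicators": sorted(found), "verdict": "suspicious" if suspicious else "clean"}


# Constructed sample messages (not real incident data).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo.janedoe@outlook.com>
To: finance@example.com
Subject: Quick favour - confidential

Are you at your desk? I need some Amazon gift cards for an employee reward
scheme today. It's urgent, I'm in meetings so reply by email only.
"""

SAMPLE_LOOKALIKE = """\
From: Alex Smith <alex.smith@examp1e.com>
To: accounts@example.com
Subject: Supplier payment

Please process the attached invoice immediately; the supplier has changed
their bank details.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q1 board pack

Hi, attaching the draft board pack for review before Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in [("bec", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, bec_indicators(sample))
```

The rules are deliberately cheap so they can run on every inbound message at a gateway; none of them is conclusive alone, which is why the verdict requires an impersonation signal combined with a pressure signal, or several indicators together. In production the executive directory would come from the identity provider rather than a hard-coded dictionary, and the display-name check should also cover common variants (initials, reversed order).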
Secureworks found that BEC was involved in 33% of incidents where it was able to establish the initial access vector (IAV), up from 13% in 2021.
“Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organisations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models,” said Mike McLellan, director of intelligence at Secureworks.
But this is not to say that other IAVs are not proving just as profitable. Exploiting vulnerabilities in internet-facing systems was also seen in approximately a third of incidents in which the CTU sprang into action. Typically, threat actors rely on publicly disclosed vulnerabilities, such as ProxyLogon, ProxyShell or Log4Shell.
McLellan said: “Cyber criminals are opportunistic – not targeted. Attackers are still going around the parking lot and seeing which doors are unlocked. Bulk scanners will quickly show an attacker which machines are not patched. If your internet-facing applications aren’t secured, you’re giving them the keys to the kingdom. Once they are in, the clock starts ticking to stop an attacker turning that intrusion to their advantage.”
Ransomware incidents drop
Meanwhile, in common with other observers, Secureworks saw the total number of ransomware incidents drop by a massive 57%, likely due to a combination of factors, including changing tactics among ransomware gangs and increased law enforcement activity around high-profile attacks.
McLellan cautioned that this second factor could be skewing the data to some extent: given the impact of high-profile ransomware incidents, cyber criminals may be turning their fire on smaller businesses that are less likely to engage incident response assistance, and which therefore would not show up in the CTU statistics.
Financially motivated attacks were seen to account for most of the incidents investigated by the CTU, representing 79% of the sample, a drop from previous years and likely a result of the disruption caused by Russia’s war on Ukraine.
Finally, intrusions backed by hostile state APTs rose 3% year on year to 9%, with 90% of this activity attributable to China – despite the noise around Russia.
“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same,” said McLellan.
“For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn’t. The same is true for IAVs; it’s all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to.
“Once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict. As states such as China, Russia, Iran, and North Korea continue to use cyber to advance the economic and political goals of their countries, it is even more important that businesses get the right controls and resources in place to protect, detect and remediate attacks.”