In our predictions report for 2019, “Mapping the Future: Dealing with Pervasive and Persistent Threats,” we foresaw an increase in the rate of BEC (business email compromise) attacks: “Business email compromise will go two levels down in the org chart.” From the report:
“Business email compromise (BEC) remains a very potent and lucrative means of funneling money from companies. We believe that as a result of the focus on C-level officers as targets of fraud in news articles about BEC, cybercriminals will attack employees further down the company hierarchy. For instance, cybercriminals will target the CxO’s secretary or executive assistant, or a high-ranking director or manager in the finance department.”
The risk may be even greater than that, however.
2014 was a peak year for huge data breaches. Yahoo, Starwood, and Facebook each lost hundreds of millions of user identities. This vast treasure trove of identity information offers the holders of that data the opportunity to aggregate and model the organizational structure of most major corporations in the US. Because the data arrives as a massive set of identity records in a common format, big data analytics are easy to apply to it.
From the Yahoo and Starwood data, researchers have a census of Internet users who travel. The travel profile indicates which users have corporate accounts, and which corporations they work for. From Facebook, researchers can determine social relationships among employees of a particular company. By using a professional LinkedIn subscription, researchers can supplement these data points with detailed organizational structure, reporting relationships, and career paths. LinkedIn has suffered no breach, as far as we know. The information LinkedIn holds is available to all premium subscribers.
To date, most business email compromise (BEC) attacks have mimicked a CEO asking a CFO to draft a check or approve an invoice. With the more detailed information from the 2014 hacks, the next generation of BEC can mimic a manager from a remote office requesting privileged access for an employee from an administrator in an IT service center. So an IT technician or administrator might receive an email like this:
Joseph Needham in my group has replaced Floyd Farkle, who left abruptly for a better job across town. Because Floyd was our local admin, I can’t update any permissions for my team. Can you grant Joseph (employee number 123456) the same set of permissions Floyd had? I sent in a ticket but things haven’t been moving as quickly as they should, and the quarter end is looming. Thanks for your attention to this matter.
In this case, Joseph is a real local admin but he hasn’t actually left the business. Chuck Itall is a real manager, but his account was compromised silently. He is on a business trip and out of contact for the next day or so. Floyd is a real employee whose account was also compromised, but he’s not available because he may be on vacation (judging from his Facebook postings). Ted is an actual employee in central IT administration.
Ted has to choose whether to grant the emergency request and wait for the ticket to come through, or to ignore the request and incur the wrath of the remote manager Chuck. Suppose you were Ted. Would you grant the permissions or not?
As these hostile threat actors become more proficient at analyzing and updating their trove of identity data, they will continuously improve the accuracy of their databases. Through more targeted spear phishing campaigns, these threat actors will deepen and confirm their models of target organizations. This has already happened in specific industries. Between 2010 and 2014, threat actors targeted LinkedIn profiles with the honorific “Esq.,” leading to numerous hacks of law firms. In those cases, spam and phishing gave threat actors relatively easy access. The result put critical confidential information on mergers and acquisitions, and pre-patent intellectual property, at risk. The larger-scale hacks of 2014 opened a broader range of targets to threat actors.
Organizations can take steps to reduce their attack surfaces. First, make sure that individuals who can grant enhanced permissions know what to do when they get an unexpected request. Build a reliable system to verify such requests before acting on them. Consider how users might ask for enhanced permissions, and deploy processes with adequate audit and logging for real-time alerting and later analysis.
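As an added illustration (not from the original post or the report), here is a small Python verification policy for the kind of request Ted receives. The HR directory, ticket queue, account names and the individual checks are constructed assumptions for the scenario; every decision is written out as a JSON line so it can feed real-time alerting and later review.

```python
"""Verify a privileged-access request before acting on it, then log the decision.

Constructed sample data modelled on the scenario in the post; the HR and
ticket records, account names and the verify() policy are assumptions for
illustration, not any product's API.
"""
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed HR directory: employee number -> record. In the scenario Floyd
# has NOT left, so HR still lists him as "active".
HR: Dict[str, dict] = {
    "123456": {"name": "Joseph Needham", "status": "active", "manager": "chuck.itall"},
    "123321": {"name": "Floyd Farkle", "status": "active", "manager": "chuck.itall"},
}
# Constructed ticket queue: the request of record lives here, not in email.
TICKETS: Dict[str, dict] = {
    "T-1001": {"grantee": "123456", "template": "123321", "requester": "chuck.itall"},
}

@dataclass
class AccessRequest:
    requester: str               # mailbox the email arrived from
    grantee_id: str              # employee number to receive permissions
    template_id: str             # employee number whose permissions are to be copied
    ticket: Optional[str]        # ticket number cited by the requester, if any
    oob_confirmed: bool = False  # requester reached on a directory phone number, not by reply

def verify(req: AccessRequest, hr=HR, tickets=TICKETS) -> Tuple[str, List[str]]:
    """Return ("grant" | "hold", reasons). Any failed check holds the request."""
    reasons: List[str] = []
    ticket = tickets.get(req.ticket or "")
    if ticket is None:
        reasons.append("no ticket of record; email alone is not a request")
    elif (ticket["grantee"], ticket["template"], ticket["requester"]) != (
            req.grantee_id, req.template_id, req.requester):
        reasons.append("ticket does not match the emailed request")
    template = hr.get(req.template_id)
    if template is None or template["status"] != "terminated":
        reasons.append("account to be cloned belongs to someone HR still lists as active")
    grantee = hr.get(req.grantee_id)
    if grantee is None or grantee["manager"] != req.requester:
        reasons.append("requester is not the grantee's manager of record")
    if not req.oob_confirmed:
        reasons.append("requester not confirmed out of band")
    return ("grant" if not reasons else "hold"), reasons

def audit_record(req: AccessRequest, decision: str, reasons: List[str]) -> str:
    """One JSON line per decision, for real-time alerting and later analysis."""
    return json.dumps({"event": "privileged_access_request", "decision": decision,
                       "reasons": reasons, **asdict(req)}, sort_keys=True)

if __name__ == "__main__":
    emailed = AccessRequest("chuck.itall", "123456", "123321", "T-1001")
    print(audit_record(emailed, *verify(emailed)))  # decision: hold
```

In the post's scenario the ticket exists and matches, yet the request is still held because HR has not marked Floyd as departed and nobody has reached Chuck by phone; the ticket, HR and callback checks each close a different gap an attacker could exploit.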
To view the entire report, see https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2019
Let me know what you think! Either comment below, or contact me @WilliamMalikTM.