There’s a reason why the FBI estimates the average loss caused by Business Email Compromise (BEC) at $130,000 per company. Employees are not familiar with current social engineering strategies, and the network setup is not well enough equipped to keep the threat from getting into the network. This is exactly the situation depicted in an ongoing BEC campaign targeting companies in the US, Middle East, and Asia.
The attack, which has been traced back to Lagos and Kuala Lumpur, targets companies from several industries such as real estate, manufacturing, and construction.
Figure 1. Regional breakdown of companies targeted by ongoing BEC Campaign
| Asia Pacific | Europe and Middle East | North America |
| --- | --- | --- |
| | United Arab Emirates | |

Table 1. Countries Affected by the Olympic Vision BEC Campaign
Business Email Compromise has increasingly become a big threat to enterprises in the past years, prompting the FBI to issue a public announcement to warn companies. As the name suggests, the scheme involves cybercriminals compromising a company’s business email, more specifically the accounts of employees involved in conducting wire transfers. The cybercriminals use their access to the employees’ email accounts to intercept existing transactions or trigger new ones, all in order to divert funds into accounts that they control.
Business Email Compromise attacks are notorious for relying on social engineering lures. In one type of Business Email Compromise scheme, the attacker even pretends to be a company executive and instructs the company accountant to transfer funds to the attackers’ account, under the guise of a confidential business deal.
Figure 2. Email sent by cybercriminals using a victim’s email account in a Business Email Compromise attack
As mentioned, the average loss caused by BEC is substantial. The potential gain for cybercriminals stands in stark contrast to their expenses in conducting the attack, which often amount to a run-of-the-mill backdoor that costs less than $50 to purchase online, plus some basic online research on the company and its personnel.
In this attack, for example, cybercriminals used a keylogger called Olympic Vision and sent it to their targets as an email attachment. In our monitoring of BEC attacks, such emails often contain a message with a sense of urgency to convince the target to open the attached file.
Figure 3. Initial email sent by BEC scammers to convince their target to install a backdoor
Figure 4. BEC scammers convincing the target to wire funds to an account that they control
Olympic Vision is the fourth malware we’ve seen used in Business Email Compromise campaigns, after Predator Pain, Limitless, and HawkEye. Similar to other BEC malware, Olympic Vision is capable of stealing a variety of information from its target, and comes with a small price tag – its toolkit can be bought for $25. Further details about the malware can be found in our Olympic Vision technical brief.
We looked at the trail of Olympic Vision keyloggers being used in the wild to check for organized activity, and were able to trace the identities of the actors, positively identifying two Nigerian cybercriminals – one operating from Lagos, and the other from Kuala Lumpur. The involvement of Nigerian cybercriminals in this Business Email Compromise campaign is reminiscent of the HawkEye BEC campaign we were able to monitor last year. That campaign, which mainly targeted small businesses, was also run by two Nigerian cybercriminals. We are in the process of working with law enforcement to crack down on the operators of this BEC campaign.
Defenses against Business Email Compromise
With the effectiveness of Business Email Compromise depending heavily on social engineering techniques, educating employees on the nature of the scheme can go a long way in protecting the organization against it. It is also important to set up solutions that can help detect and block BEC-related emails and malware should they get into the network.
Medium and large enterprises using Trend Micro products are protected from this threat. The Olympic Vision variants and BEC-related emails are blocked by the endpoint and email security capabilities of the Trend Micro Smart Protection Suites and Network Defense solutions.
Besides these solutions, we also recommend starting with some best practices to protect your company, one of them being healthy email habits (such as careful scrutiny of all received emails before replying, or double-checking with outside sources about the sender). We’ve outlined such practices and more in our entry, Battling Business Email Compromise Fraud: How Do You Start?
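The indicators described in this post (an executive’s name on a sender address outside the company, a “confidential” and urgent wire-transfer request, a lure with an executable attachment) can be turned into a simple mail-gateway triage check. The script below is an added example written for this post, not Trend Micro code or part of any Trend Micro product; the company domain, executive directory, and the three sample messages are all constructed for the example and the scoring thresholds are an assumption.

```python
"""Heuristic triage for Business Email Compromise (BEC) lures.

Added example (not Trend Micro code). Scores raw RFC 5322 messages for the
indicators the post describes: an executive's name on a sender address outside
the company domain, a Reply-To that differs from From, urgent wire-transfer
language, and an executable attachment. The executive directory, company
domain and sample messages are constructed for this example.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                 # assumed corporate domain
EXECUTIVES = {"jane doe": "ceo", "john roe": "cfo"}  # assumed directory
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
FINANCE = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".jar", ".zip", ".rar", ".iso")


def analyze(raw: bytes) -> dict:
    """Return the BEC indicators found in one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Executive display name paired with a non-corporate sender address.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append("exec_name_external_domain")

    # Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append("reply_to_mismatch")

    # Urgency plus money-movement language in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text) and FINANCE.search(text):
        findings.append("urgent_finance_request")

    # Executable or archive attachments, the delivery vehicle for the keylogger.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            findings.append(f"risky_attachment:{fname}")

    return {"subject": str(msg.get("Subject", "")), "findings": findings,
            "score": len(findings)}


def sample_ceo_fraud() -> bytes:
    """Constructed executive-impersonation lure."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@webmail.test>"
    m["Reply-To"] = "ceo.office@webmail-2.test"
    m["To"] = "accounts@example-corp.test"
    m["Subject"] = "Urgent wire transfer - confidential deal"
    m.set_content("Please process the transfer today. Bank details to follow.")
    return m.as_bytes()


def sample_keylogger_lure() -> bytes:
    """Constructed invoice lure carrying an executable attachment."""
    m = EmailMessage()
    m["From"] = "Accounts Payable <ap@vendor-portal.test>"
    m["To"] = "purchasing@example-corp.test"
    m["Subject"] = "Overdue invoice - action required immediately"
    m.set_content("See attached invoice, payment is overdue.")
    m.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                     subtype="octet-stream", filename="Invoice_03162016.exe")
    return m.as_bytes()


def sample_benign() -> bytes:
    """Constructed legitimate internal message from the real executive."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@example-corp.test>"
    m["To"] = "staff@example-corp.test"
    m["Subject"] = "Town hall agenda"
    m.set_content("Agenda for Friday is in the calendar invite.")
    return m.as_bytes()


if __name__ == "__main__":
    for build in (sample_ceo_fraud, sample_keylogger_lure, sample_benign):
        result = analyze(build())
        print(f"{result['score']}  {result['subject']!r}  {result['findings']}")
```

Any message with a score of two or more is a candidate for quarantine or for a second-channel confirmation with the purported sender; a single indicator is better routed to a warning banner, since urgent internal finance mail does exist.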
More BEC Malware
For information on our investigations of past BEC campaigns, check out our previous research below:
- Predator Pain and Limitless: Behind the Fraud
- Cybercriminal Sharpshooters: Nigerian Scammers Use HawkEye to Attack Small Businesses
With additional analysis from Jaaziel Carlos, Junestherry Salvador, Lord Remorin and Joey Costoya.
Updated March 16, 2016, 11:54 PM PST to clarify details on Trend Micro solutions against this Business Email Compromise campaign.