Abnormal Quarterly BEC Report Q1 2020


Page 1: Abnormal Quarterly BEC Report Q1 2020 · Type, Size and Frequency of BEC Attacks Compared to Q4 2019, the first quarter of 2020 saw an increase in the size and frequency of BEC attacks


Page 2: Abnormal Quarterly BEC Report Q1 2020 · Type, Size and Frequency of BEC Attacks Compared to Q4 2019, the first quarter of 2020 saw an increase in the size and frequency of BEC attacks


Executive Summary

The first Abnormal Security Quarterly BEC Report follows a quarter in which the entire world came to a standstill due to the COVID-19 pandemic. Businesses closed and enterprises had to adjust quickly to new work-from-home realities. This created an extremely opportunistic environment for attackers, who quickly capitalized on the uncertainty, fear and panic created by the pandemic.

These attacks were among the most sinister in intent that we have ever seen, and used lures such as vaccines, PPE, stimulus checks, PPP payments, layoff concerns, and the popularity of video conferencing tools. In the second and third weeks of March, attacks increased more than 430% – a spike we have never seen before in relation to an external event.

Simultaneously, we observed an increase in the quality of Business Email Compromise (BEC) attacks, along with the size of campaigns. Attackers are taking their time to identify the best attack vectors, shifting their focus slightly away from the C-Suite and towards employees working in finance who hold the key to routine payments, as well as towards vendors, which we anticipate is an emerging and important trend in BEC.

BEC attacks are targeted, hand-crafted and incorporate heavy elements of social engineering. As such, BEC represents a relatively small portion of the total volume of email attacks, yet it disproportionately represents the greatest financial risk of all email attacks. According to the 2019 FBI IC3 report, BEC was responsible for more than 50% of all cybercrime-related financial losses.

Undoubtedly, given the success of BEC attacks, cybercriminals will continue to use these methods. It is also highly likely that we will see an evolution of these attacks to make them even more valuable (and damaging). Abnormal Security will be tracking the trends, tactics and techniques of BEC on a quarterly basis. This is what we observed and learned in the first quarter of 2020.

Sincerely,

Evan Reiser

CEO and Co-Founder, Abnormal Security

Page 3: Abnormal Quarterly BEC Report Q1 2020 · Type, Size and Frequency of BEC Attacks Compared to Q4 2019, the first quarter of 2020 saw an increase in the size and frequency of BEC attacks


Key Takeaways

01 Attackers are accelerating the size and scope of threat attacks

Our research indicates a discernible shift from individual to group attacks, with campaigns with more than 10 recipients up 27% compared with Q4 2019. On the surface this might look less sophisticated than an individual attack, but appearances can be deceiving. By targeting a group within an organization, the attacker increases the likelihood of a response from one individual, which creates legitimacy in the eyes of the other targets. In other cases, the attackers found it viable to use a particular pretext and attack multiple organizations with the same customized content.

02 Finance employees are the most at-risk of attacks

Historically, the prime targets of BEC attacks reside in the C-Suite, where attackers look to take advantage of high-powered and very busy executives. However, our research has found that these attack targets have decreased by 37% between Q1 2020 and Q4 2019, while attacks on finance employees increased by 87% in the same period.

03 From paycheck to payment fraud

Paycheck and engagement fraud, popular attack routes for swift rewards, have declined by more than half in the past year. Today, we’re seeing an acceleration of invoice fraud attacks, increasing more than 75%. Even when an organization has established best-in-class security, third parties represent a weak link, leading to an increase in vendor and customer account fraud attacks.

04 COVID-19 created multiple vectors for attacks

From offers of vaccines, equipment and treatments to stimulus payment spoofs, attackers worked diligently to expose every collective weakness during the global pandemic upheaval, with COVID attack campaigns increasing 436% between the second and third weeks of March, and a 173% increase through the course of Q1.


Socially Engineered Attacks

· Executive and employee impersonation attacks
· Vendor impersonation attacks
· Compromised vendor accounts
· Compromised internal accounts

BEC losses continue to mount, as the FBI IC3 reports show, but little data has surfaced about the types of attacks and the tactics cybercriminals use when launching them. Deployed as a native integration into the Microsoft Office 365 environment, with customers leveraging a wide variety of email security tools, Abnormal Security has a unique opportunity to view and understand the types of BEC attacks that have slipped past those defenses.

Q1 2020 State of BEC

Type, Size and Frequency of BEC Attacks

Compared to Q4 2019, the first quarter of 2020 saw an increase in the size and frequency of BEC attacks with a notable increase of large campaigns aimed at 10 or more recipients. When compared to Q1 2019, we found a decrease in individual BEC attacks and an increase in attacks with more than one recipient.

Attackers still maintained a targeted approach, but were strategically grouping targets in order to gain social validity and increase the chances of engagement. In other cases, the attackers had found it viable to leverage the same attack across a variety of targets. However, all of these attacks still bear the attributes of heavily socially engineered tactics toward specifically targeted organizations.

Appendix A contains an example of a campaign leveraged against multiple targets that was detected and prevented by Abnormal Security.

Key Findings

· BEC attacks per 1kmb¹ increased by 28% in Q1 2020 over Q4 2019
· Over the same period, campaigns aimed at 10 or more participants increased by 17%
· Average campaign size (number of attacks per campaign) increased by 9%
· The number of individual attacks also increased by 14%
· Targeted attacks steadily and consistently increased, while large campaigns were more sporadic

¹ 1kmb = 1000 mailboxes. Charts are normalized for comparative purposes.


Figure 1: BEC Campaign Volumes - Q4 2019 and Q1 2020 (chart: weekly BEC campaign volume, Oct 2019 to Mar 2020)

Figure 2: Fewer campaigns, with more emails per campaign - Q1 2019 vs Q1 2020 (chart: campaign volume per week, 2019-01-20 to 2019-03-24 and 2019-12-29 to 2020-03-29)

Figure 3: Fewer campaigns, with more emails per campaign - Q1 2019 vs Q1 2020 (chart: email attacks volume per week, over the same weeks)


Figure 4: BEC Attacks on C-Suite (chart: weekly attacks, Oct 2019 to Mar 2020)

Figure 5: Attacks on Finance Employees (chart: weekly attacks, Oct 2019 to Mar 2020)

Most Targeted Employees

Historically, the prime targets of BEC attacks have been executives in the C-Suite - a technique known as whaling - but our data suggests this is changing. We observed an 87% increase in weekly attacks targeting employees in finance roles. Figures 4 and 5 show the relative decline of attacks targeting the C-Suite and the increase over the same period of attacks aimed at the Finance department.

Key Findings

· While C-Suite executives remain the primary targets of socially-engineered BEC, the relative number of attacks aimed at C-Suites declined by 37% in Q1, on average.

· Attacks on employees in Finance increased by 87% per week.



Types of BEC attacks

When we take a deeper look at the types of BEC attacks, several trends emerge. First, single-recipient attacks in Q1 2020 decreased compared to Q1 2019. This, in turn, led to a decrease in engagement and paycheck fraud² attacks, which are typically targeted at individuals. Conversely, invoice fraud³ attacks increased substantially, with attackers posing as vendors, suppliers or customers attempting to re-direct payments. Multiple variations of supply chain attacks exist, from both the customer and vendor angles.

Cybercriminals may be taking to supply chain attacks to leverage the trusted relationship with external third parties, where the bulk of communications are likely to be conducted over email. Business invoices also represent much larger amounts of money when the attack succeeds.

An example of an invoice fraud attack can be found in Appendix B. In this particular example:

· An attacker, impersonating the billing department of a vendor, asked for payment information to be updated.
· Over the course of an extended email exchange, the attacker convinced the Accounts Payable team to change bank routing information from the valid bank to the attacker’s bank.
· By cc’ing relevant parties within an organization, the attacker likely attempted to secure the latest vendor invoice to obtain the payee’s bank information for future fraud attempts.

Key Findings

· While attack volume was relatively constant in Q1 2020 relative to Q1 2019, campaign volume for engagement and paycheck fraud attacks declined significantly. This is a reflection of these attacks becoming less targeted between these two periods.
· Payment fraud campaigns, however, increased substantially. (Paycheck fraud, e.g. someone trying to change their direct deposit account information; payment fraud⁴, e.g. someone posing as an employee attempting to direct a payment to an unknown vendor.)

² Paycheck fraud: a cybercriminal attempting to change the direct deposit account information.
³ Invoice fraud: a cybercriminal attempting to re-direct a legitimate invoice payment or receive payment for a fraudulent invoice.
⁴ Payment fraud: a cybercriminal attempting to direct a payment to an unknown vendor.

Chart labels:

· Engagement: -66.86%
· Paycheck fraud: -52.45%
· Payment fraud: +75.8%

Figure 6: BEC attack types over time (chart: weekly BEC attacks by type, 2019-01-20 to 2019-03-24 and 2019-12-29 to 2020-03-29; legend: Engagement, Giftcard Fraud, Invoice Fraud, Paycheck Fraud)

Figure 7: Payment fraud attacks increasing over time (chart: weekly invoice fraud attacks over the same weeks)


Q1 2020 Spotlight: COVID-19

No report on cyber attacks in 2020 would be complete without acknowledging the attacks that attempted to capitalize on the global COVID-19 pandemic. We detected the first known COVID-related attacks on January 22. When the virus took hold in the U.S., we saw COVID attack campaigns explode, increasing by 436% between the second and third weeks of March 2020 alone.

Through the course of Q1, we saw a 173% increase in COVID-19 related attacks, as malicious threat actors utilized techniques such as social engineering, email spoofing, and brand impersonations to deceive users.

What made these attacks more onerous was that the majority of the attacks Abnormal caught were scams that leveraged trusted entities, using compromised and spoofed accounts to scam users and companies out of money, steal their credentials, or install malware on their devices.

In general, attackers used fear, uncertainty, and urgency around COVID-19 to deliver targeted attacks. Attackers aligned with the broader news cycle to impersonate trusted entities at key times, such as the Centers for Disease Control (CDC), university health task forces, and the Public Health Agency of Canada (amongst many others) to increase the likelihood that recipients would engage with their emails.

Timeline of COVID-19 Attacks

· February: Attacks impersonating the Centers for Disease Control and Prevention appeared, under the guise of providing details of active COVID-19 cases in recipients’ areas.

· Early March: The same week Abnormal caught a scam requesting donations to a military group supporting the WHO, the first COVID-19 related credential phishing attacks appeared as news of the pandemic became mainstream.

· Late March: As the financial impact of the pandemic took hold, Abnormal detected attacks impersonating major multinational financial institutions offering financial relief in an attempt to steal credit card information from victims.

· Early April: Once the federal government approved the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) in April, we also saw attacks exploiting the stimulus by impersonating financial institutions to gain access to users’ bank credentials.

Figure 8: Growth of COVID-19 related campaigns (chart “Weekly COVID-19 Related Campaigns”: campaigns per 1000 mailboxes by week, 2020-01-19 to 2020-04-05)


Key Findings

· Between the second and third weeks of March, COVID-19 related attack campaigns increased 436%.
· A large percentage of attacks detected and prevented by Abnormal were spam, but there was also a large number of credential phishing attacks.
· Based on subject lines, overall:
  · 2.34% of attacks were related to finance or stimulus relief.
  · 2.28% of attacks were related to personal protective equipment (these are all spam).
  · 0.34% were related to vaccines, treatments or a cure.

Figure 9: COVID-19 campaign attack types over time (chart: weekly campaigns per 1000 mailboxes, 2020-02-09 to 2020-04-05; types: Spam, BEC, Scam, Credential Phishing, Other, Malware, Extortion)

Figure 10: Overall attack types leveraging the COVID-19 theme (bar chart “COVID-19 Related Campaigns: Q1 2020”: campaigns per 1000 mailboxes for Spam, Credential Phishing, Extortion, Scam, Other, BEC, Malware; axis 0 to 8)


Appendix A

Attack Example: Fake Email Delivery Failure

• Email Gateway: None
• Email Security: Office 365
• Victims: Internal Employees
• Payload: Malicious Link
• Platform: Office 365
• # Mailboxes: Between 1,000 and 5,000

What was the attack?

• Setup: This is an attack that we’re seeing with more frequency. Email delivery failure notices are not uncommon, so this notice wouldn’t look out of place in an employee’s inbox.

• Email Attack: The attacker crafted a convincing-looking email delivery failure notice and sent it to their target. The email was crafted with specific information related to the organization they were targeting, including the organization’s domain and the email address of the recipient in the email copy, as an automated system would be expected to include.

• Payload: The email prompted the user to click on several links to “resolve the issue” with the email they allegedly sent that got bounced back. This led to a link impersonating an Office 365 login page. Given that the user might have expected this behavior after receiving the bounce-back, they might not have been suspicious about re-entering their credentials on that fake site.

• Result: This attack was an attempt at stealing the user’s credentials.

Why is this attack effective?

• Targeted Details: The attacker crafted a custom email delivery failure notice that used real information from the target’s organization (the domain and the recipient’s email address) in the copy of the email itself, as would be expected from a real email delivery failure notice.

• Deliberate Ambiguity: This delivery failure notice notably does not specify which email supposedly bounced back, which makes it more likely that the target of this email would click the links to find out which email supposedly was not delivered.

• Call to Action: Tied to the previous point, the attacker uses specific calls to action to spur the recipient into action (clicking the link and entering their credentials). It asks the target to check and update the email address of the intended recipient of this fictional undelivered email. Thus, the target is both intrigued about which email supposedly wasn’t delivered, and has a clear action to investigate.

• Expected Behavior: The URLs in this email attack lead to a (fake) Office 365 login page, which the embedded link instructs the page to fill with the intended target’s email address, giving the landing page further credibility. Given that this email delivery failure notice is ostensibly coming from Office 365, this wouldn’t be behavior that is entirely unexpected for the user, and they may not think twice about entering their credentials.
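The defender-side counterpart of the Appendix A example, added here as an illustration that is not part of the original report: a Python check that compares an inbound message claiming to be a delivery failure against what a genuine DSN looks like (multipart/report with a delivery-status part, null reverse path, no links), and scores the hallmarks the appendix lists (off-domain links, recipient address prefilled into the URL). Both sample messages, the organization domain `example-corp.com` and the link host `login-example.invalid` are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

ORG_DOMAIN = "example-corp.com"  # assumed: the protected organization's own domain (placeholder)

# Constructed sample of the Appendix A lure: looks like a bounce, but is a plain HTML mail
# whose links lead off-domain and carry the recipient's address to prefill a fake login page.
FAKE_NDR = """From: Mail Delivery System <postmaster@example-corp.com>
To: jane.doe@example-corp.com
Subject: Undeliverable: message delivery failure
Return-Path: <bounce-handler@mailer-bulk.example>
Content-Type: text/html; charset=utf-8

<p>Some of your messages could not be delivered. Check the recipient address and resend.</p>
<p><a href="https://login-example.invalid/owa?user=jane.doe%40example-corp.com">Resolve the issue</a></p>
<p><a href="https://login-example.invalid/owa?user=jane.doe%40example-corp.com">Review recipients</a></p>
"""

# Constructed sample of a genuine DSN: multipart/report with a delivery-status part and the
# null reverse path ("<>") that real bounces are sent with.
GENUINE_NDR = """From: Mail Delivery System <postmaster@example-corp.com>
To: jane.doe@example-corp.com
Subject: Undeliverable: Quarterly numbers
Return-Path: <>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery has failed to these recipients or groups: bob@partner.example
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example-corp.com

Final-Recipient: rfc822; bob@partner.example
Action: failed
Status: 5.1.1
--b1--
"""

DELIVERY_FAILURE_RE = re.compile(
    r"undeliverable|delivery (has )?failed|could not be delivered|bounced", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _text_body(msg: Message) -> str:
    """Concatenate the decoded text/* parts; delivery-status and multipart wrappers are skipped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def fake_ndr_indicators(raw_message: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return the sorted list of indicators that a message posing as a bounce is not a real DSN."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = _text_body(msg)
    if not DELIVERY_FAILURE_RE.search(subject + "\n" + body):
        return []  # does not claim to be a delivery failure; other checks apply
    found = set()
    # A real DSN is multipart/report with report-type=delivery-status (RFC 3464).
    is_dsn = (msg.get_content_type() == "multipart/report"
              and (msg.get_param("report-type") or "").lower() == "delivery-status")
    if not is_dsn:
        found.add("no_delivery_status_report")
    # Real bounces are sent with the null reverse path, so Return-Path is "<>".
    return_path = msg.get("Return-Path", "").strip()
    if return_path and return_path != "<>":
        found.add("non_null_return_path")
    # A bounce never needs the user to click anything; links, off-domain hosts and a
    # prefilled recipient address are the hallmarks of the credential-harvesting variant.
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    links = URL_RE.findall(body)
    if links:
        found.add("clickable_links_in_bounce")
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host and host != org_domain and not host.endswith("." + org_domain):
            found.add("external_link:" + host)
        if recipient and recipient in unquote(url).lower():
            found.add("recipient_prefilled_in_url")
    return sorted(found)


def is_suspected_fake_ndr(raw_message: str, org_domain: str = ORG_DOMAIN, threshold: int = 3) -> bool:
    """Flag for quarantine or analyst review once enough independent indicators line up."""
    return len(fake_ndr_indicators(raw_message, org_domain)) >= threshold


if __name__ == "__main__":
    for label, sample in (("fake", FAKE_NDR), ("genuine", GENUINE_NDR)):
        print(label, is_suspected_fake_ndr(sample), fake_ndr_indicators(sample))
```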


Appendix B

Attack Example: Account Update / Invoice Fraud Attack, Feb 4, 2020 to April 8, 2020

Overview

On April 8, 2020, Abnormal Security detected an attempted invoice fraud targeting a telecommunications provider, preventing more than $700,000 from being lost. The attacker’s sophisticated operation lasted over 9 weeks. This case study details the sequence of events leading up to the actual attempt.

Disclaimer: All parties have been anonymized for this case study.

Attack Summary

The actor targets a telecommunications company (hereby referred to as “TCC”) by impersonating a vendor. The vendor is a real company, but is being impersonated by the attacker (hereby referred to as “Impersonated-DC”) using domain impersonation. Over the course of 2 months, the attacker convinces TCC to change banking details and redirect the payment of a legitimate invoice to the attacker’s account. The amount of the invoice in question is worth over $700,000.

Constituents

Attacker Personas: Impersonated Datacenter Provider (aka “I-DC”)

• Carla Cooper (CFO)
• Amanda Steineman
• John Hickey
• Dylan Kessler
• Chris Force

Target Organization: Telecommunications Company (aka “TCC”)

• Megan: Accounts Payable
• Erin: Accounts Payable
• Ryan: Accounts Payable
• Paul: Accounts Payable
• Tina: Supply Chain Administrator

Attack Timeline

Dates marked on the timeline: Feb 4, Feb 14, Feb 18, Feb 27, Feb 28, Mar 4, Mar 6, Mar 23, Mar 24, Mar 26, Apr 1 and Apr 8, 2020. Times marked on the timeline: 10:04 AM, 12:25 PM, 1:01 PM. Events are labelled as Attacker (the impersonated vendor) or Target (TCC).

• Attacker poses as CFO, emails from I-DC account notifying TCC of a change in banks and requests updated forms for EFT/ACH.
• Megan from Accounts Payable at TCC responds requested
• Carla Cooper – “CFO”, requests confirmation on the timeframe required to update banking information and the date/amount for the next remittance.
• Tiffany from Accounts Payable replies: 7 business days to update bank details with a goal of 2 business days. She requests confirmation of the remittance address.
• Carla Cooper – “CFO”, replies with remittance address. The address is the REAL address of the vendor being spoofed.
• “Accounts Receivable” sends TCC a W9 Form. The W9 form has a different business name than the vendor being spoofed.
• Carla Cooper – “CFO”, replies with completed electronic authorization form.
• Carla Cooper – “CFO”, repeats request for confirmation that forms have been received and information updated. Asks for confirmation that payment will be received today.
• Carla Cooper – “CFO”, replies, claiming the new business name is a dba for the original vendor name. Asks again for when payment will be made.
• Tina, the Supply Chain Administrator, notices a mismatch between the Vendor (ACH form) and the new business name (W9 form) and requests clarification.
• Tina updates the entries in the vendor database, clearing the path for the current invoice to be paid.
• Carla Cooper – “CFO”, requests confirmation that forms have been received and information updated.
• Paul from Accounts Payable at TCC informs Spoofed-DC that the W9 has been sent to Vendor Management.
• Ryan from Accounts Payable cannot locate the vendor in the system. He requests a copy of a W9 or current invoice.

The attacker’s opening email:

From: Carla Cooper
Sent: Tuesday, February 4, 2020 9:18 AM
To: Accounts Payable Help Desk
CC: Amanda Steineman, John Hickey, Dylan Kessler, Chris Force
Subject: ACH Information Update

Hello AP,

We are in the process of ending our relationship with our old bankers and the account will be closing Today. Could you please send me an update form for EFT/ACH transfers as I would like to uppdate our company bank details with you to receive all future payments. However, Please cancel all EFT/ACH payments scheduled to our old account as it would not be received by us. Your prompt response would be appreciated.

Thank you,
Carla Cooper
Chief Financial Officer
<Redacted> Network LLC

TCC’s reply:

From: Accounts Payable Help Desk
Sent: Tuesday, March 23, 2020 2:49 PM
To: Accounts Receivable
CC: Carla Cooper, Amanda Steineman, John Hickey, Dylan Kessler, Chris Force
Subject: RE: ACH Information Update

Hello Carla,

I forwarded your W9 to our Vendor Maintenance team. To update banking information, please fill the attached electronic authorization form out.

Once received, as long as they don’t find any discrepancies, the update shouldn’t take very long, but our data manager will reach out directly if they have any further questions.

It looks like we pay you monthly so the next payment should be 4/1.

Thank you,

Paul
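As an added example (not the report’s own material), the accounts-payable control that the Appendix B timeline calls for: a Python check that treats every bank-detail change request as requiring a callback to the number already on file, and lists the escalation indicators this case study exposes (a lookalike sender domain, a known contact’s name arriving from an unregistered domain, urgency and cancel-scheduled-payments language, and a W9 business name that does not match the vendor master record even when a “dba” is claimed). The vendor record, the domains `example-dc.com` / `example-dc.co`, the callback number and the inbound request are constructed; the request body is modeled on the attacker email quoted in the appendix.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data as AP should hold it (constructed sample values)."""
    legal_name: str
    domains: frozenset          # email domains registered for this vendor
    known_contacts: frozenset   # lower-cased display names of authorized contacts
    callback_number: str        # phone number on file, used for out-of-band verification


@dataclass
class BankChangeAssessment:
    requires_callback: bool     # any bank-detail change is verified by phone, no exceptions
    indicators: list            # escalation indicators found in this particular request


# Language that marks a payment-detail change request.
BANK_CHANGE_RE = re.compile(
    r"\b(ach|eft|wire|bank(ing)? details?|remit(tance)?|direct deposit|routing)\b", re.I)
# Pressure tactics seen in the Appendix B email: account closing "today", cancel scheduled payments.
URGENCY_RE = re.compile(r"\b(today|immediately|urgent|prompt response|cancel all)\b", re.I)
CORP_SUFFIXES = {"llc", "inc", "corp", "corporation", "co", "ltd", "dba"}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (example-dc.co vs example-dc.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize_name(name: str) -> str:
    """Compare business names on their core tokens so a claimed 'dba' cannot hide a mismatch."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORP_SUFFIXES)


def assess_bank_change_request(vendor: VendorRecord, from_header: str, subject: str,
                               body: str, w9_business_name: str = None) -> BankChangeAssessment:
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    text = subject + "\n" + body
    if not BANK_CHANGE_RE.search(text):
        return BankChangeAssessment(requires_callback=False, indicators=[])
    indicators = []
    if sender_domain not in vendor.domains:
        lookalike = any(_levenshtein(sender_domain, d) <= 2 for d in vendor.domains)
        indicators.append(("lookalike_domain:" if lookalike else "unregistered_domain:") + sender_domain)
        # The display name of a real contact on a domain we do not have on file is the
        # signature of domain impersonation; the name alone proves nothing.
        if display.strip().lower() in vendor.known_contacts:
            indicators.append("known_contact_name_from_unregistered_domain")
    if URGENCY_RE.search(text):
        indicators.append("urgency_or_cancel_existing_payments")
    if w9_business_name and _normalize_name(w9_business_name) != _normalize_name(vendor.legal_name):
        indicators.append("w9_name_mismatch")
    # Even a clean request is verified by calling the number on file, never one from the email.
    return BankChangeAssessment(requires_callback=True, indicators=indicators)


# Constructed vendor master record and inbound request (placeholder names and numbers).
VENDOR = VendorRecord(
    legal_name="Example Datacenter LLC",
    domains=frozenset({"example-dc.com"}),
    known_contacts=frozenset({"carla cooper"}),
    callback_number="+1-555-0100",
)
SAMPLE_FROM = "Carla Cooper <carla.cooper@example-dc.co>"   # one letter short of the real domain
SAMPLE_SUBJECT = "ACH Information Update"
SAMPLE_BODY = """Hello AP,
We are in the process of ending our relationship with our old bankers and the account will be closing Today.
Could you please send me an update form for EFT/ACH transfers as I would like to update our company bank details with you to receive all future payments.
However, please cancel all EFT/ACH payments scheduled to our old account as it would not be received by us.
Your prompt response would be appreciated."""

if __name__ == "__main__":
    result = assess_bank_change_request(VENDOR, SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY,
                                        w9_business_name="Example DC Services Inc")
    print("callback required:", result.requires_callback, "->", VENDOR.callback_number)
    for indicator in result.indicators:
        print(" -", indicator)
```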


About Abnormal Security

The Abnormal Security cloud email security platform protects enterprises from targeted email attacks. Powered by Abnormal Behavior Technology (ABX), the platform combines the Abnormal Identity Model, the Abnormal Relationship Graph and Abnormal Content Analysis to stop attacks that lead to account takeover, financial damage and organizational mistrust. Through one-click, API-based Office 365 and G Suite integration, Abnormal Security sets up in minutes, requires no configuration and does not impact email flow. Backed by Greylock Partners, Abnormal Security is based in San Francisco, CA. Please visit www.abnormalsecurity.com and follow the company at @AbnormalSec.

© 2020 Abnormal Security Corporation. All rights reserved. www.abnormalsecurity.com Abnormal Security Corporation 797 Bryant Street San Francisco, California 94107