Thinking Differently About BEC: Sharing Intel for the Greater Good

Ronnie Tokazowski April 10, 2019 Business Email Compromise

When it comes to sharing threat intelligence with one another, organizations tend to play the game differently. Some prefer to play the “secret squirrel game,” where attribution is something so sacred that names of actors can only be whispered behind closed doors. In other cases, data is bought on the dark underbellies of the Internet and then sold back to organizations as threat intelligence. For others, like the Agari Cyber Intelligence Division, information is shared amongst trusted individuals who can use it to stop cybercrime and bring criminals to justice.

That said, with the rise in business email compromise (BEC) attacks, there is a need for increased threat intelligence sharing amongst the community. Keeping information behind closed doors will do more harm than good, allowing this new generation of cybercriminals to stay one step ahead of those looking to oust them. To understand more about why this transition is needed, let’s take a look at how cybercrime (and the intelligence sharing related to it) has evolved.

Secrets Live Behind APT Intelligence Tracking

Advanced persistent threat (APT) attacks are network attacks where a person or group gains unauthorized access to a network and remains undetected for an extended period of time. These types of attacks are common in cases of espionage, where organizations are typically chosen as targets because of the technology being produced or because of the people behind that technology. In one scenario, cybercriminals may go after several organizations to gain information on something like a nuclear program, targeting not only the company developing the technology itself but also all contractors who worked on the project and anyone else involved.

Sharing intelligence on these types of attacks, while informative to those directly involved, provides little value to those in a different industry, or even to a company in the same industry that is focused on a different type of technology. As such, much of the intel around APT attacks is shared secretly, clustered around specific people in a single industry.

Gaining Industry Knowledge with Crimeware Intelligence Tracking

As cybercriminals move toward broader-based attacks, intelligence sharing must become more open. Crimeware is a good example, as many industries are very interested in the developments surrounding crimeware such as Trickbot, Emotet, or other banking trojans. These families of malware target customers, and the finance industry, in particular, has to bear the brunt of the losses. If a customer is infected and has a credit card number stolen, it can cost the institution thousands of dollars to refund the money and provide support to clean up fraudulent activities.

Traditionally, actors behind these trojans cast their nets far and wide in order to try to compromise as many users as possible—both within and outside of the financial services industry. As such, cyberintelligence organizations work to share information on the malware across numerous organizations, ensuring that every industry that may be affected by the trojans is aware of developments.

Opening Communication with BEC Intelligence Tracking

While intelligence sharing around malware attacks has made strides in recent years, the rise of business email compromise threats requires a new kind of sharing network. When cybercriminals pick targets for their BEC attacks, there is little rhyme or reason to how victims are selected—an attack trait that showcases how dangerous these scams can be. These groups will use lead generation services to find potential targets, and while they may target the Fortune 500 today, their next focus may be educational institutions or charities.

In the traditional sense of how the security industry tracks actors, BEC is an absolute mess. Any one of more than a dozen targeting methods can be used at any particular time, and the same actors who carry out business email compromise scams can simultaneously use romance scams to trick their victims into money laundering, credit card fraud, or loan fraud—all of which benefit the scammer. These actors are not limited in their techniques, and often engage with victims in other ways including re-shipping schemes, mystery shopper scams, and fake check fraud.

Perhaps the most complicated aspect of business email compromise is that the threat actors share techniques and information with one another. Want to purchase some W-2s to file for tax fraud? There is a scammer in Nigeria who’s selling them. Have a good method for cashing out or a new script to engage with an executive assistant? There is someone in South Africa willing to hand over the techniques that are working well for them. This informal information sharing among BEC actors makes attribution extremely difficult, because it is hard to tie crimes together when one scam helps facilitate another. After all, there are enough scams to go around.

An Appeal to the Cyber Intelligence Community

The fact of the matter is that scammers across the world are sharing their successful BEC tactics with each other. The cyber intelligence community needs to do the same in order to be successful at stopping them. Sharing information on who and what we know and working with others to track them is how we are going to make the biggest impact. We can play the “secret squirrel game” amongst ourselves all day long, but in the end, that is not how we are going to win this game we call BEC.

When intelligence is reported to a provider, it not only protects that organization but also others who were not able to detect the threat. And because those BEC actors are also involved in romance scams and rental scams, reporting intelligence keeps lonely hearts from becoming money mules and those potential renters from losing thousands of dollars. Business email compromise is big business—it is all of our responsibility to protect humanity from that evil.

For more information on the work the Agari Cyber Intelligence Division is doing, check out the ACID website.
