Phishful Of Dollars: BEC Remains Top Of The Charts

Business email compromise (BEC) is not going away. Since we initially wrote about BEC back in April 2016, we have continued to report on threat actors using tried-and-tested BEC techniques to trick their victims. For example, in May 2015 two separate reports emerged: the theft of $495,000 USD from the US investment company Pomeroy Investment Corp, and a spear-phishing scam that resulted in the theft of W-2 information pertaining to 13,000 current and former employees of the Brunswick Corporation. In April 2016 Reuters reported that an unidentified American company had been the victim of BEC that led to the theft of almost $100 million USD.

More recently, Tillage Commodities Fund – a U.S.-based investment company – filed a lawsuit against SS&C Technologies – a provider of financial services technology – as a result of a BEC attack. The attackers purportedly sent emails from an address on a typosquatted domain impersonating Tillage to the SS&C employees who administered the Tillage fund, requesting that wire transfers be made to bank accounts belonging to purported technology companies in Hong Kong. The attack resulted in the theft of $5.9 million from the Tillage fund.

Broadly speaking, we have observed four different types of BEC strategies:

[Figure 1: Four main types of BEC attack (image not reproduced)]

In the case of Tillage and SS&C, the attackers appear to have used a variation of the 'Supplier Swindle' strategy, tricking SS&C employees into wiring funds to fraudulent accounts under the attackers' control. Of broader significance is the choice of SS&C as the vector for an attack on Tillage Commodities. Tillage was most likely targeted because of its reliance on an intermediary (SS&C) that was responsible for administering Tillage's assets and could therefore authorize payments on its behalf. This shows that even a tactic as well established and commonly used as typosquatting still succeeds, and that threat actors regard the third parties who hold or administer a target's assets as the weaker point of entry.
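The detection control a fund administrator in SS&C's position would want is a check, applied before any wire instruction is acted on, that the sender's domain is really the counterparty's and not a lookalike. The following Python is an added example written for this page, not code from the original post or from either company: it flags sender domains that differ from a trusted counterparty domain by one typo, by a homoglyph swap (such as `1` for `l`), or by decoration (`tillagefund-secure`), and also flags a Reply-To that redirects replies elsewhere or a display name that borrows a trusted brand. The trusted domains, the sample headers and the `.example` TLD are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed list of counterparties whose mail may carry wire instructions
# (assumption for this example; a real deployment loads the vetted vendor list).
TRUSTED_DOMAINS = ["tillagefund.example", "ssctech.example"]

# Character sequences that look alike in common fonts; each is folded to one
# canonical form before comparison so "ti11age" and "tillage" compare equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

ADDR_RE = re.compile(r"<([^>]+)>")


def extract_address(header_value: str) -> str:
    """Return the bare address from 'Display Name <user@host>' or 'user@host'."""
    m = ADDR_RE.search(header_value)
    return (m.group(1) if m else header_value).strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'tillagefund' from 'mail.tillagefund.example'.
    Simplification: assumes a one-label public suffix; 'co.uk'-style suffixes
    would need a public suffix list in production."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def fold_confusables(label: str) -> str:
    s = label.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str:
    """Return the trusted domain this one imitates, or '' if it imitates none."""
    if domain in TRUSTED_DOMAINS:
        return ""
    label = registrable_label(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label = registrable_label(trusted)
        if fold_confusables(label) == fold_confusables(t_label):
            return trusted  # homoglyph swap, e.g. ti11agefund
        if edit_distance(label, t_label) <= 1:
            return trusted  # single typo: dropped, added or swapped character
        if t_label in label and label != t_label:
            return trusted  # brand plus decoration, e.g. tillagefund-secure
    return ""


def assess(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify a message as 'allow', 'review' or 'block' with the reasons."""
    reasons: List[str] = []
    from_header = headers.get("From", "")
    from_domain = domain_of(extract_address(from_header))
    reply_to = headers.get("Reply-To")
    reply_domain = domain_of(extract_address(reply_to)) if reply_to else from_domain

    imitated = lookalike_of(from_domain)
    if imitated:
        reasons.append(f"sender domain {from_domain} imitates {imitated}")

    # Replies silently redirected away from the apparent sender.
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        if lookalike_of(reply_domain):
            reasons.append(f"Reply-To domain {reply_domain} imitates {lookalike_of(reply_domain)}")

    # Display name borrowing a trusted brand while the address is untrusted.
    display = re.sub(r"[^a-z0-9]", "", from_header.split("<")[0].lower())
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if registrable_label(trusted) in display:
                reasons.append(f"display name references {trusted} but address is {from_domain}")

    if imitated:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


# Constructed sample headers, not real traffic.
SAMPLE_MESSAGES = [
    {"From": "Ops <ops@tillagefund.example>"},                                       # genuine
    {"From": "Ops <ops@tillagefund.example>", "Reply-To": "ops@outlook-mail.example"},  # redirected replies
    {"From": "Ops <ops@ti11agefund.example>"},                                        # homoglyph
    {"From": "Ops <ops@tilagefund.example>"},                                         # dropped letter
    {"From": "Tillage Fund Ops <ops@gmail-example.example>"},                          # display-name spoof
]


def run_samples() -> List[str]:
    return [assess(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:6} {msg['From']}")
```

The verdicts are deliberately conservative: a lookalike sender is blocked outright, while a Reply-To mismatch or a borrowed display name only forces human review, because both have legitimate uses. In practice this check belongs in the mail gateway or the payments workflow, alongside SPF/DKIM/DMARC enforcement and an out-of-band callback for any change of beneficiary account, since a correctly authenticated message from a freshly registered lookalike domain will pass every authentication check.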

Given the relative simplicity of these attacks and the huge potential profits to be made, BEC will highly likely continue to pose a threat to companies and organizations for the foreseeable future. As more and more historical data breaches come into circulation, threat actors will likely use the exposed information for malicious purposes such as social engineering, phishing scams, and account takeovers, all of which can be used to facilitate a BEC attack; these techniques are outlined in our recent blog looking at the Industrialized Uses of Breached Data. With this in mind, organizations are advised to adopt a combination of people, process and technology measures to mitigate BEC attacks, some of which are discussed in our previous blog.
