Criminals are increasingly moving away from malware in favour of compromising business email to scam organisations out of money, security researchers are warning.
Last month the FBI said social engineering had reaped attackers A$3 billion since October 2013, with over 17,000 businesses affected across 79 countries.
Fraudsters are now taking the time to map the relationships between individual employees in a company and trick them into enacting fraudulent money transfer requests from a CEO or financial controller.
"They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy," the FBI said last month.
In a presentation at the AusCERT 2016 conference today, myNetWatchman operations chief Donald ‘Mac’ McCarthy said criminals were even going so far as to buy business profiles from the likes of Dun & Bradstreet with stolen credit cards to learn more about the organisations they target.
“It’s no longer about sending you a compromised HTML email,” McCarthy said.
“They’ve started to take the time to understand the relationships within the stakeholders. This will achieve the effect of Eastern European malware, without malware.
"Malware has a huge problem with behavioural match, because it’s not a human inputting the demands. They scrape a page and they run what they need to run.
"Malware [also] has a hard time getting two people to do the same thing at the same time. [And] If I write a piece of malware I have no idea when someone is going to write a set of signatures that will detect it."
He warned that companies were making themselves vulnerable by displaying profiles and contact details of senior executives on their websites.
“That really gives the attacker everything they need to know,” McCarthy said.
Once an attacker successfully compromises an account through an initial recursive phishing email purportedly from another company employee, they start hunting for certain terms like ‘invoice’, ‘bank’, and ‘president’ to understand the financial relationships within the business.
The attackers are then able to play on these relationships to trick the financial controller into moving money into a mule account.
“They rely on individual relationships. The banker or the financial advisor/controller moves the money. The attackers don’t need any infrastructure whatsoever other than a free email account for straight wire transfer fraud,” McCarthy said.
He cited the case of the wife of an unnamed Hollywood actor who had $287,490.53 stolen after attackers got into her account and figured out her relationship with her financial advisor to spoof a property down-payment.
In another case, US business Gateway Distributions lost $35,450 after attackers used email addresses for executives displayed prominently on the company’s website to compromise accounts, McCarthy said.
The majority of business email compromise attackers come from West Africa, according to McCarthy. His company has identified 42,000 attackers globally engaged in this type of social engineering.
But from a financial impact perspective, he argues it's not possible to accurately quantify the impact of the problem.
"[The $3 billion figure] is just those attacks that have been reported," McCarthy said.
"In the US if a publicly traded company falls victim to this there are SEC regulations that require them to report it."
But there are no similar requirements for small business, he said, and if a business is "trying to make a name for yourself it's probably not in your interest to report that you've just lost half your investors' money", making it difficult to quantify financial loss.
"We don't really know how big the problem is. But we know it's at least $1 billion in the US and $3 billion globally," McCarthy said.
Educating employees on the regions in which your company does business is key, McCarthy said, training them to spot a transaction headed to Hong Kong when your business deals only in the US and Europe.
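As an added defensive illustration (not code from the article, myNetWatchman or the FBI), the following Python check applies two of the signals described above to an incoming wire-transfer request: an executive's name on a message sent from a free webmail account rather than the company domain, and a beneficiary bank outside the regions the company trades in. The company domain, executive names, country list and sample requests are constructed assumptions.

```python
# Added example, not from the article: screen a wire-transfer request for the
# two BEC signals the talk describes and return reasons to hold it for
# out-of-band verification (a phone call to the known number, not a reply).
from dataclasses import dataclass

# Assumed company data (constructed): internal mail domain, executives whose
# names are likely to be spoofed, and the countries the business operates in
# (US and Europe in this example).
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane roe", "john doe"}
OPERATING_COUNTRIES = {"US", "GB", "DE", "FR", "NL"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass
class WireRequest:
    display_name: str
    sender_address: str
    dest_country: str   # ISO 3166-1 alpha-2 code of the beneficiary bank
    amount: float


def screen(req: WireRequest) -> list:
    """Return the reasons this request should be held; empty means no flag."""
    reasons = []
    domain = req.sender_address.rsplit("@", 1)[-1].lower()
    name = req.display_name.strip().lower()
    # Executive name on a message that did not come from the company domain:
    # the "free email account, no infrastructure" pattern from the talk.
    if name in EXECUTIVES and domain != INTERNAL_DOMAIN:
        kind = "free webmail" if domain in FREE_MAIL_DOMAINS else "external"
        reasons.append(f"executive name '{req.display_name}' sent from {kind} domain {domain}")
    # Destination outside the regions the business actually operates in.
    if req.dest_country.upper() not in OPERATING_COUNTRIES:
        reasons.append(f"beneficiary bank in {req.dest_country}, outside operating regions")
    return reasons


# Constructed samples: a spoofed CEO request to a Hong Kong beneficiary, and a
# routine payment from the real accounts-payable mailbox to a German supplier.
SAMPLES = [
    WireRequest("Jane Roe", "jane.roe.ceo@gmail.com", "HK", 35450.00),
    WireRequest("Accounts Payable", "ap@example-corp.com", "DE", 12000.00),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.sender_address, "->", screen(r) or "no flags")
```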
He said some companies are tying portions of an individual's bonus to whether an employee avoids clicking phishing links and passes phishing training throughout the year.
"This is absolutely not a problem where you need to go and spend a bunch of money on appliances," McCarthy said.
"This is not truthfully that much of a technical problem.
"It's a business process. If you structure your business process to counter this threat and you structure it well, it's going to survive more than this threat. That just costs you time."