Researchers at Intel 471 have observed cybercriminals outsourcing talent for business email compromise (BEC) attacks. This tactic lowers the bar of entry for BEC attacks, which are extremely effective at raking in large amounts of money.
“In February, an actor on a popular Russian-language cybercrime forum announced he was searching for a team of native English speakers for the social engineering elements of BEC attacks after they had obtained access to custom Microsoft Office 365 domains,” the researchers write. “Additionally, another actor on a different forum asked for the same thing in June, posting help wanted ads that essentially outsourced the social engineering work behind BEC, while the actor would take care of the related technical aspects.
The researchers note that this enables the criminals to overcome the language barrier, since typos and poor grammar often tip off users to the scam.
“Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams,” Intel 471 says. “The use of proper English is very important to these actors, as they want to ensure the messages they send to their victims — mainly high-level employees of an organization — do not raise any red flags.”
Criminals are also outsourcing the money laundering aspect, which further lowers the bar for these attacks.
“Another skill actors on the cybercrime underground are looking to outsource is laundering the money stolen via BEC schemes so it becomes untraceable and usable,” the researchers write. “Intel 471 observed a Russian language actor place an ad on a cybercrime forum, looking to launder sums as large as $250,000 through a cryptocurrency tumbler — a service that blends multiple transactions and disperses money to intended recipients in incomplete installments, which makes it significantly more difficult to trace. The six-figure sum suggested the scams targeted large companies.”
The researchers conclude that employee training is a valuable layer of defense against these attacks.
“As a first line of defense, proper training for an organization’s email users is essential to neutralize the threat of BEC,” they write, “Awareness of the techniques threat actors employ and key indicators that an email or sender is fraudulent or inauthentic can help reduce the threat of BEC.”
New-school security awareness training can enable your employees to thwart sophisticated social engineering attacks.
Intel 471 has the story.