Microsoft has observed a thirty-eight percent increase in cybercrime-as-a-service (CaaS) offerings for launching business email compromise (BEC) attacks between 2019 and 2022.
“Cybercriminal activity around business email compromise is accelerating,” the company said in a report. “Microsoft observes a significant trend in attackers’ use of platforms like BulletProftLink, a popular service for creating industrial-scale malicious email campaigns. BulletProftLink sells an end-to-end service including templates, hosting and automated services for BEC. Adversaries using this CaaS receive credentials and the IP address of the victim.”
CaaS offerings also help attackers avoid detection by security technologies designed to flag suspicious behavior.
“BEC threat actors then purchase IP addresses from residential IP services matching the victim’s location creating residential IP proxies which empower cybercriminals to mask their origin,” Microsoft says. “Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks. Microsoft has observed threat actors in Asia and an Eastern European nation most frequently deploying this tactic. Impossible travel is a detection used to indicate that a user account might be compromised. These alerts flag physical restrictions that indicate a task is being performed in two locations, without the appropriate amount of time to travel from one location to the other.”
Microsoft notes that these attacks rely primarily on social engineering rather than exploiting technical vulnerabilities.
“BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception,” the report says. “Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers.”
New-school security awareness training can enable your employees to thwart targeted social engineering attacks.
Microsoft has the story.