“About five years ago, 2015 or 2016, you started to see a lot of these actors shift from targeting individuals to targeting employees at businesses.”
Lindsey O’Donnell-Welch: Right. That’s always an interesting thing to keep in mind when you’re looking at these different types of attacks. One other thing that sticks out to me too, is it doesn’t seem like it would cost a ton of money to set up this type of attack. I guess it does seem like there would be a lot there in terms of investing in the social engineering aspect of it. And I’m sure that attackers need to play the long game to build up that trust. But how long typically are these types of attacks playing out and what’s needed on the attacker’s side when they’re trying to maintain and operate these types of campaigns?
Crane Hassold: So because BEC attacks and most other cybercrime attacks are financially motivated, if you think about this like a business, right, they want to make the largest amount of profit that they can. And when you look at BEC, the ROI, the return on investment, for those attacks is so much higher than other types of cyberattacks out there, to the point where at some point – and we have been saying this for years – the Eastern European and Russian cybercriminal organizations are going to start thinking to themselves “why am I spending all this time and money setting up my infrastructure for my malware, or hiring developers, when I can just send someone an email, tell them to send me money, and they’ll do it?” And we have started to see some of those more sophisticated groups pivot over to BEC, I think just for that exact same reason, because the amount of money that they can make with less work is definitely there with BEC. When you look at what’s required in order to send a BEC email, essentially, you have to identify who you’re actually going to email.
And what’s really interesting is almost exclusively across the board for all of the groups that I’ve looked at, the same online services, commercial services, or legitimate services that sales and marketing teams use all around the world to identify sales prospects, the exact same services are being used by these groups to identify targets for BEC attacks. And they’ll either sign up for a free one week trial, or even use a compromised credit card and buy a subscription to one of these services. But all they have to do is run a very easy search using one of the dozens of different characteristics that are available on these in the services and it dumps out essentially a raw lead sheet of all the contact information and names for the people that they’re going to contact with that, then supplement that with additional open-source intelligence to understand who they’re going to be impersonating, which is going to be a CEO or some other executive. And then all you have to do from there is email people. And based on what I’ve seen, almost exclusively, I have seen a very, very, very small percentage of these actors that are actually using automated mechanisms to send these emails, almost all the times they’re actually sending emails manually, one at a time, to their targets. And so when you look at that, it’s literally just setting up a Gmail account, or some other generally free webmail account, and sending emails from that on a manual basis. But everything else is pretty straightforward from there, so the amount of overhead that you need, in order to send a BEC email, is very, very minimal.
Lindsey O’Donnell-Welch: That seems frighteningly easy, and definitely not good. But I remember when we talked a couple years ago, you were talking about attackers from Russia starting to look at this type of attack. And you were mentioning that this was something that was just starting to transpire. And now as you mentioned before, this is a type of attack that different actors are looking at from beyond even Nigeria. So it sounds like it’s spreading. Are you seeing different tactics increase due to this spread into other different geographic regions?
Crane Hassold: Yes, the biggest thing that I’ve seen when it comes to actors in other parts of the world, especially Eastern Europe, Russia, and Israel, the biggest difference that you see in those emails is that they are more sophisticated from a social engineering perspective, meaning that they are clearly spending more time crafting an initial communication to a target, than a lot of the other BEC actors out there. A lot of the West African BEC actors that we see, their emails are very, very similar. They’re very short. And in many cases, those red flags that we teach people to look out for, the spelling errors and grammatical errors are going to be there in a West African BEC email. That being said, when you look at these actors from other places in the world, those emails are just gonna be longer. The English language that’s being used is going to be much better, even to the point where I’ve always thought that there must be some collaboration with native speakers of different languages to actually translate some of these emails because there’s almost no grammatical or spelling errors. And then they’re also more complex in the fact that a lot of the emails will hand off a target to different personas, so they may start off by impersonating the CEO of an organization and then pass the employee off to another persona that might be impersonating an actual attorney from UK. Let’s say you might be brokering an acquisition or some other deal and they need to work with that person. And so there’s a lot more complexity in those BEC attacks than what we see with other types of attacks from West African actors.
Lindsey O’Donnell: Yes. Well, with all this innovation that you’re seeing on the bad actor side, what are you seeing with companies that are looking to defend themselves against this? Are you seeing the ability to keep up here? Are you feeling optimistic or pessimistic?
Crane Hassold: You know, I’m probably biased based on where I currently work. But the biggest challenge with BEC attacks today is that historical infrastructure and historical legacy defenses that have been put into place to defend employees against certain email based cyberattacks were developed to identify more technically sophisticated attacks, like malware and malicious payloads and things like that. What they weren’t really good at is identifying attacks that did not contain a malicious link or malicious attachment, which is essentially what BEC is today. The attackers, I understood that that’s why they evolved and adapted their tactics to move into the BEC space, but the biggest thing when it comes to defending against BEC attacks, is understanding the nature of cyber threats today. And the fact that when most people think of cyberattacks, they think of these technically sophisticated attacks, like ransomware, when the case is that’s not actually what is happening today. A lot of it is driven purely through social engineering, and your email defenses that are defending your employees against cyberattacks need to take that into account. And so having a layer of security that is really well equipped to identify and detect social engineering attacks is imperative in order to be able to defend yourself against those attacks, because other legacy secure email gateways just aren’t doing a great job of defending against and identifying them.
Lindsey O’Donnell-Welch: When you look at these types of attacks, what are some trends that you see going into 2022 that you think are important to keep in mind and keep an eye on looking forward?