A new report from Barracuda notes a big jump in dangerous Business email compromise attacks compared to last year, probably because Work From Home environments make these attacks more difficult for employees to verify by themselves.
Business email compromise [BEC] attacks have almost doubled compared to last year, likely as a direct result of the COVID-19 pandemic. That’s a key takeaway from a new report by Barracuda on the evolution of email threats, which is being released today.
The report identifies 13 types of email threats, running from spam, malware and data exfiltration at the least complex end, to BEC, conversation hijacking, lateral phishing and account takeover at the more complex.
“Different vendors use different labels when talking about these threats,” said Don MacLennan, SVP, Email Protection, Engineering and Product Management, Barracuda. “We saw a need to educate the market, and thought we could best do this through a vendor-neutral framework. All the different vendors, including us, use our own terms, so we have structured a common order to how we all talk about these things, which translates all our proprietary language, and makes it clear what we are all referring to. That shows that there are 13 specific types of threats. We think this is helpful for educating the market.”
Business email compromise attacks, for example, are also known as whaling, CEO fraud, or wire-transfer fraud. They are one type of spear phishing, in which the bad guys typically impersonate an employee or contact of the organization, and request either a wire transfer or personally identifiable information from people in a position to provide them. They are hard to detect because they rarely include a URL or malicious attachment. A year ago, Barracuda identified BECs as making up 7% of all spear-phishing attacks. They have risen to 12% this year.
“We saw BECs surge in the last half of the calendar year,” MacLennan said. “We are not sure exactly why, but the trend is clear. BEC is an attempt to impersonate an employee to get another employee to do a desired behavior. They use a display name that’s identical. They buy a domain name that is similar to one that person would belong to, which looks the same, but with perhaps one letter different. It doesn’t necessitate using malware.”
Notably, while 71% of spear-phishing attacks overall contain malicious URLs, only 30% of BECs contain a link at all, in order not to arouse suspicion.
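The two sender signals MacLennan describes, an identical display name and a domain that differs by one letter, can be checked from the From: header alone, which matters when a message carries no link to inspect. The following is an added example, not code from the Barracuda report or its products; the directory, trusted domain and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions for this example only).
DIRECTORY = {  # display name -> the address that person really uses
    "jane smith": "jane.smith@example.com",
    "raj patel": "raj.patel@example.com",
}
TRUSTED_DOMAINS = {"example.com"}


def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, max_distance=1):
    """Return the impersonation findings for one From: header value."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())  # normalise case and spacing
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # Signal 1: a known employee's display name on an address that is not theirs.
    known = DIRECTORY.get(name)
    if known is not None and addr != known:
        findings.append("display-name-mismatch")

    # Signal 2: an untrusted domain within one edit of a trusted one.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= max_distance:
                findings.append("lookalike-domain:" + trusted)
    return findings


if __name__ == "__main__":
    for hdr in ('"Jane Smith" <jane.smith@example.com>',
                '"Jane Smith" <jane.smith@examp1e.com>',
                '"Jane Smith" <jsmith.ceo@gmail.com>'):
        print(hdr, "->", classify_sender(hdr))
```

A display-name mismatch on a free-mail domain and a lookalike domain are reported separately so that each can be weighted or routed differently downstream.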
MacLennan suggested that aside from the fact that these attacks have a good success rate if they are well done, they may be gaining in popularity because of Work From Home.
“Because most of us work remote now, that makes it easier for this type of attack,” he said. “In the past, if you got an odd email from a colleague, the easiest way to verify it was to walk down the hall and ask the person if they sent the email. Remote work made this a lot harder, so made this problem worse for us. As we keep deepening our machine learning algorithms, it forces bad guys into new tactics.”
One thing that is not new is bad guys attempting to take advantage of recent developments, and fine-tuning this by using telemetry to measure the success of their attacks.
COVID-related scams have become increasingly popular for less targeted and less sophisticated ‘spray and pray’ attacks that focus on fake cures and donations. Scamming accounts for 72% of COVID-19-related attacks, which is double the 36% of overall attacks.
“The COVID scams have been a distinct trend this year,” MacLennan said.
Criminal tactics have also evolved this year.
“Typically the call to action is to click on a URL, usually for credential harvesting,” MacLennan added. “In the past we could render a verdict by inspecting the link, so they have been using link shorteners like bit.ly, and we have to follow from what it was shortened from. That’s more difficult, and the products have to adapt to following a chain of links.”
Most of the sophisticated attacks continue to work in HTML.
“It’s very unusual to see plain text emails in these. Still, they do have a wide variety of skills, and what they can afford to utilize. The less sophisticated attacks haven’t changed a lot.”
To defend against this, MacLennan said machine learning tactics continue to evolve as well.
“We constantly expand the context,” he said. “With BECs, you have to establish a pattern of known good communication as a baseline. Who do you email frequently? Do you always hear from them, never hear from them, or somewhere in between? Then we create a social graph, and superimpose normal content and behavior on top of that, using sophisticated natural language processing. That way we can determine if the email is asking things to be done which are against the pattern, even if the email doesn’t have obvious malicious intent.”
The growing sophistication of these attacks, combined with the limitations of customer resources in ecosystems which are strained to protect against a variety of threats, means that most customers can’t protect themselves properly against these kinds of threats without assistance. MacLennan said that channel partners play a key role here.
“Customers are now at the point where they don’t have the capability to stay current with these threats, because of the scarcity of resources, so they are turning to the partner ecosystem for help with risk management. The partner ecosystem is being asked to step up, and provide more consultation and domain expertise. Partner-offered managed services have been growing extremely fast, to perform these services on customers’ behalf.”