adimas - Fotolia
Business email compromise and email account compromise are on the rise, and threat actors are equipped with new tactics that take impersonation to the next level.
In just the first half of 2019, email security vendor Proofpoint observed 15 million unauthorized login attempts, 400,000 of which successfully compromised accounts. According to Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, both business email compromise (BEC) and email account compromise (EAC) have effectively become the most expensive problem in all of cybercrime.
In response to the rising threats, Proofpoint recently announced a new solution bundle that integrates and combines several of its security products to better address BEC/EAC attacks. The products include Proofpoint's secure email gateway, advanced threat protection, threat response, email authentication, security awareness training and cloud account protection.
"People don't realize that unless you do a number of steps to authenticate your email, pretty much anyone can send an email as you," Kalember said. "Over the last couple of years, attackers have diversified their tactics. One set is all about pretending to be you and another set that are all about just becoming you by taking over cloud accounts."
Emphasis on EAC is another part that's recently changed, which threat actors infiltrate through common tools such as password spraying and brute force attacks. The difference now is that attackers are utilizing malicious third-party applications that connect Office 365 or G Suite accounts and abuse the access and permissions.
"This is the new tactic, and it's a tricky one because you basically see a log-in -- not to a fake Microsoft or Google, but the real Microsoft or Google -- and the attacker is trying to get you to install an application that is on the app store that connects to Office 365 or G Suite. You're logging into the real account, but the application itself is impersonating something that's legitimate," Kalember said. "The way they are able to use that access is because everything is about Office 365. It's everything. Your calendar, contacts, inbox, sent items, files, everything is behind that one credential and that whole cloud attack surface has enabled them to learn so much about their targets. These are relatively recent developments even if the tools have been around for some time."
Kalember said effective BEC/EAC prevention requires looking at a whole set of tactics used by threat actors. To that end, the vendor also introduced new features for Proofpoint Cloud App Security Broker (Proofpoint CASB); the features include automated detection and remediation for suspicious third-party apps that connect to Office 365 and G Suite accounts and risk-based access control that can detect if a device is unmanaged and restrict access for accounts logging in from such as device.
"On the EAC side of things, if I'm going to look for that malicious third-party application, I can't look at it in my email gateway," Kalember said. "The right place to look is on Office 365. If someone abuses the functionality within Office 365 in a way a typical BEC/EAC actor would, none of that goes through email gateway."
Multiple pieces of the integrated solution set were from Proofpoint acquisitions: technology from FireLayers, email fraud protection from Return Path, and Nexgate, which helps search for lookalike domains.
"We weren't able to do this before now, because we didn't have all those pieces," Kalember said. "Things like third-party applications are a relatively new development. Being able to isolate clicks so people don't enter their credentials into phishing sites no one has seen before. All of those things require bolt integration and, in both cases, components of a different acquisition."
BEC/EAC attacks on the rise
According to the FBI, half of cybercrime losses in 2019 were BEC alone. More cyberinsurance payouts happened because of BEC than ransomware.
Experts say BEC/EAC attacks are evolving and further leveraging cloud services. Email security vendor Agari Data last month published threat research on a BEC campaign it called "Exaggerated Lion" that primarily abused G Suite to host and launch attacks. The report claimed threat actors targeted 3,000 individuals employed by more than 2,000 companies between April and August of last year.
Matt Valites, outreach lead at Cisco Talos Intelligence Group, said his team has seen more brazen activity from threat actors compromising email accounts. For example, he said Cisco Talos researchers observed new activity around the Emotet botnet last summer. "What they do is, they get onto a machine and they steal email credentials and send them to the [command and control] server," he said. "But along with the credentials, they also steal some of the email threads from those mailboxes."
The threat actors then use the email credentials and thread they just stole to make the impersonation even more believable, Valites said. "They'll respond in thread to a conversation, looking like it's coming from the original person but it's coming from a completely different person and IP space," he said. "And if they're stealing email content, it's only a matter of time before they figure out what else they can do with it."
With the threat vector broadening and attackers using new tactics, Kalember said new investments in email security are required to keep up with the trend.
"I don't think anyone in the industry had all the pieces, because by and large as an industry, there's still greater money spent on network security, which isn't relevant to solving this problem at all," he said. "BEC/EAC won't stop, but if people defend themselves, then they don't become the source [for additional attacks]."
Security news editor Rob Wright contributed to this article.