In many cases, your company may not be the intended victim of a cybercrime, but instead is used as a pawn to gain confidence and access to a company you do business with. This strategy is called an island-hopping cyberattack, and it's the latest twist on the business email compromise scam.
BEC is a scam in which a fraudster pretends to be the CEO or another person of authority in a company in order to commit fraud, for example by "approving" wire transfers, asking for gift cards to be purchased and so on. But, in recent years, the BEC technique has expanded to employ island-hopping. Two 2019 BEC attacks demonstrate the new type of BEC. In one, a school system in Kentucky was contacted by one of its vendors about nonpayment of an invoice. Its records showed it had paid the invoice -- to a party posing as that vendor. The school system lost $3.7 million to the scam. In a similar case, a church lost $1.75 million from its renovation fund. It thought a request for payment came from its contractor, but instead a scammer had gained access to the church email system and then altered the contractor's banking and wire transfer directives.
In short, cybercriminals now realize the value of using an initial victim organization as a tool to attack a second.
Island-hopping shares four key elements with other BEC scams:
- Phishing still reigns. Phishing remains one of the top -- if not No. 1 -- most effective cyberattack vectors.
- Cybercriminals need to establish credibility. To trick users into engaging with email content, links and attachments, attacks need to use tactics like domain impersonation, spoofing sites, doing due diligence and having emails come seemingly from known persons.
- People trust those they know. If you see an email coming from someone you normally work with about a topic you both regularly engage about, why would you think anything is wrong? You wouldn't. So, if bad guys can look like someone you know, your defenses stay down.
- This is a business. The bad guys aren't going to be satisfied with just taking one company for a ton of money. They want a repeatable process they have mastered -- like any business -- because that's what they're good at.
Island-hopping cyberattacks are the easiest way for a cybercriminal to gain the confidence of a potential phishing victim to help launch an attack ending in fraud and be able to repeat the process once the initial attack is complete.
The island-hopping cyberattack technique is used in 50% of all cyberattacks, according to Carbon Black's 2019 report on global threats, "The Year of the Next-Gen Cyberattack." In most cases, email is used as the medium to "hop" from one company to another. This is for two reasons: First, the medium of email allows for malicious attachments and links to be easily delivered to the next target organization. Second, it eliminates the need to use domain impersonation to establish credibility -- because the bad guys are using a compromised account in Company A.
How to not get 'hopped'
What measures should organizations take to ensure they don't become a victim of an island-hopping cyberattack or become the pawn organization that gets hopped? Let's walk through an attack kill chain that ends in fraud and, next, address each step in the scam and how to thwart it.
To thwart each step of this kill chain, a few things should be in place:
- Company A gets phished. Stopping phishing attacks involves tools such as email scanning, DNS scanning, security awareness training and endpoint-based antimalware. The goal is to have a layered approach that stops that initial attack one way or another.
- Company A is compromised. If this is an on-premises attack, endpoint protection products that detect rogue processes running on endpoints are a great way to keep malware from being installed. If this is a cloud-based attack, the use of multifactor authentication will help ensure cybercriminals can't get back in.
- Lateral movement occurs in Company A. The bad guys need to find elevated accounts that allow them to move around until they can identify an appropriate account with access to financial transactions, usually in accounts receivable or finance. Access to email and whatever accounting application is in use usually follows. Monitoring logons for abnormal use with a user activity monitoring (UAM) tool, a SIEM or a threat analytics tool helps in spotting that the CFO is logging onto a machine he normally doesn't use, on a Sunday at 3 a.m.
- Diligence occurs. The bad guys need to find transactions they can take advantage of. Unless you have detailed UAM in place that records exactly what users are doing within an application, you probably won't have much visibility into this.
- Company A emails Company B. Here's where the fraud starts. The bad guy uses a compromised email account -- sometimes this is a fictitious account the bad guy creates, posing as someone in accounts receivable -- to communicate with an accounts payable counterpart to attempt to modify banking details. The onus here falls on Company B to have a process in place to validate the request via a medium other than email and with a known person at Company A. Because the fraudulent request doesn't contain any content that is malicious and appears to be regular business communications, no security tool is going to trigger alarms. So, it's up to the people involved to remain vigilant. Proactive security awareness training can be helpful here.
- Company B makes the fraudulent payment. At this point, it's probably too late, but having accountability checks in the payment process, particularly when payment details were recently changed, is prudent.
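The logon-monitoring step above ("the CFO logging onto a machine he normally doesn't, on a Sunday at 3 a.m.") comes down to comparing each logon against a per-user baseline. The following is an added example, not code from the article or from any product it mentions; the logon records, user names, host names and the assumed 07:00-19:59 Monday-to-Friday working week are all constructed for illustration.

```python
"""Baseline-and-deviation check for logon events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful logons (user, host, ISO timestamp); a real
# deployment would read these from a SIEM or UAM export.
BASELINE_LOGONS = [
    ("cfo", "FIN-LAPTOP-01", "2019-03-04T08:15:00"),
    ("cfo", "FIN-LAPTOP-01", "2019-03-05T09:02:00"),
    ("cfo", "FIN-LAPTOP-01", "2019-03-06T08:47:00"),
    ("cfo", "FIN-LAPTOP-01", "2019-03-07T17:30:00"),
    ("cfo", "FIN-LAPTOP-01", "2019-03-08T08:05:00"),
    ("ar_clerk", "AR-DESKTOP-07", "2019-03-04T07:55:00"),
    ("ar_clerk", "AR-DESKTOP-07", "2019-03-05T08:10:00"),
    ("ar_clerk", "AR-DESKTOP-07", "2019-03-07T16:40:00"),
]

BUSINESS_DAYS = range(0, 5)    # assumed working week: Monday=0 .. Friday=4
BUSINESS_HOURS = range(7, 20)  # assumed working hours: 07:00 .. 19:59


def is_off_hours(dt):
    """True when a timestamp falls outside the assumed working week."""
    return dt.weekday() not in BUSINESS_DAYS or dt.hour not in BUSINESS_HOURS


def build_baseline(logons):
    """Per user: hosts seen and how many historical logons were off-hours."""
    baseline = defaultdict(lambda: {"hosts": set(), "off_hours": 0})
    for user, host, ts in logons:
        dt = datetime.fromisoformat(ts)
        baseline[user]["hosts"].add(host)
        if is_off_hours(dt):
            baseline[user]["off_hours"] += 1
    return baseline


def evaluate_logon(baseline, user, host, ts):
    """Return the reasons (possibly none) this logon deviates from baseline."""
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    dt = datetime.fromisoformat(ts)
    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"new host {host}")
    # Only alert on off-hours activity for users who never work off-hours.
    if is_off_hours(dt) and profile["off_hours"] == 0:
        reasons.append(f"off-hours logon {dt:%a %H:%M}")
    return reasons
```

A logon that trips either rule is the kind of event the article suggests a UAM, SIEM or threat analytics tool should raise for review; in practice the baseline window would be weeks of data rather than one constructed week.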
Avoiding getting involved in island-hopping cyberattacks
As you can see, the solution to stopping these attacks is truly a mix of people, process and technology. There are other examples of island-hopping -- such as when a single compromised email account in Company A sends an email to anyone and everyone in Company B to gain access to Company B. Regardless of the threat actions, the initial efforts use the same tactics to compromise Company A. Having the proper people, processes and technical controls in place is critical to stop attacks like this before they ever start.