Emphasis on stopping these largescale BEC attacks by defenders, which have cost companies in excess of $43 billion over several years, have forced hackers to shift gears, say researchers.
Instead of compromising a corporate email account and targeting a top C-suite person, hackers are simply signing up for QuickBooks and PayPal accounts for free and sending thousands of phony invoices with phony phone numbers to mid-level managers and purchasing people as well as attacking small businesses. And it's working.
Avanan, a Check Point Software Company, on Thursday outlined this new line of attack in a blog post.
While they could not determine how much money hackers have made from this new approach since they just started tracking this new variant last fall, the researchers said in the last two months they observed 160 emails using QuickBooks and more than 23,000 using PayPal. Today’s research outlines how Avanan blocked a hacker's attempt to use a legitimate QuickBooks account to defraud a company.
“What's different is that the threat comes from legitimate sources,” said Jeremy Fuchs, a cybersecurity researcher-analyst at Avanan. “Traditional BEC strategies rely on analyzing the text in a message and seeing if something is out of the ordinary. It depends on looking at the sender's address and seeing if something is amiss, which relies on the context of messages, and sender history. All of that gets thrown out the window. Their previous communication with QuickBooks will look the same as this current campaign. So you won't be able to rely on natural language processing, anomalies, or anything else. It requires a new approach.”
Fuchs said for its part, Avanan has phone number scam protection, where the artificial intelligence does a scan and very quickly can detect a fraudulent 800 number. They also have DLP on the back-end, where the software will block an invoice from being paid so an admin can look over the invoice one last time to make sure that it’s a legitimate invoice that should get paid.
Companies need to slow the process down, said Fuchs. In essence, the old training of looking for a domain name error like QuickBox versus QuickBooks doesn’t work anymore. Managers must scrutinize every invoice more carefully, Google the phone number to make sure it’s a legitimate business, and as an extra line of defense, use DLP to slow the process down and have the invoice checked before it gets paid.
“It will slow the process down, but in the long run it will save companies money,” said Fuchs. “If it works once and prevents you from paying out a huge invoice, it’s worth it.”
Rogue invoice fraud requires business teams to operate the correct checks and balances – processes that can’t always get solved with a quick tech solution, said Andrew Barratt, vice president at Coalfire. Barratt added that these type of attacks are more impactful to small businesses that might not crosscheck purchase orders against an invoice before paying it.
“It does require an attacker to try invoicing for a mass market service, so I’d expect to see these going out posing as Office 365 subscription payments or something else that there's a high probability of being a service consumed by a business,” said Barratt. “Part of the defense here is just good accounts payable hygiene. Make sure the invoice has the correct purchase order, that the renewal dates are known, and that the request for payment matches the expected time frame for an invoice.”
Patrick Harr, chief executive officer at SlashNext, pointed out that this kind of trusted services compromise happens with all threats – not just BEC. Harr said it’s very popular with BEC, malicious HTML attachment attacks, and credential phishing attacks – and that’s why training is only one piece of a cybersecurity strategy.
“Hackers use SharePoint, OneDrive, AWS, Hubspot, QuickBooks, PayPal to deliver attacks because they are coming from trusted domains and this increases the likelihood they will bypass traditional email technology that relies on blocklist and domain reputation, plus it will look legitimate to employees with security training,” said Harr. “These threats move fast. That’s because some technology can detect it, but it might take hours or days to make it to a threat database. Therefore, it’s important to have technology that has anti-evasion technology and can perform real-time scans to ensure these threats are stopped before wreaking havoc on an organization.”
Avanan’s Fuchs added that hackers are incredibly adept at adjusting as defenders move to stop them. So much money and technology have been put into defending earlier forms of BEC – and many products have gotten good at stopping it, said Fuchs.
“So hackers have to adjust, and they have here,” said Fuchs. “The cat-and-mouse game of cybersecurity--threat actors exploit a vulnerability, a patch is employed, and back and forth--is always fascinating to watch. It’s the next evolution, and now the onus is on security providers and end-users to harden their defenses.”