Ransomware Gangs are Weaponizing Their Stolen Data and Making BEC Attacks Easier

Business email compromise (BEC) attacks have been increasing. According to the Federal Bureau of Investigation (FBI), BEC is the costliest type of cybercrime and resulted in $43 billion in losses between June 2016 and December 2021. In 2021 alone, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 BEC complaints, with almost $2.4 billion lost to the scams. Abnormal Security reports an 84% increase in BEC attacks targeting its customers between the first and second halves of 2021.

BEC, often grouped with email account compromise (EAC), is a scam in which legitimate business email accounts are compromised (or closely spoofed) and used to send emails to colleagues and suppliers to trick them into disclosing sensitive information or, most commonly, making fraudulent wire transfers. Individual transfers often run to hundreds of thousands or millions of dollars. By the time a scam is identified, the funds have usually been moved out of the attacker-controlled accounts and cannot be recovered.

Payments of that size require the target company to be researched first. This reconnaissance stage is the most time-consuming part of the attack, but given the potential profits, it is time well spent. To get the highest returns, the scammers need to identify the vendors a targeted company uses and discover when payments are due. If they can learn about pending mergers and acquisitions, or obtain invoices and contracts, they can craft convincing campaigns and time their requests for transfers so that they appear routine.

According to a new report from Accenture’s Threat Intelligence team, the increase in ransomware attacks is fueling the increase in BEC attacks. Ransomware gangs now typically steal sensitive data before encrypting files and post that data on their data leak sites to pressure victims into paying. The leaked data can include financial records, invoices, contracts, client information, employee information, internal communications, and even credentials for accessing accounts, all of which BEC actors can download. That is exactly the information BEC scammers need to select their targets and conduct convincing scams.

“A threat actor can increase the likelihood that a social engineering ploy will succeed by determining a target’s internal language, such as company-specific acronyms and phrases, allowing threat actors to avoid use of non-standard company language, a tell-tale sign of fraud,” explained the researchers. “Dedicated leak site data further reduces the likelihood of a target discovering a social engineering ploy by allowing actors to better adhere to internal organizational pathways. For example, it facilitates following typical, anticipated communication channels and command chains.”

Accenture said it observed more than 4,000 attacks on businesses and government agencies between July 2021 and July 2022 in which sensitive data was posted to the data leak sites of the 20 most active ransomware gangs. Working through the data published on leak sites can be difficult and time-consuming because of the sheer volume uploaded, but Accenture reports that many ransomware operations now provide the stolen data in an easily usable format and have moved from Tor sites on the dark web to publicly accessible sites on the clear web. Some threat actors now also offer indexed, searchable data. That makes it even easier for fraudsters to use the data in their attacks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news