Wednesday, February 28, 2018

Trust no one

We don’t know whether the story is true, but the Trojan horse is one of the best-known literary fantasies of all time. We have all heard the tale in which hundreds of warriors hide inside a large wooden horse in order to get past the walls of Troy.

There’s a malicious force lurking behind the cybersecurity of millions of companies, and it’s called Business Email Compromise (BEC). Like the Trojan horse, BEC uses your trust as its biggest weapon and walks into your devices uninvited. According to Agari, very few companies are free of this threat: 96% of organizations were targeted by BEC attacks between June and December 2017, and on average each organization was attacked 45 times over that period.

If that weren’t enough, the FBI makes the threat more tangible by publishing the cost of these attacks: BEC was responsible for losses of more than 5 billion dollars between 2013 and 2016. The main ingredient of these attacks is social engineering: by impersonating a trusted identity, the attacker asks for wire transfers or for confidential data such as W-2 tax forms.

BEC is an effective vector because it carries no payload, which makes it almost impossible for conventional email security to detect or prevent. Markus Jakobsson, Agari’s chief scientist, says that trust is the fuel for these attacks: “At its core, business email compromise is a social engineering attack that leverages familiarity, authority and trust, which can result in billions of dollars of losses to businesses.”

Social networks and free cloud email services make it easy for cyberthieves to identify their victims. It’s as simple as creating an email account that looks like a trusted one and then crafting a believable lure that the recipient trusts. The key to these attacks is the trust the recipient places in the entity or person whose identity is being stolen.

BEC attacks go well beyond a single email and come in a wide variety of forms, from display-name deception and look-alike domains to domain spoofing. Bear in mind that BEC attacks differ from phishing or spear-phishing attacks in that there is no payload, such as a malicious file or a malicious URL.

These attacks are widespread, and conventional cybersecurity solutions are not effective against BEC. Analyzing advanced email-based attacks, Agari found that 81% of BEC attackers relied on display-name deception, 12% on domain spoofing and 7% on look-alike domains that pass unnoticed.

Conventional email security solutions such as SEGs, ATP or TAP try to identify attacks by monitoring for malicious payloads, attachments, URLs and other signs of inappropriate behaviour. Because they carry no malicious payload, attackers can get past these defences simply by posing as a person, a partner or a trusted company.
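As an added illustration (not code from the original post or from Agari), the following triage rule classifies the sender of a message into the three impersonation styles mentioned above, using a constructed list of trusted domains and contact names and the gateway's SPF/DKIM result as the only signals:

```python
from email.utils import parseaddr

# Constructed sample data: the domains and display names a gateway rule would trust.
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_NAMES = {"jane doe", "accounts payable"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Fold common homoglyph substitutions (rn->m, 0->o, 1->l, vv->w)."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def classify_sender(from_header: str, auth_results: str = "") -> str:
    """Return 'ok', 'domain-spoofing', 'look-alike-domain',
    'display-name-deception' or 'unknown-sender' for a From header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        # Exact trusted domain is genuine only if the gateway's SPF or DKIM check passed;
        # otherwise the envelope is being spoofed.
        if "spf=pass" in auth_results or "dkim=pass" in auth_results:
            return "ok"
        return "domain-spoofing"
    for trusted in TRUSTED_DOMAINS:
        # Homoglyph match or a domain within two edits of a trusted one (threshold
        # is a constructed choice; tune it for short real domains).
        if (normalise_domain(domain) == normalise_domain(trusted)
                or edit_distance(domain, trusted) <= 2):
            return "look-alike-domain"
    if display.strip().lower() in TRUSTED_NAMES:
        # Known contact's name on a foreign address: the 81% case.
        return "display-name-deception"
    return "unknown-sender"
```
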

“Business email compromise has become a pervasive threat that targets nearly every organization, often slipping past conventional email security solutions undetected,” said Greg Temm, chief information risk officer, FS-ISAC. “BEC opens organizations up to financial losses and could put customers’ investments at risk. Urgently deploying effective security controls and educating employees are some of the best ways to deal with this type of attack.”

The most effective weapon against these attacks is to keep your eyes wide open and to verify the origin of every suspicious email. If in doubt, simply pick up the phone and confirm that the email is genuine. Spare yourself an unpleasant surprise.
