The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

This sneaky kind of cybercrime rules them all

Analysis by

with research by Aaron Schaffer

October 21, 2022 at 7:23 a.m. EDT

Welcome to The Cybersecurity 202! We don’t really cover it in today’s edition, but I partly suspect one of the reasons BEC (defined below) doesn’t get as much attention as other cybercrimes is because it has a lame-sounding acronym.

Below: Records indicate that an Indian intelligence agency bought equipment from NSO Group, and an undersea cable disruption causes issues on an island. But first:

This little-discussed kind of cybercrime accounts for billions in losses — and might still be growing

As ransomware steals the headlines, another kind of cybercrime is quietly making off with far, far more money — and there are signs it’s on the rise, too.

In “business email compromise,” or BEC, criminals pose as someone a victim trusts, such as their company’s CEO, sometimes by hacking them and taking over their email. The criminals send an urgent message to transfer money, which they then pilfer.

BEC regularly tops the FBI’s annual list of costliest internet crimes, which the bureau compiles from complaints filed with it. In 2021, BEC accounted for roughly a third of the year’s $6.9 billion in reported cyber losses, around $2.4 billion. Ransomware lagged far behind at about $50 million in reported losses. An FBI alert from May said BEC losses and attempted thefts increased as a result of the coronavirus pandemic, which pushed companies to conduct more routine business virtually.

During the second quarter of this year, cybersecurity company Arctic Wolf said BEC’s share of the incidents it responded to doubled, from 17 percent to 34 percent.

Adding to the risks of BEC, it’s also a kind of cybercrime that thrives on volume.

“We end up with a situation that is really death by 1,000 papercuts,” Pete Renals, principal threat researcher for Palo Alto Networks’ Unit 42, told me. (The company this year alone has aided in multiple Interpol and Nigerian Police Force operations to arrest BEC suspects.)

Why it works

There are a number of reasons BEC has proven so effective for so long.

Most of what the BEC criminals do is “really easy,” and the techniques have been honed over time such that “they’re really just rinsing and repeating at this stage of BEC evolution,” Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, told me.

It’s not hard to deploy malware that steals access to accounts and sends an email to a victim from that compromised account, he said. The part that’s harder is setting up the bank accounts to move money around, he said, but gangs have figured out how to manage that, too.

The criminals also don’t have to target big companies to be effective, Kalember said.

  • “The truth is, they really don’t need the big fish most of the time. We have seen them, in fact, be very, very active in much smaller organizations that simply happen to be in sectors where lots of money is moved around solely based on digital communications and between parties that don’t necessarily know each other all that well,” Kalember said.

It’s also a kind of crime that takes advantage of people’s trusting nature, Daniel Thanos, vice president of Arctic Wolf Labs, told me. “Human nature sometimes is too trusting,” he said. “People also respond to urgency.”

  • That doesn’t mean they’re entirely to blame; the criminals are crafty about making the emails look authentic, sometimes using information they gleaned from social media to tailor their messages, Thanos said.

Unlike other cyber-related crimes, the victims don’t always know they’ve been hit until much later, Renals said. A ransomware attack encrypts an organization’s systems, grinding everything to a halt immediately. Law enforcement can help get ransom payments back, but by the time someone realizes they’ve been scammed by a BEC criminal, the money’s usually long gone.
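The tells described in this section can be turned into a first-pass screen on inbound mail. The Python below is an added example, not code from the newsletter or from Proofpoint, Unit 42 or Arctic Wolf: it flags an executive’s display name on an outside address, a Reply-To that quietly reroutes the conversation, a sender domain a character or two off the company’s own, and the urgency and money-movement wording the scam depends on. The organisation, the executive directory and the three messages are constructed for the example. The caveat written into it is the important one: when the criminals have actually taken over the executive’s mailbox, as the section above notes they sometimes do, every header check passes, which is why the payment process itself has to be the backstop.

```python
"""Header and content heuristics for executive-impersonation BEC.

Added example; not code from the newsletter or from any vendor quoted in it.
The defending organisation, its executive directory and the three sample
messages are all constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "example-corp.com"                           # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed directory
LOOKALIKE_MAX_DISTANCE = 2
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|confidential|wire|transfer)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; two or fewer edits from our domain counts as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg) -> str:
    """Plain-text body of a single-part or multipart message."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def screen(raw: str) -> List[str]:
    """Return the BEC indicators found in one message; an empty list is clean."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    # 1. An executive's display name on an address that is not the one on file.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name impersonation")
    # 2. Replies rerouted to an address the recipient never saw.
    if reply_to and reply_to != addr:
        findings.append("reply-to mismatch")
    # 3. Sender domain a character or two away from ours (exarnple-corp.com).
    if domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        findings.append("lookalike domain")
    # 4. The urgency and money-movement phrasing the scam relies on.
    if URGENCY.search(body_text(msg)):
        findings.append("urgency language")
    # Caveat: mail from a genuinely compromised executive mailbox passes checks
    # 1-3; only a payment process that never acts on email alone stops that case.
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "webmail impersonation": (
        'From: "Jane Doe" <jdoe.ceo@webmail.example>\n'
        "Reply-To: <jdoe.private@webmail.example>\n"
        "Subject: Quick request\n\n"
        "I need an urgent wire transfer processed today. Keep this confidential.\n"),
    "lookalike domain": (
        'From: "Jane Doe" <jane.doe@exarnple-corp.com>\n'
        "Subject: Vendor bank details\n\n"
        "Please send me the vendor's updated bank details for tomorrow's payment run.\n"),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example-corp.com>\n'
        "Subject: Meeting notes\n\n"
        "Notes from today's meeting are attached.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22} -> {screen(raw) or ['clean']}")
```

Treat the output as triage input, not a verdict: the lookalike check is deliberately narrow (edit distance only, no homoglyph or TLD-swap handling), and none of the four checks sees a message sent from a mailbox the attacker already controls.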

Under the radar

BEC doesn’t get as much attention in part because of the ways it’s not like ransomware. 

It’s not destructive, like a ransomware attack can be if it shuts down a hospital’s systems. Because it doesn’t hit key systems, it’s not treated as any kind of national security threat, Renals said. Because of the “death by 1,000 papercuts” effect, the smaller heists that add up over time are also less likely to make news, he said.

Many of the thefts might not even get reported. That’s because being the victim of a BEC scam is potentially more embarrassing than suffering a ransomware attack, Renals said.

“With ransomware, they got into a vulnerability in your network. It happens,” he said. “With business email compromise … that is a very embarrassing story to say, ‘Hey, I got an email from the CEO that told me to transfer money and I did it.’ Nobody wants to own up to that because there’s more of a human aspect there.”

BEC also isn’t interesting in a technical way that might get a ton of attention from security researchers who would make headlines presenting about it at a high-profile cyber conference, Kalember said.

Some of the ways to defend against BEC are similar to the way anyone would defend against most cyberattacks, like using multi-factor authentication to protect email accounts.

Some sound more mundane, but can make a big difference. “Have an actual process that is validated and tested for how you authorize funds to leave your company,” Renals said. “No funds should ever leave you just based off an email, right? There should be someone you call, there should be a piece of paper that has to be signed and physically handed.”
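Written down as a control, “no funds should ever leave you just based off an email” looks like the gate below. It is an added example, not the newsletter’s or Unit 42’s code: the message is treated as a request only; approval must come from someone other than the requester, and from two people above a threshold; and whenever the beneficiary account differs from the one captured at vendor onboarding, the clerk must confirm it by calling the number on file, never a number the message itself supplies. The vendor master record, the threshold and the three scenarios are constructed for the example.

```python
"""A payment-release gate that never acts on an email alone.

Added example; not code from the newsletter or from any vendor quoted in it.
The vendor master record, the dual-control threshold and the scenarios are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed: account and callback number captured at vendor onboarding and
# never updated from the contents of an email.
VENDOR_MASTER = {"V-100": {"account": "GB29NWBK60161331926819", "callback": "+44 20 7946 0000"}}
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: int
    account: str                                 # beneficiary account the request names
    requested_by: str
    callback_in_request: Optional[str] = None    # any phone number the message itself supplies


@dataclass
class Verification:
    approvers: List[str] = field(default_factory=list)   # recorded in the payment system, not by email reply
    callback_number_used: Optional[str] = None            # number the clerk actually dialled
    callback_confirmed: bool = False                      # vendor confirmed the account on that call


def unmet_controls(req: PaymentRequest, ver: Verification) -> List[str]:
    """Return every control the request fails; release only when the list is empty."""
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        return ["vendor not in master file: onboard first, do not pay"]
    problems = []
    # 1. The message is a request, never an authorisation: approval comes from
    #    someone other than the requester, and from two people above the threshold.
    approvers = {a for a in ver.approvers if a != req.requested_by}
    if len(approvers) < len(set(ver.approvers)):
        problems.append("requester cannot approve their own payment")
    if not approvers:
        problems.append("no approval outside the requesting message")
    elif req.amount >= DUAL_CONTROL_THRESHOLD and len(approvers) < 2:
        problems.append("amount at or above dual-control threshold needs two approvers")
    # 2. A beneficiary that differs from the record is the BEC payload. It is
    #    confirmed by calling the number of record; a number supplied in the
    #    request is under the attacker's control, so a call to it proves nothing.
    if req.account != record["account"]:
        if ver.callback_number_used != record["callback"] or not ver.callback_confirmed:
            if req.callback_in_request and ver.callback_number_used == req.callback_in_request:
                problems.append("callback went to the number supplied in the request, not the number of record")
            else:
                problems.append("changed beneficiary not confirmed on the number of record")
    return problems


def scenarios() -> Dict[str, Tuple[PaymentRequest, Verification]]:
    """Constructed cases: the classic CEO-email wire, the same payment done properly, a self-approval."""
    ceo_wire = PaymentRequest("V-100", 48_000, "DE89370400440532013000",
                              requested_by="jane.doe@example-corp.com",
                              callback_in_request="+44 7700 900123")
    return {
        "ceo email, clerk rang the number in the email": (
            ceo_wire, Verification(approvers=["ap.clerk"],
                                   callback_number_used="+44 7700 900123", callback_confirmed=True)),
        "same payment, verified on the number of record": (
            ceo_wire, Verification(approvers=["ap.clerk", "controller"],
                                   callback_number_used="+44 20 7946 0000", callback_confirmed=True)),
        "clerk approves own small payment": (
            PaymentRequest("V-100", 500, "GB29NWBK60161331926819", requested_by="ap.clerk"),
            Verification(approvers=["ap.clerk"])),
    }


if __name__ == "__main__":
    for label, (req, ver) in scenarios().items():
        print(f"{label}: {unmet_controls(req, ver) or 'RELEASE'}")
```

The first scenario is the one Renals describes: the clerk did make a phone call, but to the number the email provided, so the “confirmation” came from the attacker. The gate rejects it on that ground alone, independent of whether the email was spoofed or sent from the CEO’s real, compromised mailbox.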

The keys

India’s spy agency bought NSO equipment, documents show

Import data shows that India’s domestic intelligence agency received a shipment of hardware from NSO Group in 2017 that matches what has been used to run Pegasus spyware, the Organized Crime and Corruption Reporting Project’s Sharad Vyas and Jurre van Bergen report. While it doesn’t conclusively show that the agency purchased Pegasus, it adds to a growing body of evidence about India and the spyware.

“The consignment included Dell computer servers, Cisco network equipment, and ‘uninterruptible power supply’ batteries, which provide power in case of outages, according to a bill of lading obtained through a global trade data platform that draws on national customs documents,” they write. “The shipment, delivered by air, was marked ‘for Defence and Military Use’ and cost $315,000. That description — and the timing of the shipment — appeared to match the account given in January by the New York Times, which reported that Pegasus and a missile system had been ‘centerpieces’ of a major 2017 arms deal between Israel and India.”

Pegasus has infected at least seven phones in India, The Post previously reported. Indian authorities said at the time that “the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever.” It also said lawful surveillance occurs through a “well established procedure.” NSO Group denied the “false claims” in reports by The Post and its media partners.

NSO Group and the spy agency, the Intelligence Bureau, didn’t respond to OCCRP’s request for comment.

Bitfinex hacking victims want stolen bitcoins back

U.S. authorities seized billions of dollars in stolen cryptocurrency whose value soared after a 2016 hack, but Bitfinex and its customers could battle in court over who the rightful owners are, CNBC’s Jessi Joseph and Eamon Javers report. Bitfinex says it made its customers whole by providing them with digital tokens they could sell after the hack, but some customers say what they were given wasn’t valuable and they didn’t have another choice besides accepting the funds.

“Essentially, Bitfinex wants the bitcoins that were stolen in the 2016 hack returned to the company and it will give a portion of that back to some of their customers in cash, not in bitcoins,” Joseph and Javers write. “But some of the hack victims still assert the bitcoins belong to them. And the idea that they could lose their bitcoins not once, but twice, seems impossible.”

People and entities who claim that their money was stolen will be able to submit claims to a court that will decide how the money will be distributed, Deputy Attorney General Lisa Monaco told CNBC. But authorities are still prosecuting a couple — Heather Morgan and Ilya Lichtenstein — who they say conspired to launder the cryptocurrency, and that could hold up the process.

Cable disruptions affect island’s internet service

Scottish First Minister Nicola Sturgeon said there was an emergency situation on Shetland after the disruption of an undersea cable, the BBC reports. People on the islands were not able to use some telephones or pay with credit cards at some shops, the outlet reported.

Faroese Telecom's head of infrastructure, Páll Vesturbú, told the BBC that the firm believes the cable disruption — and another one last week, which affected a cable connecting Shetland and Faroe — was caused by a fishing vessel.  

NATO has warned that undersea cables are vulnerable and some experts fear that Russia could target cables, which transmit most internet traffic, amid the war in Ukraine. In April, U.S. authorities in Hawaii said they had disrupted a “significant breach involving a private company’s servers associated with an undersea cable” by an “international hacking group.” They haven’t released additional information.

Cyber insecurity

MercyOne says it has begun restoring systems following ransomware attack (Des Moines Register)

Global cyberspace

Twitter purges foreign network of fake accounts trying to sway Israeli elections (Haaretz)

Hill happenings

Loeffler's texts post-2020 election go public, raising new investigative questions (Politico)

Government scan

Top DOJ official 'pleased' with multiagency and branch response to courts data breach (CyberScoop)

Secure log off

Thanks for reading. See you next week.