NTT Ltd’s October Threat Report highlights BEC attacks and takes a look at the OZIE Team. Business Email Compromise (BEC) attacks have soared during the lockdown. The Anti-Phishing Working Group (APWG) reported that the average BEC attack in Q1/2020 was $54,000. In Q2, that soared to $80,183.
Jon Heimerl, Sr Manager, Global Threat Intelligence Team at NTT Ltd, says that between 2016 and 2019, 166,349 BEC incidents led to over US$26 billion in losses. It means that on average, customers lose up to $156,300 per attack. Some attackers such as the Russia-based Cosmic Lynx are bilking customers for an average of $1.27 million per attack.
Enter the OZIE Team
Jacob Faires, Senior Analyst, Security Threat Intelligence, Global Threat Intelligence Center, NTT Ltd, provides details on OZIE Team. It is a BEC group based in Nigeria. Faires estimates that OZIE Team has targeted 852,541 domains.
Each attack is fairly simple and follows a similar pattern:
- Gather target email addresses from public and private sources.
- Send malspam to a targeted group, generally a country/region or industry.
- Use keylogger data of successfully compromised victims to access email accounts.
- Identify lucrative transactions.
- Gain access to the conversation in a way that enables the actor to change bank account information.
- Commit wire fraud.
Nothing about OZIE Team is sophisticated. It uses commodity malware that Faires says is purchased from sites such as HackForums.net and private Discord groups. Malware is purchased using Bitcoin, Bitcoin Cash and Perfect Money.
The malware that NTT has seen used by OZIE Team includes the Agent Tesla and Hawkeye keyloggers. They also use malspam with email subject lines reading Quotation Request or Proforma Invoice. To evade detection, the Cassandra and Atilla crypters have been used. In 2020, NTT says there was a significant increase in the number of malware tools used by the group. This was intended to mask an increase in activity and reduce the chance of detection.
Who is OZIE Team targeting?
Unlike some BEC groups, OZIE Team has focused on four main industries:
- Food Distribution
By limiting the number of industries, the group is able to gather domain knowledge. This enables them to create emails that are more accurate and believable. The group also rotates its attacks on a two-week cycle. This is believed to be another anti-detection measure that makes its campaigns harder to track.
Faires details one such attack that was active over several months. During this period, OZIE Team were able to steal over $290,000 from a company in Mexico. The victim thought it was dealing with a company based in Texas. Instead, OZIE Team were able to insert themselves into the middle of the business conversation. As such, they could change the bank account details for where the money was to be sent.
What is a BEC Attack?
In short, it is a phishing attack using social engineering to steal money. It persuades people to send money to bank accounts controlled by the attackers. The attacks often exploit weaknesses in the processes and procedures of an organisation. For example, an email pretending to come from the CEO or CFO asking for an invoice to be paid urgently. It will often claim that the director is unavailable so the person receiving the email cannot verify it.
Another tactic is to say that the monies are needed to secure goods that the company needs urgently. If the attack targets an existing business relationship, it will say that bank accounts have been changed and provide new details.
Despite the warnings about these attacks, they continue to happen. They are not just targeted at ordinary employees. Directors, CFOs and CEOs are just as likely to be the target. Cybercriminals use the stolen email and login credentials of directors to launch attacks. In 2016, an Austrian aeronautics company lost over €43 million in one attack. The attack used the stolen credentials of the CEO and persuaded the company to wire over €50 million for an acquisition project. Although part of the payment was stopped, the rest of the money was lost.
Heimerl provides more information on the effectiveness and evolution of BEC attacks over the last several years. He explains how attacks have become more automated and effective. Additionally, as more and more malware is available cheaply through marketplaces, the barrier for entry is falling.
In a recent podcast Heimerl commented on BEC attacks saying: “I think it’s a good example of saying how the pandemic has changed the way people work. If I’m working at home now when I used to sit in the office next to my boss, I could walk next door and ask him or I could yell through the wall or whatever made sense.”
Enterprise Times: What does this mean?
Make something profitable and easy, and there will always be a queue of people waiting to do it. That is the case with BEC attacks. What was once something that took time, was carefully researched and highly targeted has now become commonplace. BEC attacks now account for more than 50% of all losses to cybercriminals.
What is worrying about the rise of BEC attacks is that they are getting easier and more profitable. Most of the headline attention is on ransomware as the impact of an attack is so public and widespread. However, most cybercriminals using ransomware are tailoring their attacks to get the fastest possible payment. Additionally, the moves by the US to warn off banks and cyber insurers from paying ransoms is likely to slow the profits.
By comparison, BEC attacks are not paid for in cryptocurrency. They appear to be just a typical business transaction. This makes them very difficult for banks and victims to spot and stop. The only real way to deal with them is to improve processes inside organisations to ensure payments are verified. Too many people rely on just email. A phone call to a supplier would expose many BEC attacks, as would checking with a bank when details change.
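As an added illustration of the payment-verification control described above (example code, not from the NTT report or from Enterprise Times), the check below holds any payment whose bank details differ from the vendor record until a callback to the phone number already on file has been recorded. Vendor records and payment requests are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Vendor:
    name: str
    iban: str
    phone_on_file: str   # taken from the original contract, never from an email

@dataclass
class PaymentRequest:
    vendor: str
    iban: str                        # account the email asks us to pay
    amount: float
    verified_by_callback: bool = False
    callback_phone: Optional[str] = None   # number actually dialled to verify

def review_payment(req: PaymentRequest, registry: Dict[str, Vendor]) -> Tuple[str, str]:
    """Return (decision, reason). Anything other than APPROVE* must not be paid."""
    vendor = registry.get(req.vendor)
    if vendor is None:
        return "HOLD", "unknown vendor: onboard through procurement, not via email"
    if req.iban == vendor.iban:
        return "APPROVE", "bank details match the vendor record"
    # Bank details differ from the record: this is the BEC pattern. Accept the
    # change only if someone phoned the number on file; a number supplied in the
    # same email thread may be controlled by the attacker.
    if req.verified_by_callback and req.callback_phone == vendor.phone_on_file:
        return "APPROVE_UPDATE", "change verified by phone to the number on file"
    if req.verified_by_callback:
        return "HOLD", "callback went to a number not on file; re-verify"
    return "HOLD", "bank details changed; verify by phone before paying"

# Constructed sample data (hypothetical vendor, IBANs and phone numbers).
REGISTRY = {"Acme Supplies": Vendor("Acme Supplies", "GB00EXAMPLE0001", "+44 20 0000 0001")}

def demo() -> Tuple[str, str, str]:
    unchanged = PaymentRequest("Acme Supplies", "GB00EXAMPLE0001", 12000.0)
    changed = PaymentRequest("Acme Supplies", "GB00EXAMPLE0099", 12000.0)
    changed_bad = PaymentRequest("Acme Supplies", "GB00EXAMPLE0099", 12000.0,
                                 verified_by_callback=True, callback_phone="+44 20 0000 0999")
    return (review_payment(unchanged, REGISTRY)[0],
            review_payment(changed, REGISTRY)[0],
            review_payment(changed_bad, REGISTRY)[0])

if __name__ == "__main__":
    print(demo())
```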
For now, groups such as OZIE Team continue to reap over $708 million every single month.