How to deal with internal BEC

BEC attacks that use compromised mailboxes are especially dangerous. Here’s how we learned to identify them.

In recent years, business e-mail compromise (BEC) attacks have become more frequent. Their objective is to compromise business correspondence for the purpose of committing financial fraud, extracting confidential information, or harming a company’s reputation. In our previous post about the types of BEC and ways to deal with them, we mentioned e-mail hijacks. Today, however, we’re talking about the most dangerous type of BEC attack — the internal BEC. We recently developed and implemented a new technology to protect against this particular threat.

Why an internal BEC is more dangerous than an external one

Internal BEC attacks differ from other attack scenarios in that fraudulent e-mails are sent from legitimate addresses within one company. In other words, to initiate an internal attack, an attacker has to have gained access to an employee’s mail account. That means you cannot rely on e-mail authentication mechanisms (DKIM, SPF, DMARC) to prevent one; nor will standard automatic antiphishing and antispam tools, which look for inconsistencies in technical headers or altered addresses, help.

Usually the letter from the compromised mailbox contains a request to transfer money (to a supplier, contractor, tax office), or send confidential information. And it’s all seasoned with some fairly standard social-engineering tricks. The cybercriminals try to rush the recipient (if we don’t pay the bill today, the company will get fined!), make threats (I asked you to make the payment last month, what the hell are you waiting for?!), adopt an authoritative tone that brooks no delay, or use other ploys from the social-engineering playbook. Combined with a legitimate address, it can create a very convincing impression.

Internal BEC attacks can also deploy e-mails with links to fake sites whose URLs differ from the target organization’s address (or another trusted page) by just one or two letters (an upper-case “i” instead of a lower-case “L,” or vice versa, for example). The site might host a payment form or questionnaire asking for confidential information. Consider receiving an e-mail something like this from your boss’s address: “We decided to send you to the conference. Book the ticket from our account ASAP so we can get the early-bird discount.” Together with a link that looks like the site of the most important event in your industry, that looks pretty convincing. What are the odds you’ll take the time to carefully study each letter in the name of the conference if everything, down to the e-mail signature, seems fine?
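A mail filter can do the letter-by-letter comparison that a hurried recipient will not. The sketch below is an added example, not part of the original article or of any Kaspersky product: it flags links whose host imitates a trusted domain through look-alike glyphs or a one- or two-letter difference. The trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation trusts (constructed values).
TRUSTED = ("example.com", "industry-summit.example")
# Glyphs that look alike in many fonts, folded to one representative.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})
URL_RE = re.compile(r"https?://[^\s<>\"'\[\]]+", re.IGNORECASE)

def skeleton(host):
    """Lower-case the host and fold look-alike glyphs ("rn" reads as "m")."""
    return host.lower().translate(CONFUSABLE).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_links(body, trusted=TRUSTED, max_dist=2):
    """Return (url, imitated_domain, reason) for links that mimic a trusted host."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host or any(host == t or host.endswith("." + t) for t in trusted):
            continue  # a trusted domain or one of its subdomains
        for t in trusted:
            if skeleton(host) == skeleton(t):
                findings.append((url, t, "confusable glyphs"))
                break
            if edit_distance(host, t) <= max_dist:
                findings.append((url, t, "edit distance"))
                break
    return findings

# Constructed message body for illustration, not a real sample.
SAMPLE = (
    "Book the ticket ASAP so we can get the early-bird discount: "
    "https://industry-surnmit.example/tickets (agenda: "
    "https://industry-summit.example/agenda , travel: https://www.example.com/travel )"
)

if __name__ == "__main__":
    for finding in lookalike_links(SAMPLE):
        print(finding)
```

Host names are case-insensitive, so a link displayed with an upper-case “I” resolves as a lower-case “i”; that is why the check folds both to the same glyph before comparing.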

How to protect the company from internal BEC attacks

Technically, the e-mail is perfectly legit, so the only way to recognize a fake is to judge the content. By running many crooked messages through machine-learning algorithms, it is possible to identify traits that, in combination, can help determine whether a message is real or part of a BEC attack.

Fortunately (or not), we have no shortage of samples. Our mail traps pick up millions of spam messages around the world every single day. They include a considerable number of phishing e-mails — which are not internal BEC, of course, but employ the same tricks and have the same goals, so we can use them for learning. To start with, we train a classifier on this large volume of samples to identify messages containing signs of fraud. The next stage of the machine-learning process operates directly on the text. The algorithms pick out terms for detecting suspicious messages, on which basis we develop heuristics (rules) our products can use to identify attacks. A whole ensemble of machine-learning classifiers is engaged in the process.

But that’s no reason to sit back and relax. Our products can now detect far more BEC attacks than before, but having gained access to an employee’s e-mail account, an intruder can study their style and try to imitate it during a unique attack. Vigilance is still critical.

We recommend that you look long and hard at messages requesting a financial transfer or disclosure of confidential data. Add an extra layer of authentication by phoning or messaging (in a trusted service) the colleague in question, or speaking to them in person to clarify the details.

We use the heuristics our new anti-BEC technology generates in Kaspersky Security for Microsoft Office 365, and we have plans to implement them in other solutions as well.