To some degree or another, we all pretty much use the Cloud. Even if you do not have a direct with an Internet Service Provider (ISP), you still use it even if you have a Facebook, Twitter, or LinkedIn account. After all, where would they be accessible, they have to be stored on some sort of database and Web Server somewhere, right?
But, one term you may not have heard of before is “. . . as a Service”. This is a huge buzzword with the Cloud. One the biggest ones out there is “Software as a Service”. This is simply meaning that once you open up your own personal account with ISP, your soft will be able to purchase software packages (such as E-Mail, Content Management Systems, etc.) on demand and within seconds.
The best news about this is that through the Software as a Service model (which is actually abbreviated SaaS), your software packages come literally at a fraction of the price it would cost retail. Take for example Microsoft Exchange. If you were to buy it at the retail level, it would cost literally thousands of dollars. But getting it as a SaaS or hosted offering, you can get it as low as $20.00 per month, depending upon you sign up with.
While this is of course very advantageous to individuals and businesses, it can also be a highly profitable business for the Cyber attacker. There is now a trend which is picking up in which they can offer their services literally “. . . as a Service”. But of course, this so-called “Cyber-attack as a Service” is not publicly available . . . they can only be procured via the Dark Web.
One such area which is being offered as a service is Business E-Mail Compromise, or BEC for short. I have written about this before, and essentially, it involves using a combination of both Phishing and Social Engineering in order to get money wired from a business or corporation into a fraudulent account, which is located overseas, such as in China, Russia, or even North Korea.
Just consider these stats:
*It has cost Corporate America alone $12 Billion in the last five years;
*Over 12 Million E-Mail archives have been misconfigured, thus leaving the doors wide open for the Cyber attacker;
*Because of the above stat, BEC is ow one of the most favored attack vectors, especially in the finance industry, just consider these numbers:
- 27,000 invoices, 7,000 purchase orders, and 21,000 payment records have been easily accessed by a Cyber attacker;
- 33,568 Finance Department E-Mail addresses have been exposed to a Cyber attacker;
- Of the above, 83% of those accounts have weak passwords associated with them (such as “password”, or “1234”, etc).;
- The most sought after financial domains include those of “ap@,” “ar@”, “accounting@,” “accountreceivable@,” “accountpayable@” and invoice@.
In fact, the above domains have become so valuable that it was reported that one Cyber attacker even offered up to $5,000 for the username and password combination for just one E-Mail account. Now given how lucrative the BEC Cyber threat has become, the Cyber attacker of today is now cutting down the work that they do to launch a BEC Cyber threat, and outsourcing it to others who want to earn a piece of the pie. This is now becoming known as “BEC as a Service” on the Dark Web.
In fact, one could procure this kind of service for as low as $150.00/month. Results and financial gain are promised within a week. But an even more lucrative proposition is if you actually help the Cyber attacker in harvesting E-Mail accounts that can be easily compromised. In fact, it has been discovered that one Cyber attacker was trying to recruit workers whom were unhappy, terminated, fired, or laid off from their current position in an effort to get access not only to these particular accounts, but even the entire E-Mail server as well.
The reward for that? A 20% cut of all of the money that could transferred into an illegal banking account.
What can an organization do to protect themselves?
Well, if you think about it, the only logical way in which somebody would want to rent out “BEC as a Service” are those kinds of employees just described up above. This would be a form of an Insider Attack, and your best bet would be to immediately delete all of their accounts and purge them from your servers once you have let an employee go.
At least this will provide some assurances that they will not have easy access to your E-Mail servers and other associated systems. Be especially careful of contractors making use of Network Attached Storage (NAS) devices; make sure that that you have encryption deployed on them. Other steps you can take:
*The strategies for recovering from a BEC Attack should be clearly stipulated in your Business Continuity and Disaster Recovery planning;
*Make sure that you have multiple layers of authorization involved in any sort of wire transfer;
*Work with your financial institution to make sure that the right controls are put in place – remember, once a wire transfer has been initiated, it cannot be reversed!!!
*Always be on the look out for exposed E-Mail addresses, especially those of your C-Level Execs, after all, they will be the first target that the Cyber attacker will go after;
*Implement controls so that your E-Mail archives are not publicly exposed.
Of course, these are all easier said than done. But with “BEC as a Service” now becoming more popular, you really need to be watchful of your employees – as they can still be considered as the weakest link in the Security Chain.