Understanding BEC: How It Happens Even With MFA in Place

  Courtney Pereira | 03/28/2024

Despite the widespread adoption of Multi-Factor Authentication (MFA), stories about MFA-protected accounts being compromised continue to circulate. In most of these cases MFA was not bypassed in any technical sense; it was configured so that it never applied to the sign-in that mattered.

The Misconfiguration Issue

A common mistake is configuring MFA so that the second factor is requested only on a timer, typically once every 4 to 8 hours, rather than on every new sign-in. A user logs into email in the morning, completes both factors, and is not prompted again for the rest of the working day. If nothing adaptive sits behind that window (no check that an access attempt comes from a known device, a familiar browser, or a plausible location), any sign-in that presents a valid password inside the window is treated as already verified. In effect, such a configuration dilutes MFA back to single-factor authentication for most of the day and significantly increases the risk of account compromise. A related mistake is pairing a long window with a long session or token lifetime: even after the window expires, a session established earlier stays valid without a new challenge.
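To make the difference concrete, the following is an added example (not code from this article or from any identity provider) that evaluates a timer-only policy and an adaptive policy over constructed sign-in events. The SignIn fields, the BASELINE table and both policy functions are assumptions made for this illustration; a real identity provider exposes the same decisions under its own settings (sign-in frequency, remembered devices, risk-based prompts).

```python
"""Weak versus corrected MFA re-authentication policy over constructed sign-in events.

Added illustration, not code from the article or from any identity provider. The
SignIn fields, the BASELINE table and both policy functions are assumptions made
for this example.
"""
from dataclasses import dataclass

REAUTH_WINDOW_MINUTES = 8 * 60  # the "4 to 8-hour" window described above


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str                 # country of the source IP
    browser: str                 # browser/OS family from the user agent
    known_device: bool           # device previously enrolled or seen for this user
    minutes_since_last_mfa: int  # minutes since this account last satisfied MFA


# What each user normally looks like; in practice learned from prior MFA-backed
# sign-ins. Constructed for the example.
BASELINE = {
    "alice@example.com": {"countries": {"US"}, "browsers": {"Chrome/Windows"}},
}


def weak_policy(ev: SignIn) -> bool:
    """Misconfigured policy: only the clock decides whether a second factor is
    requested. Returns True when a second factor is required."""
    return ev.minutes_since_last_mfa >= REAUTH_WINDOW_MINUTES


def corrected_policy(ev: SignIn) -> bool:
    """Adaptive policy: any new device, country or browser forces a second factor
    regardless of the clock; the window only applies to an already-known context."""
    base = BASELINE.get(ev.user, {"countries": set(), "browsers": set()})
    if not ev.known_device:
        return True
    if ev.country not in base["countries"]:
        return True
    if ev.browser not in base["browsers"]:
        return True
    return ev.minutes_since_last_mfa >= REAUTH_WINDOW_MINUTES


# Constructed events for one working day.
MORNING_SIGNIN = SignIn("alice@example.com", "US", "Chrome/Windows", True, 15 * 60)
SAME_DAY_SIGNIN = SignIn("alice@example.com", "US", "Chrome/Windows", True, 120)
# The phishing proxy from the attack scenario: Alice's password, but the attacker's
# browser and IP, two hours after Alice completed MFA at her desk.
PROXY_SIGNIN = SignIn("alice@example.com", "DE", "Firefox/Linux", False, 120)


def evaluate(events, policy):
    """Return {event: second_factor_required} for the given policy."""
    return {ev: policy(ev) for ev in events}


if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("corrected", corrected_policy)):
        for ev, challenged in evaluate(
            [MORNING_SIGNIN, SAME_DAY_SIGNIN, PROXY_SIGNIN], policy
        ).items():
            print(f"{name:9} {ev.country} {ev.browser:15} known={ev.known_device!s:5} "
                  f"-> {'challenge' if challenged else 'let through'}")
```

Under the weak policy the proxy sign-in is let through because Alice satisfied MFA two hours earlier; under the corrected policy it is challenged because the device, country and browser are all new. The example models the window as tracked per account, which is the situation the article describes. If your provider tracks it per browser session instead, the proxy's fresh session is challenged anyway, and the attacker's fallback is to relay the MFA prompt as well and steal the resulting session cookie, which is why short session lifetimes and phishing-resistant factors matter alongside the prompt policy.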

How Compromise Occurs

Here’s a step-by-step breakdown of a typical account compromise scenario:

  1. The Phishing Email: You receive a phishing email that appears to come from your organization, stating that you must re-authenticate to enhance security. It mirrors your company’s domain and may even carry your IT administrator’s name.
  2. The Deceptive Link: Clicking the link takes you to a fraudulent website that replicates your real login page. The page itself is trivial to copy; the tell is usually the domain name, which differs from the genuine one in some subtle way.
  3. Credential Theft: When you enter your username and password, the fraudulent site captures them and relays them to the legitimate site from the attacker’s own browser and IP address. If MFA is only demanded on a timer, or only for sign-ins that a risk engine flags and no such engine is configured, that relayed sign-in establishes the attacker’s session without a second factor. Note that where MFA is enforced on every new sign-in, the same proxy simply relays the MFA prompt too and captures the resulting session cookie (adversary-in-the-middle phishing), so the fix is not only to prompt more often but also to keep sessions short and, ideally, to use phishing-resistant factors bound to the legitimate origin.
  4. Email Monitoring and Impersonation: With access to your account, the attacker creates inbox rules that forward copies of your mail to an address they control, often paired with rules that delete or hide messages containing terms such as “invoice” or “wire”. They monitor your communication patterns and payment schedules and learn to replicate your writing style.
  5. Financial Fraud: The attacker identifies a regular payment or wire transfer and, writing as you, instructs the relevant party to redirect it to a new bank account.
  6. Undetected Compromise: Your account continues to operate normally and you keep receiving email as usual, while the messages that matter, for example a counterparty asking you to confirm the new bank details, are covertly diverted or deleted so that you never see the request for verification.
  7. The Final Theft: Payments land in the attacker’s account, which is promptly emptied and closed, often before you realize what has happened.
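Steps 3 and 4 each leave a trace in logs that defenders can hunt for: a sign-in with no MFA claim from an unfamiliar country and browser, followed minutes later by an inbox rule that forwards externally and deletes finance-related mail. The following is an added example (not code from this article or from any vendor) that runs both checks over constructed audit-log lines. The JSON schema (type, user, country, ua, mfa, name, forward_to, delete, keywords) is an assumption chosen for this illustration; map it onto the fields your own sign-in and mailbox audit logs provide.

```python
"""Detection of the two compromise indicators from the scenario above, run over
constructed audit-log lines.

Added example, not code from the article or from any vendor. The JSON schema
(type, user, country, ua, mfa, name, forward_to, delete, keywords) is an
assumption chosen for this illustration.
"""
import json
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com"}
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "remittance"}

# Constructed log lines (not real data). Alice signs in normally, then a proxy
# sign-in from an unfamiliar country and browser carries no MFA claim and is
# followed by a forward-and-delete inbox rule. Bob's rule is benign.
LOG_LINES = [
    '{"ts":"2024-03-11T08:02:10Z","type":"signin","user":"alice@example.com",'
    '"country":"US","ua":"Chrome/Windows","mfa":true}',
    '{"ts":"2024-03-11T10:15:44Z","type":"signin","user":"alice@example.com",'
    '"country":"DE","ua":"Firefox/Linux","mfa":false}',
    '{"ts":"2024-03-11T10:17:02Z","type":"inbox_rule","user":"alice@example.com",'
    '"name":".","forward_to":"a.finance@mail-drop.example","delete":true,'
    '"keywords":["invoice","wire","payment"]}',
    '{"ts":"2024-03-11T10:30:00Z","type":"signin","user":"bob@example.com",'
    '"country":"US","ua":"Chrome/Windows","mfa":true}',
    '{"ts":"2024-03-11T11:00:00Z","type":"inbox_rule","user":"bob@example.com",'
    '"name":"Newsletters","forward_to":null,"delete":false,"keywords":["newsletter"]}',
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours (case-insensitive)."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect(lines):
    """Return a list of findings in log order.

    A per-user baseline of countries and user agents is learned only from
    MFA-backed sign-ins that raised no finding, so an attacker's sign-in cannot
    teach the detector that its own location is normal.
    """
    baseline = defaultdict(lambda: {"countries": set(), "uas": set()})
    findings = []
    for line in lines:
        ev = json.loads(line)
        user, reasons = ev["user"], []
        if ev["type"] == "signin":
            seen = baseline[user]
            if not ev["mfa"]:
                reasons.append("session has no MFA claim")
            if seen["countries"] and ev["country"] not in seen["countries"]:
                reasons.append(f"new country {ev['country']}")
            if seen["uas"] and ev["ua"] not in seen["uas"]:
                reasons.append(f"new user agent {ev['ua']}")
            if not reasons and ev["mfa"]:
                seen["countries"].add(ev["country"])
                seen["uas"].add(ev["ua"])
            kind = "suspicious_signin"
        elif ev["type"] == "inbox_rule":
            fwd = ev.get("forward_to")
            if fwd and is_external(fwd):
                reasons.append(f"forwards to external address {fwd}")
            if ev.get("delete") and FINANCE_KEYWORDS & set(ev.get("keywords", [])):
                reasons.append("deletes messages matching finance keywords")
            if not ev.get("name", "").strip(" ."):
                reasons.append("rule name is blank or punctuation only")
            kind = "suspicious_inbox_rule"
        else:
            continue
        if reasons:
            findings.append({"ts": ev["ts"], "user": user, "kind": kind, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f"{f['ts']} {f['user']} {f['kind']}: {'; '.join(f['reasons'])}")
```

On the sample lines the detector raises exactly two findings, both for Alice: the proxy sign-in (no MFA claim, new country, new user agent) and the inbox rule that follows it. Bob's newsletter rule and MFA-backed sign-in produce nothing. The country check is deliberately one signal among several, because operators who route through residential proxies in the victim's own region will not trip it; the missing MFA claim and the rule's shape still do.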

Recent Examples of BEC Attacks

BEC attacks have risen alarmingly fast, with malicious email impersonation accounting for nearly 99% of all reported threats. According to a Tripwire report, BEC scams rose 81% in 2022 alone, with adjusted annual losses of $2.7 billion, far exceeding the reported financial impact of ransomware.

Microsoft’s Cyber Signals report notes a 38% increase in cybercrime-as-a-service (CaaS) targeting business email between 2019 and 2022, indicating a surge in sophisticated BEC schemes. Platforms such as BulletProftLink sell industrial-scale malicious mail campaigns, and BEC operators now route their logins through residential IP addresses so that a sign-in appears to originate from the victim’s own region, evading location-based detection such as impossible-travel alerts.

Preventative Measures

To mitigate the risk of such compromises, consider the following strategies:

  1. Ensure Proper MFA Configuration: Require a second factor on every new sign-in and every new device, keep session and refresh-token lifetimes short, and force re-authentication when the country, device, or browser changes. Review these settings regularly. Where possible, move to phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys): the credential is bound to the legitimate site’s origin, so a look-alike domain cannot relay it.
  2. Strengthen Email Phishing Defenses: Implement robust email filtering so phishing emails never reach users, and publish an enforcing DMARC policy for your own domain so that mail spoofing your exact domain (and your IT administrator’s address) is rejected by receiving mail systems.
  3. Promote Security Awareness: Regular security training helps users recognize phishing attempts, unexpected re-authentication requests, and suspicious payment-detail changes, and respond to them effectively.
  4. Leverage DNS/Browser Security: Use DNS filtering and browser protections to block newly registered and look-alike domains before credentials can be entered on them.

Cyvatar’s Technical Remediation to Prevent BEC

At Cyvatar, we understand that combating BEC requires more than just traditional defenses. We leverage cutting-edge technology and bespoke strategies to protect our clients:

  1. Advanced Email Security Solutions: We deploy sophisticated email security platforms that utilize machine learning and artificial intelligence to detect and block phishing attempts, spoofing, and other tactics used in BEC scams.
  2. Anomaly Detection Systems: Our solutions monitor for unusual behavior, such as sudden changes in email volume or access patterns, which can indicate a compromised account.
  3. Security Information and Event Management (SIEM): We implement SIEM systems that aggregate and analyze data from various sources within the organization. This allows for real-time detection of potential security incidents, including indicators of BEC.
  4. Regular Penetration Testing and Vulnerability Assessments: By continuously testing and assessing our clients’ digital infrastructures, we identify and remediate potential vulnerabilities before attackers can exploit them.
  5. Incident Response Plans: We help organizations develop and implement comprehensive incident response plans. These plans ensure that, in the event of a BEC attack, the organization can respond swiftly and effectively to mitigate damage.

Cyvatar is committed to providing businesses with effective defenses against BEC. By combining employee education, policy adjustments, and current technological solutions, we help our clients protect their assets and maintain their integrity. Protecting a business from BEC is an ongoing process that requires vigilance, innovation, and the right partner, and as BEC attacks continue to evolve, a proactive and comprehensive cybersecurity posture becomes more important, not less.

The recent BEC examples reported by Tripwire and Microsoft illustrate how adaptable these criminals are. Beyond the financial losses, they reveal the psychological tactics at work: attackers exploit trust and the routine nature of email communication to orchestrate their scams. Organizations therefore need to look beyond conventional antivirus and email security tools toward solutions capable of detecting and mitigating these more nuanced threats.

Cyvatar’s approach to combating BEC involves not just technological solutions but also a strong emphasis on the human element. Education and awareness are pivotal: employees trained to recognize the signs of a BEC attempt significantly reduce the chance of a successful attack. Our technical remediation strategies are designed to adapt to the shifting threat landscape. Advanced email security, anomaly detection, and SIEM implementations form the frontline defense against BEC, complemented by ongoing vulnerability assessments and penetration testing to ensure that defenses remain robust against emerging threats.

By understanding the vulnerabilities within MFA configurations and adopting comprehensive security practices, organizations can significantly reduce the risk of Business Email Compromise (BEC) and protect their assets more effectively.
