When it comes to sharing threat intelligence with one another, organizations tend to play the game differently. Some prefer to play the “secret squirrel game,” where attribution is something so sacred that names of actors can only be whispered behind closed doors. In other cases, data is bought on the dark underbellies of the Internet and then sold back to organizations as threat intelligence. For others, like the Agari Cyber Intelligence Division, information is shared amongst trusted individuals who can use it to stop cybercrime and bring criminals to justice.
That said, with the rise in business email compromise (BEC) attacks, there is a need for increased threat intelligence sharing amongst the community. Keeping information behind closed doors will do more harm than good, allowing this new generation of cybercriminals to stay one step ahead of those looking to oust them. To understand more about why this transition is needed, let’s take a look at how cybercrime (and the intelligence sharing related to it) has evolved.
Advanced persistent threat (APT) attacks are network attacks where a person or group gains unauthorized access to a network and remains undetected for an extended period of time. These types of attacks are common in cases of espionage, where organizations are typically chosen as targets because of the technology being produced or because of the people behind that technology. In one scenario, cybercriminals may go after several organizations to gain information on something like a nuclear program, targeting not only the company developing the technology itself but also all contractors who worked on the project and anyone else involved.
Sharing intelligence on these types of attacks, while informative to those directly involved, provides little value to those in a different industry, or even to a company in the same industry that is focused on a different type of technology. As such, much of the intel around APT attacks is often shared secretly, clustered around specific people in a single industry.
As cybercriminals move toward broader-based attacks, intelligence sharing must become more open. Crimeware is a good example, as many industries are very interested in the developments surrounding crimeware such as Trickbot, Emotet, or other banking trojans. These families of malware target customers, and the finance industry, in particular, has to bear the brunt of the losses. If a customer is infected and has a credit card number stolen, it can cost the institution thousands of dollars to refund the money and provide support to clean up fraudulent activities.
Traditionally, actors behind these trojans cast their nets far and wide in order to try to compromise as many users as possible—both within and outside of the financial services industry. As such, cyberintelligence organizations work to share information on the malware across numerous organizations, ensuring that every industry that may be affected by the trojans is aware of developments.
While intelligence sharing around malware attacks has made strides in recent years, the rise of business email compromise threats requires a new kind of sharing network. When cybercriminals pick targets for their BEC attacks, there is little rhyme or reason to how victims are selected—an attack trait that showcases how dangerous these scams can be. These groups will use lead generation services to find potential targets, and while they may target the Fortune 500 today, their next focus may be educational institutions or charities.
In the traditional sense of how the security industry tracks actors, BEC is an absolute mess. Any one of more than a dozen targeting methods can be used at any particular time, and the same actors who carry out business email compromise scams can simultaneously use romance scams to trick their victims into money laundering, credit card fraud, or loan fraud—all of which benefit the scammer. These actors are not limited in their techniques, and often engage with victims in other ways including re-shipping schemes, mystery shopper scams, and fake check fraud.
Perhaps the most complicated aspect of business email compromise is that the threat actors share techniques and information with one another. Want to purchase some W2’s to file for tax fraud? There is a scammer in Nigeria who’s selling them. Have a good method for cashing out or a new script to engage with an executive assistant? There is someone in South Africa willing to hand over the techniques that are working well for them. This informal information sharing among BEC actors makes attribution extremely difficult, because crimes cannot easily be tied together when one scam is helping facilitate another. After all, there are enough scams to go around.
The fact of the matter is that scammers across the world are sharing their successful BEC tactics with each other. The cyber intelligence community needs to do the same in order to be successful at stopping them. Sharing information on who and what we know and working with others to track them is how we are going to make the biggest impact. We can play the “secret squirrel game” amongst ourselves all day long, but in the end, that is not how we are going to win this game we call BEC.
When intelligence is reported to a provider, it not only protects that organization but also others who were not able to detect the threat. And because those BEC actors are also involved in romance scams and rental scams, reporting intelligence keeps lonely hearts from becoming money mules and those potential renters from losing thousands of dollars. Business email compromise is big business—it is all of our responsibility to protect humanity from that evil.
For more information on the work the Agari Cyber Intelligence Division is doing, check out the ACID website.