BEC is the next ransomware: Ransomware attackers will turn their eyes to BEC

By Dain Oh, The Readable
June 8, 2022 9:28AM PDT

RSA Conference 2022 ― San Francisco ― While business email compromise (BEC) attacks are less well known than ransomware attacks, they will soon dominate the threat landscape, a threat intelligence (TI) expert said Monday.

"It has a much higher return on investment, or ROI, than other types of cyber-attacks," Crane Hassold, Director of Threat Intelligence at Abnormal Security, said of BEC attacks during a track session at the RSA Conference.

Crane Hassold, Director of Threat Intelligence at Abnormal Security, delivers a presentation at the RSA Conference on June 6, 2022. Photographed by Dain Oh

Abnormal Security defines BEC as a spear phishing attack in which the attacker impersonates a trusted individual to trick a person into making a financial transaction or sending sensitive materials. Hassold, in other words, described BEC attacks as "financial supply chain compromise attacks."

The emphasis on the risk of BEC over that of ransomware comes as the ROI of ransomware attacks is dropping sharply, with government regulation of cryptocurrency going into effect around the world. Hassold asserted that ransomware has been driven by three primary factors: easy access, normally referred to as "Ransomware as a Service (RaaS)"; high incentives through extortion; and cryptocurrency, which lets an attack scale up.

Increasing pressure from law enforcement on ransomware gangs is another reason why cyber criminals are likely to turn their attention to BEC attacks. Ransomware threat actors are concentrated mainly in Russia and Eastern Europe. According to the 2022 Abnormal Ransomware Victimology Report, the Conti (30.4%) and LockBit (20.1%) ransomware groups, both closely tied to Russia and Eastern Europe, account for 50.5% of the total attack volume of active ransomware groups.

Contrary to popular belief, BEC attacks were reported more often than ransomware attacks. Ransomware is visible, while BEC attacks are not usually exposed, Hassold said. In 2021, over 19,900 businesses reported that they had suffered BEC attacks, while only 3,700+ ransomware attacks were reported. Furthermore, in terms of losses, BEC attackers made $2.4 billion, while ransomware attackers made $49 million during the same period.

BEC has been a major threat to businesses since its first notable incident came to light in 2015. Ubiquiti Networks, a San Jose-based networking technology firm, suffered a BEC attack that resulted in $46.7 million in losses. In a report submitted to the U.S. Securities and Exchange Commission (SEC) on August 4, 2015, the firm admitted that "it had been the victim of a criminal fraud," and that the "incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department." During the attack, the company transferred a total of $46.7 million to third parties' accounts overseas.

The volume of BEC attacks has stayed almost the same even though law enforcement is going after BEC gangs. "Every single day, [law enforcement officers] are arresting people for BEC attacks, but the overall volume is not going down because BEC is difficult to disrupt," said Hassold. "Because of the decentralized nature of the threat, you could arrest hundreds, if not thousands, of these guys, and you would actually not make that big of a noticeable difference in the overall volume that we see."

Hassold expects ransomware attackers to become BEC threat actors in the near future. "[Financially motivated attackers] are going to pivot somewhere else," he said. "In the next 12 to 18 months, we might see the essential convergence of ransomware actors to create this sophisticated, hybrid social attack. Ransomware actors are not blind to the fact that the amount of money to be made in BEC is there."

The cover image of this article was photographed by Dain Oh.

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry in depth. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nationwide issue.