Targeted. Advanced. This are terms that have a very different meaning for lots of people.
Attacks start as “mass scale, attacks of opportunity”. Broad phishing campaigns, credential stuffing attacks provide a point of leverage into an email account into a large cross section of small businesses. This is high volume, low targeting effort that provides a foothold.
From there, attackers use commercially available toolkits to take over email systems, targeting admins and setting up rules so they can lurk in systems and read emails.
The attackers read emails from/to key staff, looking for an opportunity to target suppliers/clients with whom they conduct large financial transfers – preferably offshore. Offshore because when the fraud hits it is harder to recoup the funds and timezones and communication challenges work to the attackers benefit.
Shortly before the attack, they register a lookalike domain. This is used to impersonate the company. The attacker takes a thread of communication already in progress, and inserts an email appearing to come from the compromised firm with new payment details. To the recipient, this appears legit because it is part of an ongoing thread.
The victim transfers the money and the attack is complete.
So – was this targeted, advanced? Yes and no. The initial foothold was not. The tool chain the attackers use is sophisticated, but broadly available commercially. The persistence factor once they have a foothold is something we would consider “advanced” in the past but doesn’t require a high degree of technical sophistication.
And this is how small businesses find themselves victim of persistent, sophisticated attacks. It is worth it to the attackers because the returns are typically significant – typically low six figures – and it is CASH money. No credit cards to cash out, no PII to sell on the dark web. Rinse and repeat by thousands of businesses and you have returns in the hundreds of millions to billions of dollars.
But also fairly easy to block. Some simple steps:
1. Implement MFA for all users on your email systems.
2. Have a out of band, reverse direction validation process for all payment changes and creation.
3. User education – awareness training and phish testing.
4. Managed threat detection– a service like Kobalt.io’s managed threat detection can easily detect new account and system access from unexpected locations, detect account compromise before it grows to persistence.
Small businesses are not hidden from sophisticated attacks because they are small – they are swept up because of the pivot from scale based attacks to persistent, long term cash outs.