Threat groups continue using business email compromise (BEC) and similar social engineering tactics to bypass increasingly sophisticated security protections and infiltrate organizations’ IT environments, according to cybersecurity startup Todyl.
It’s part of an ongoing shift among cybercriminals away from traditional malware to exploiting human error and communication channels to compromise businesses and gain access to their data and applications, the company wrote in a report this week.
Todyl researchers wrote that during the course of the year, they’ve seen a 558% increase in BEC, adversary-in-the-middle (AITM), and account takeover attacks, and recently detected a massive but under-the-radar campaign targeting Microsoft 365 services.
An investigation uncovered the huge identity attack infrastructure aimed at compromising user accounts that the researchers said included thousands of hosts spread across multiple local and regional internet service providers (ISPs) in the United States and across the globe, including Canada, Europe, and Asia.
They found that 37% of the known ISPs used by the threat group – which Todyl is calling the Söze Syndicate – are located in New Jersey, with another 15% in Germany and 9% in the UK. The rest are spread across New York, California, and Florida and in such countries as France, The Netherlands, Norway, Switzerland, and Singapore.
“The sheer volume of hosts is staggering, and managing such a large fleet requires significant capital and automation, pointing to a well-funded and operationally mature group,” they wrote. “They also leveraged trusted proxy services like Cloudflare to hide their phishing lures and malicious login pages, enabling them to bypass web security gateways and URL filters, further underscoring their advanced capabilities and sophistication.”
A Stealthy but Significant Threat Group
The Söze Syndicate’s activities have accelerated over the past three months and at one point accounted for 65% of all attempted BEC cases seen by Todyl researchers. Most of the victims were pre-infected and newly onboarded organizations, with the attacks targeting very small businesses and mid-market companies in such sectors as legal, construction, critical infrastructure, defense, healthcare, and non-profits.
They wrote that “the group exhibits high levels of patience with low and slow tactics, attempting to avoid detection while using advanced impersonation techniques to compromise accounts. Their TTPs [tactics, techniques, and procedures] are highly effective at bypassing multi-factor authentication.”
Those tactics include AITM attacks, SharePoint phishing, and installing rogue applications. After they compromise a system and steal session tokens, the hackers look to hide their efforts by installing applications or logging in indirectly through Microsoft services such as Outlook in Office or Azure. They also use different ISPs for different purposes, such as password spraying – using a small number of passwords to try to break into multiple accounts – scanning, and running as relays. Relay attacks involve intercepting communications between two systems to gain unauthorized access or control.
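The detection problem the paragraph above raises is that a spray split across many ISPs keeps every single source under a per-IP alerting threshold. The following is an added example written for this page, not code from Todyl or MSSP Alert: it runs two detectors over a constructed batch of Microsoft 365-style sign-in events, one that looks at each source IP on its own and one that pools all sources tenant-wide, then lists successful sign-ins from any source that took part in the spray as account-takeover leads. The event field names and the ISP/ASN labels are assumptions for the example; error code 50126 is Entra ID's real "invalid username or password" code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID error AADSTS50126: invalid username or password. 0 is a success.
INVALID_CREDENTIALS = 50126

# Constructed sample sign-in events, loosely shaped like Entra ID sign-in logs.
# Field names and ISP/ASN labels are assumptions for this example, not the
# real schema. The first six events model one spray split across two ISPs;
# the last three are one user mistyping their own password, then succeeding.
SAMPLE_SIGNIN_LOG = [
    {"time": "2024-05-01T02:00:10Z", "user": "alice@example.com", "ip": "198.51.100.7", "asn": "ISP-A", "errorCode": 50126},
    {"time": "2024-05-01T02:00:41Z", "user": "bob@example.com",   "ip": "198.51.100.7", "asn": "ISP-A", "errorCode": 50126},
    {"time": "2024-05-01T02:01:12Z", "user": "carol@example.com", "ip": "198.51.100.7", "asn": "ISP-A", "errorCode": 50126},
    {"time": "2024-05-01T02:01:44Z", "user": "dave@example.com",  "ip": "203.0.113.9",  "asn": "ISP-B", "errorCode": 50126},
    {"time": "2024-05-01T02:02:15Z", "user": "erin@example.com",  "ip": "203.0.113.9",  "asn": "ISP-B", "errorCode": 50126},
    {"time": "2024-05-01T02:02:50Z", "user": "frank@example.com", "ip": "203.0.113.9",  "asn": "ISP-B", "errorCode": 0},
    {"time": "2024-05-01T09:15:00Z", "user": "alice@example.com", "ip": "192.0.2.33",   "asn": "ISP-C", "errorCode": 50126},
    {"time": "2024-05-01T09:15:20Z", "user": "alice@example.com", "ip": "192.0.2.33",   "asn": "ISP-C", "errorCode": 50126},
    {"time": "2024-05-01T09:15:40Z", "user": "alice@example.com", "ip": "192.0.2.33",   "asn": "ISP-C", "errorCode": 0},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def _windows(events, window):
    """Yield every time-sorted run of events that fits inside `window`."""
    events = sorted(events, key=_ts)
    start = 0
    for end in range(len(events)):
        while _ts(events[end]) - _ts(events[start]) > window:
            start += 1
        yield events[start:end + 1]


def spray_in(events, min_users, max_per_user):
    """Spray signature: failures against many distinct accounts, each tried
    only a few times. A single account failing repeatedly (a typo, or a
    brute force) does not match. Returns the targeted users or None."""
    per_user = defaultdict(int)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            per_user[e["user"]] += 1
    if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
        return sorted(per_user)
    return None


def detect_spray_per_ip(events, window=timedelta(minutes=30), min_users=3, max_per_user=2):
    """Classic per-source detection: flag each IP that sprays on its own.
    A spray spread thinly over many ISPs stays under this threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        for chunk in _windows(evs, window):
            users = spray_in(chunk, min_users, max_per_user)
            if users:
                findings[ip] = users
    return findings


def detect_spray_tenant_wide(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Distributed detection: pool all sources, so a spray split across
    several IPs/ISPs is still visible as one burst of one-try failures."""
    finding = None
    for chunk in _windows(events, window):
        users = spray_in(chunk, min_users, max_per_user)
        if users:
            fails = [e for e in chunk if e["errorCode"] == INVALID_CREDENTIALS]
            finding = {
                "users": users,
                "ips": sorted({e["ip"] for e in fails}),
                "asns": sorted({e["asn"] for e in fails}),
            }
    return finding


def successes_from_spraying_sources(events, spraying_ips):
    """Account-takeover leads: successful sign-ins from a source that sprayed."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["errorCode"] == 0 and e["ip"] in set(spraying_ips)})


if __name__ == "__main__":
    print("per-IP:", detect_spray_per_ip(SAMPLE_SIGNIN_LOG))
    wide = detect_spray_tenant_wide(SAMPLE_SIGNIN_LOG)
    print("tenant-wide:", wide)
    print("ATO leads:", successes_from_spraying_sources(SAMPLE_SIGNIN_LOG, wide["ips"]))
```

On the constructed data the per-IP detector flags only the first ISP's address, because the second one touches just two accounts; the tenant-wide pass sees five accounts failing once each within three minutes from two ASNs, and the one success from a participating IP is the account to review for new inbox rules, consent grants, or session tokens.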
Social Engineering Campaigns on the Rise
The increase in BEC and similar attacks seen by Todyl echoes what other cybersecurity and IT companies have seen. In a report earlier this year, Abnormal Security found significant year-over-year increases in both BEC and vendor email compromise (VEC) attacks in 2023. Researchers found monthly attacks per 1,000 mailboxes jumped to 10.77, a 108% increase over 2022, with larger businesses at the greatest risk.
Barracuda Networks found that BEC made up 10.6% of all social engineering attacks in 2023.
More recently, a report from IBM’s X-Force threat intelligence group said that phishing, BEC, and similar attacks accounted for a large portion of cloud-related cyber incidents over the past two years, helping lead to huge amounts of credential theft.
No Slowing Down
Organizations should expect that such attacks will continue, according to Rob Enderle, principal analyst with The Enderle Group. Cybercriminals will stick with what works, and social engineering schemes like phishing and BEC still work well.
“You don’t need any technical knowledge,” Enderle told MSSP Alert. “You just need to be good at scamming and manipulating people, and a lot of people know how to do that reasonably well, particularly given that we are pretty easy to fool.”
Humans continue to be a significant security risk for businesses. Abnormal Security found that in 2022, people opened the initial message in almost 28% of BEC attacks, and that of the malicious emails that are read, an average of 15% are replied to.
People “remain the biggest weakness for any secure site and likely will remain that way for the foreseeable future,” Enderle said.