Newsletter 11/05/2022

It's Why It's Called the Dispatches From the Front:
Or a BEC Campaign Coming Soon To A Small Business Near You (or To You)

Customer:
What have you got?

Waitress:
Well, there's egg and bacon
Egg sausage and bacon
Egg and spam
Egg, bacon and spam
Egg, bacon, sausage and spam
Spam, bacon, sausage and spam
Spam, egg, spam, spam, bacon and spam
Spam, sausage, spam, spam, spam, bacon, spam tomato and spam
Spam, spam, spam, egg and spam
Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam

(Choir: Spam! Spam! Spam! Spam! Lovely Spam! Lovely Spam!)
— Spam Song, Monty Python

It has been reported that Business Email Compromise (BEC) attacks increased by 48% in the first half of 2022.  Topping the list of BEC techniques is credential phishing: tricking users into handing over their login information.  And it was into a very deep morass of a concentrated and relentless BEC attack on a small business client of mine that I found myself during the week beginning October 31, 2022.

The increasing prevalence of BEC attacks only continues a trend that gathered a great deal of steam in 2021.  The graph below from the Visual Capitalist illustrates that 53% of all cyber attacks on businesses in 2021 involved the same techniques that were successful against my client in November 2022.
Graph (Visual Capitalist, 2021 attack techniques): business email attack; phishing message resulting in malware infection; domain name spoofed.

The FBI maintains a website devoted to these types of online scams.   A separate page at this site explains in simple language what makes up BEC scams.  A common example, and what plagued my client, is when: "A vendor your company regularly deals with sends an invoice with an updated mailing address." (Ibid.)  This type of spam campaign is not new.  Stolen credentials of a third-party vendor were what precipitated the attack on Target Stores in 2013.

The steps of a BEC campaign do not vary greatly.  The graphic below from the FBI website details the steps a BEC campaign would most likely take.

The attack my client experienced employed all three of the attributes that were so successful in 2021 and are noted above.  It did appear that my client's email Contact List of his Business Clients had been compromised, yet it also seemed that his Personal Contacts had been spared.  Spearphishing emails flew hither and yon; but again only to and from Business Clients.  And to complete the FBI's trifecta, my client's spams carried sender addresses at his real domain, but with mailbox names that do not exist there: the From address was spoofed.  Spoofing; Spearphishing; and Malware Induced Reconnaissance.  My client had them all.  And with all these actions and reactions came a great deal of FUD.

I have learned over these 20 plus years of this war of attrition against malware that little if anything is as it seems.  Within each and every spam email going to and from my client's email server, there were references to emails sent to and from a medical facility located in Florida.  This led me to believe initially that the attack of last week inflicted upon my client was part of an ongoing campaign against CommonSpirit, the second largest nonprofit healthcare corporation in this US of A.  That ransomware attack brought down systems at medical facilities from Chicago to Omaha, Nebraska, to Virginia, and beyond.

Seattle-based Virginia Mason Franciscan Health has begun the process of restoring its IT systems that were taken offline during the ransomware attack that impacted Chicago-based CommonSpirit Health hospitals across the country.  Virginia Mason providers are now able to access their patients' EHRs, with MyChart functionality expected to be available in the coming days, according to an Oct. 17 update from the hospital.

The hospital said it will take some time before all systems are up and running again but said it is continuing to monitor which systems are safe and secure enough to restore.

On Oct. 18, Omaha, Neb.-based CHI Health also said it was in the process of restoring IT systems that were taken offline during the ransomware attack, but said MyChart capabilities were still down.

The news comes after CommonSpirit confirmed the IT incident that hit its hospitals across the nation on Oct. 4 was due to ransomware.

The incident has caused some of its hospital EHRs to go offline, leading to canceled appointments and procedures at some facilities.

This attack on medical facilities went global.  While the CommonSpirit attack was in full swing, the UK National Health Service suffered a ransomware attack.  In Australia, during the same time period, it was reported that "Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week's cyberattack and disruption of online services".  So, here embedded in the ebb and flow of my client's spam messages, is a reference to an unknown and unrelated healthcare firm, again in Florida, while a worldwide attack on healthcare was still in full swing.  There was, therefore, good reason to believe that my client and his clients and vendors were all sucked into the worldwide cyber war on healthcare.  And, thus, I also had good reason to believe that my client was not USER ZERO in this particular spam phishing attack.

Nevertheless, none of this really mattered to my client.  In fact, he was more than a little bit incredulous that his spam attack was in any way related to the ongoing worldwide attack on healthcare institutions.  The client was right about one thing.  Whatever or whoever was the source of the attack did not affect the mitigation steps required to put his office right.

Then, at the end of the week, there were reports of another likely culprit affecting users worldwide, including my client and his business contacts.  As BleepingComputer reported on November 2, 2022: "The Emotet malware operation is again spamming malicious emails after almost a four-month 'vacation' that saw little activity from the notorious cybercrime operation."  As the same article explains:

From samples uploaded to VirusTotal, BleepingComputer has seen attachments targeted at users worldwide under various languages and file names, pretending to be invoices, scans, electronic forms, and other lures.

Indeed.  Emotet has plagued users for several years now.  The group behind this long-running botnet operation was disrupted in January 2021 by law enforcement agencies around the globe working in tandem.  It was considered quite a victory against global criminals at the time.

The takedown was no small task: Authorities including Europol, the FBI, and the UK's National Crime Agency, along with agencies from Canada, France, Germany, Lithuania, the Netherlands, and Ukraine, teamed up to bring down one of the world's most prolific and dangerous botnets.

Whether it was the attack on healthcare worldwide or the global return of Emotet that hit my client in a sunny beach town south of LAX is less important than the simple fact that the Global Cyberwar has come to cities, towns, and neighborhoods near you and me.  The threat that any one of us computer users could be the next victim of this global threat is here and now.

These crooks rely on two common facts about how people use their computers to make their job of infiltration easier.  The crooks know that the vast majority of computer users, in business or personal situations, are too ignorant of the simple facts of networking that could prevent them from being duped; and these same users are JUST TOO DAMN LAZY to learn how to protect themselves from URL FRAUD.

On July 7, 2022, I posted a Dispatch entitled "The anatomy of an address: There is more than what meets the eye."  The only real fail-safe to mitigate against an incoming attack is to carefully examine and evaluate each and every URL that enters one's digital dialogue.  Our Mothers' first admonition to us as we ventured out on our own as little children was to "Look both ways before you cross the street."  Well, I contend that it is incumbent upon all users to apply our Mothers' clear logic about crossing the street to clicking on the hyperlinks in our digital documents.  This is especially true when those links are displayed in an email, where the text you see and the address the link actually points to need not be the same.  It was by examining and evaluating the links embedded in my client's spam emails that I was able to quickly determine that this was no simple virus infection we were dealing with.  So Step One on my client's road to recovery was to disable the network connection.  My client went dark for two days while security was reestablished.

So, My Pretties, let's go back to URL school.  And if you do, you will come to understand why I continually declare that the best antivirus program is the one between your ears.

And the words of our British Renaissance writer and linguist, John Florio, will never ring more true.

Measure Twice Cut Once
Second Frutes, John Florio, (1591)

Gerald Reiff