Virtual meetings and Business Email Compromise: Dressing up old scams with new tools
Business Email Compromise (BEC) has been around for a long time. In a BEC attack, the cybercriminal sends a spoofed email that appears to be from someone within the recipient’s company, usually the CEO or other authority figure. The email usually contains urgent instructions to immediately transfer money to a particular account or to disclose sensitive information. If the recipient follows the instructions without verifying them through a separate channel, the money will be transferred directly – and conveniently – to the cyberthief’s account.
According to the FBI, BEC attacks cost businesses around the world an estimated $26 billion between 2016 and 2019.
And now there’s a new twist on this old scam. The FBI recently released an alert about cybercriminals using virtual meeting platforms to carry out BEC scams.
Virtual meetings and BEC
The business world has turned to virtual meeting technology to keep pace with the pandemic, and there is no turning back. Cybercriminals have followed and continue to devise new ways to leverage virtual meetings to further their attacks. The FBI alert describes three ways cybercriminals use virtual meetings in BEC scenarios: fake meetings, spying on real meetings, and using virtual meetings as an excuse.
Fake virtual meetings
Using a compromised email account, usually belonging to the CEO or CFO, the attacker asks an employee to join a virtual meeting in which the attacker displays a still photo of the executive, either with no audio or with “deep fake” audio. Impersonating the executive, the attacker claims that their video and/or audio is not working properly and asks the employee to initiate a money transfer via chat or in a follow-up email. Because the employee first learned of the request in a virtual meeting, they are less likely to view it with suspicion than if they had only received an email.
Deep fake audio is a new fraud problem. The technique takes a voice sample (often obtained from a YouTube recording of a CEO’s presentation at a conference) and uses artificial intelligence to synthesize entirely new messages in the executive’s voice and speech patterns. One of the first known criminal uses of deep fake audio was uncovered last year, when an employee received a phone call from someone he believed to be the CEO of the company (and who certainly sounded like him) with instructions to close an account and send $243,000 to another account. The employee dutifully followed the “CEO’s” instructions and wired the $243,000 to the fraudster’s account.
Spying on real meetings
Using compromised employee email accounts, cybercriminals have also inserted themselves into legitimate meetings on companies’ virtual meeting platforms to collect information that can be sold or used for insider trading or other fraud. The collected information can also be exploited for BEC, ransomware or other cyberattacks.
Virtual meetings as an excuse
Sometimes the virtual meeting is merely part of the pretext. In this variant, the attacker sends a spoofed email made to look as if it comes from an important person, such as the CEO. The ‘author’ of the email claims to be in a virtual meeting that they cannot leave and asks the recipient to help by executing a funds transfer that must be done immediately.
Virtual Meeting Fraud Protection
The FBI alert contains several recommendations for protecting yourself and your organization from this new threat, most of which involve training employees and alerting them to the danger. Unfortunately, user training alone has proven woefully insufficient to stop cybercrime. Even trained users will often fall for a sufficiently sophisticated spear phishing attack.
Curiously, the FBI warning makes no mention of the risks associated more directly with the use of virtual meetings. These may include intentionally or inadvertently sharing confidential data via chats or screen shares; exposure of internal IP addresses via meeting web portals; and spreading malware through weaponized chat attachments or infected web portals.
The best way to protect against attacks enabled by virtual meetings is to adopt a Zero Trust security approach, as the US federal government recommended last year in an Executive Order on improving the nation’s cybersecurity.
A complete Zero Trust solution such as ZTEdge, along with appropriate policies, can help protect against these attacks:
- Virtual Meeting Isolation (VMI) protects against attackers using malware to surreptitiously join or record virtual meetings. It also disables active content in all files transferred during a virtual meeting, so that even if an attacker manages to enter the meeting, they cannot deploy malware. Threats from malicious websites whose URLs are shared in chat are likewise neutralized.
- VMI includes policy-based controls that can selectively restrict screen sharing in virtual meetings, and the viewing or attachment of specific files, data categories, or even PII formats. These restrictions minimize the risk of exposure of sensitive data in the event that an unauthorized person accesses a meeting.
- Requiring that all virtual meetings be conducted using VMI can prevent employees from clicking into an external virtual meeting platform just because someone sent them an invite.
- Web Isolation protects against credential theft by opening suspicious sites in read-only mode and reduces the likelihood that a criminal can log in and misuse an employee’s email or virtual meeting account.
- Setting a financial policy that funds may never be transferred solely on the basis of an email request would prevent many BEC attacks from succeeding.
The coronavirus pandemic that has pushed workers out of their offices and online from remote locations has opened up a world of opportunity for cybercriminals. Attacks that exploited remote access vulnerabilities, including attacks via virtual meetings, have skyrocketed — and remain very high. As cybercriminals step up their game – including by deploying AI-based tools such as deep fake audio – companies need to step up their cybersecurity game with them. Large organizations are well on their way to implementing a Zero Trust security approach through large-scale Secure Access Service Edge (SASE) platforms. ZTEdge enables small and medium-sized businesses to do it too, with a fully-featured, right-sized, modular, and easy-to-manage platform.
*** This is a syndicated blog from the Security Bloggers Network of the Ericom Blog written by GERRY GREALISH. Read the original post at: https://blog.ericom.com/virtual-meetings-and-business-email-compromised-dressing-old-scams-in-new-tools/?utm_source=rss&utm_medium=rss&utm_campaign=virtual-meetings-and-business-email-compromise-dress-up-old-scams-into-new-tools