Business Email Compromise (BEC) attacks have become a highly lucrative line of business for threat actors. New research from the APWG (Anti-Phishing Working Group) shows how much money enterprises are losing to BEC attacks. In its “Phishing Activity Trends Report,” APWG highlighted that the average wire transfer loss from BEC attacks surged from $54,000 in Q1 2020 to $80,183 in Q2 2020, as cybercriminals went after higher returns.

In a BEC attack, cybercriminals first steal the credentials of a legitimate business email account and then use it to run financial fraud: fraudulent email messages, requests for out-of-channel funds transfers, and deleted accounting trails that hide the activity.

BEC: A Lucrative Attack Vector

BEC attackers demanded 66% of funds in the form of gift cards; the average amount of gift cards requested during Q2 of 2020 was $1,213, down from $1,453 in Q1 of 2020. In addition, the number of phishing sites detected in Q2 of 2020 was 146,994, down from the 165,772 observed in Q1 of 2020. Phishing attacks targeting the social media industry increased in Q2 by about 20%, with Facebook and WhatsApp the most targeted brands.

Threat from Russian Hackers

The research also tracked the activity of a Russian BEC gang known as “Cosmic Lynx,” in addition to the West African scammers targeting organizations with BEC attacks. The average payment demanded by the Cosmic Lynx group was found to be about $1.27 million. “We were expecting that Russian cybercriminals would move into the world of BEC because the return on investment for basic social engineering attacks is much higher than launching more sophisticated (and more expensive) malware-based attacks,” the report said.

A Rising Concern

Recently, the FBI warned that organizations that use cloud-based email systems are at high risk of BEC attacks. The bureau warned employees about email scams that begin with phishing kits designed to mimic two popular cloud-based email services, luring employees into compromising business email accounts and misdirecting funds transfers. The FBI stated that its Internet Crime Complaint Center (IC3) received complaints between January 2014 and October 2019 claiming more than US$2.1 billion in losses from BEC scams.


Cybercriminals are unleashing a surprisingly high volume of new threats in this short period of time to take advantage of inadvertent security gaps as organisations are in a rush to ensure business continuity.

Cybersecurity firm Fortinet on Monday announced that over the past several weeks it has been monitoring a significant spike in COVID-19 related threats.

An unprecedented number of unprotected users and devices are now online, with one or two people in every home connecting remotely to work through the internet. At the same time, children at home are engaged in remote learning and the entire family is playing multi-player games, chatting with friends, and streaming music and video. Fortinet’s FortiGuard Labs is observing this perfect storm of opportunity being exploited by cybercriminals, as its Threat Report on the Pandemic highlights:

  • A surge in phishing attacks: The research shows an average of about 600 new phishing campaigns every day. The content is designed either to prey on the fears and concerns of individuals or to pretend to provide essential information on the current pandemic. The phishing attacks range from scams related to helping individuals deposit their stimulus for Covid-19 tests, to providing access to Chloroquine and other medicines or medical devices, to providing helpdesk support for new teleworkers.
  • Phishing scams are just the start: While the attacks start with a phishing email, their end goal is to steal personal information or to reach businesses through teleworkers. The majority of the phishing attacks carry malicious payloads, including ransomware, viruses, remote access trojans (RATs) designed to give criminals remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.
  • A sudden spike in viruses: The first quarter of 2020 documented a 17% increase in viruses for January, a 52% increase for February, and an alarming 131% increase for March compared to the same period in 2019. The significant rise in viruses is mainly attributed to malicious phishing attachments. Multiple sites that illegally stream movies still in theatres secretly infect anyone who visits them with malware. Free game, free movie, and the attacker is on your network.
  • Risks for IoT devices magnify: With all users connected to the home network, attackers have multiple avenues of attack against devices including computers, tablets, gaming and entertainment systems, and even online IoT devices such as digital cameras and smart appliances, with the ultimate goal of finding a way back into a corporate network and its valuable digital resources.
  • Ransomware-like attacks to disrupt business: If the device of a remote worker is compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective at taking a business offline as ransomware targeting internal network systems. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for reimaging.

“Though organizations have completed the initial phase of transitioning their entire workforce to remote telework and employees are becoming increasingly comfortable with their new reality, CISOs continue to face new challenges presented by maintaining a secure teleworker business model. From redefining their security baseline, or supporting technology enablement for remote workers, to developing detailed policies for employees to have access to data, organizations must be nimble and adapt quickly to overcome these new problems that are arising,” said Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet – Office of CISO.

Singapore-based cybersecurity company Group-IB’s Computer Emergency Response Team (CERT-GIB) analysed hundreds of Coronavirus-related phishing emails between February 13 and April 1, 2020. Researchers found that spyware was the most common malware class (65%) hiding in fraudulent COVID-19 emails, with AgentTesla topping the list of phishers’ favorite strains.

Spyware: The Most Likely COVID-19 Phishing Campaign Payload

CERT-GIB’s report is based on its Threat Detection System (TDS) Polygon, which analyzes Coronavirus-related phishing traffic to detect both known and unknown threats in isolated environments. Most COVID-19-related phishing emails carried different spyware strains as attachments. AgentTesla (45%), NetWire (30%), and LokiBot (8%) were the most actively used malware families. With some minor differences, all of these malware samples are designed to collect personal and financial data. They are highly efficient at harvesting user credentials from browsers, exfiltrating data from mail clients and file transfer protocol (FTP) clients, capturing screenshots, and secretly tracking user behavior, all of which is sent to the operators’ command and control (C&C) server(s).


Other Findings

  • Most of the emails detected were written in English. Those behind the COVID-related campaigns target government organizations and private companies.
  • The emails were disguised as advisories, purchase orders, face mask offers, and alerts or safety recommendations from world bodies such as the World Health Organization (WHO) and UNICEF, and from international companies such as Maersk, Pekos Valves, and Cisco.

Important: Please take note that these world bodies and international organizations are in no way involved in these fraudulent activities and/or scams.


Fig. 1. Example of a malicious email disguised as “UNICEF COVID-19 TIPS APP” with spyware in the attachment.


Fig. 2. Example of a phishing email disguised as an offer of free masks.

  • The following file extensions were used to deliver malware samples: .gz, .ace, .arj, and .rar, all of which are archive formats.

To get past antivirus software installed on the victim’s system, threat actors now password-protect the archive and supply the password in the email subject line, in the archive file name, or in a follow-up email sent to the victim, so the scanner cannot open the attachment. Unless behavioral analytics is employed, such malware is likely to go undetected.
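A mail-gateway style check for the evasion trick described above, written as an added example (it is not Group-IB’s TDS Polygon or any code from the report): it flags messages that combine an archive attachment with a password hint in the subject line or in the archive file name. The sample messages are constructed inline; the .zip and .7z extensions and the hint pattern are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Archive extensions named in the report, plus .zip and .7z (an assumption added here).
ARCHIVE_EXTS = (".gz", ".ace", ".arj", ".rar", ".zip", ".7z")
# Matches "password"/"pass"/"pwd" as a word, even when joined with "_" (e.g. PO_pass_1234.rar).
PASSWORD_HINT = re.compile(r"(?<![a-z])(?:password|pass|pwd)(?![a-z])", re.IGNORECASE)

def archive_attachments(msg):
    """Return the file names of attachments whose extension is an archive format."""
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTS)]

def is_suspicious(raw):
    """Return (flag, reasons) for one raw RFC 822 message.

    Flags only the combination of an archive attachment and a password hint in
    the subject or the archive name; a password sent in a follow-up mail is not
    visible from a single message and needs correlation across the conversation.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    archives = archive_attachments(msg)
    if not archives:
        return False, []
    reasons = []
    if PASSWORD_HINT.search(msg.get("Subject", "")):
        reasons.append("password in subject")
    reasons += [f"password in archive name: {n}" for n in archives if PASSWORD_HINT.search(n)]
    return bool(reasons), reasons

def build_sample(subject, filename):
    """Build a constructed test message (sample data, not a real phishing email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"\x00\x01\x02\x03", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed samples: password in subject, password in archive name, and a clean archive.
SAMPLE_SUBJECT_HINT = build_sample("COVID-19 safety tips, password: covid2020", "WHO_tips.rar")
SAMPLE_NAME_HINT = build_sample("Purchase order 4417", "PO_4417_pass_1234.ace")
SAMPLE_CLEAN = build_sample("Purchase order 4417", "PO_4417.rar")
```

The check does not verify that the archive is actually encrypted; it only surfaces the hint pattern, so a flagged message should go to a sandbox or behavioral analysis rather than be blocked outright.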

Aleksandr Kalinin, Head of CERT-GIB, says, “People should remain particularly vigilant now that most people are working from home due to the pandemic. We predict an increase in the number of cyberattacks on unprotected home networks used by employees who have switched to remote work. Corporate security teams should reassess their approach to securing corporate digital space by strengthening their perimeter, which now includes employees’ home devices. A single employee who opens a malicious file from an undetected phishing email could jeopardize the whole company’s operations.”

What Needs to be Done?

  • All remote employees’ email accounts and the VPNs used to access corporate networks should be protected with two-factor / multi-factor authentication.
  • Implement network protection solutions that analyze incoming and outgoing email traffic.
  • Employ network segmentation and role-based access control (RBAC) for all employees.
  • Remote user activity should also be covered by the organization’s security perimeter, so endpoint security tools need to be deployed on remote devices.