Posted on March 7, 2022
Business Email Compromise (BEC) has been around for a long time. In a BEC attack, the cybercriminal sends a spoofed email that appears to come from someone within the recipient’s company, usually the CEO or another authority figure. The email typically contains urgent instructions to wire money to a particular account immediately, or to release sensitive information. If the recipient follows the instructions without verifying them through a separate channel, the money will be wired directly – and conveniently – to the cyberthief’s account.
According to the FBI, BEC attacks cost businesses worldwide an estimated $26 billion between 2016 and 2019.
And now, there’s a new twist on this old scam. The FBI recently issued an alert about cybercriminals who are now leveraging virtual meeting platforms to update BEC scams.
The business world pivoted to virtual meeting technology to keep up during the pandemic and now there is no going back. Cybercriminals have followed, and are continuing to devise new and innovative ways to leverage virtual meetings to abet their attacks. The FBI alert described three ways that cybercriminals are using virtual meetings for BEC scenarios: fake meetings, spying on real meetings, and using virtual meetings as an excuse.
Using a compromised email account, typically belonging to either the CEO or CFO, the attacker will instruct an employee to log in to a virtual meeting, in which the hacker uses a picture of the exec, either without audio or with “deep fake” audio. Posing as the CXO, the attacker will claim that his video and/or audio isn’t working correctly and will ask the employee to initiate a money transfer via chat or in a follow-up email. Since the employee first learned of the request in a virtual meeting, they are less likely to view it with suspicion than if they only received an email request.
Deep fake audio is a new fraud concern. The technology uses a voice sample (often obtained from a YouTube recording of a CEO’s presentation at a conference) and artificial intelligence to create entirely new messages using the exec’s voice and speech patterns. One of the first instances of deep fake audio being used for a criminal application was discovered last year, when an employee received a phone call from someone they believed was the company’s CEO (sure sounded like them) with instructions to close out an account and send $243,000 to a different account. The employee dutifully followed the “CEO’s” instructions and wired the $243,000 right to the fraudster’s account.
Using compromised employee emails, cybercriminals have also inserted themselves into legitimate meetings on companies’ virtual meeting platforms in order to collect information that can be sold or used for insider stock trading or other fraudulent purposes. The information collected may also be leveraged for BEC, ransomware, or other cyberattacks.
Sometimes a virtual meeting is simply used as part of the ruse. In this variation, the attacker sends an email spoofed to seem as if it is coming from someone important, such as the CEO. The “author” of the email claims to be in a virtual meeting that they can’t interrupt and asks the recipient to help them out by executing a funds transfer that needs to be done right away.
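The "in a meeting, please transfer funds now" email described above can be turned into a mail-triage check. The following is an added example, not code from the FBI alert or from ZTEdge; the organisation domain, executive names, regular expressions and sample messages are assumptions constructed for illustration. It also covers the compromised-account case, where the sender headers are legitimate and only the content gives the request away.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organisation's domain and its executives' names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes", "sam okafor"}

MEETING = re.compile(r"\b(in|on) a (virtual |video )?(meeting|call)\b|can'?t (talk|interrupt)", re.I)
PAYMENT = re.compile(r"\b(wire|funds? transfer|bank transfer|payment)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|right away|immediately|asap)\b", re.I)

def name_and_domain(header_value):
    """Return (display name, address domain), lower-cased, from an address header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def bec_signals(raw_message):
    """Return the set of BEC indicators found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, from_domain = name_and_domain(msg["From"])
    _, reply_domain = name_and_domain(msg["Reply-To"])
    body = msg.get_payload()
    signals = set()
    if name in EXECUTIVES and from_domain != ORG_DOMAIN:
        signals.add("exec-name-external-domain")
    if reply_domain and reply_domain != from_domain:
        signals.add("reply-to-mismatch")
    for label, pattern in (("meeting-pretext", MEETING), ("payment-request", PAYMENT), ("urgency", URGENCY)):
        if pattern.search(body):
            signals.add(label)
    return signals

def should_hold(raw_message):
    """Hold payment requests that carry an identity anomaly or the meeting excuse plus urgency."""
    s = bec_signals(raw_message)
    identity = s & {"exec-name-external-domain", "reply-to-mismatch"}
    return "payment-request" in s and bool(identity or {"meeting-pretext", "urgency"} <= s)

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Dana Reyes" <dana.reyes@examp1e-mail.test>\nTo: ap@example.com\n\n'
           "I'm in a virtual meeting and can't interrupt it. Please send the wire right away.\n")
COMPROMISED = ('From: "Sam Okafor" <sam.okafor@example.com>\nTo: ap@example.com\n\n'
               "On a call and can't talk. Do the funds transfer immediately, details to follow.\n")
BENIGN = ('From: "Sam Okafor" <sam.okafor@example.com>\nTo: team@example.com\n\n'
          "I'm in a meeting until 3pm; the agenda for Thursday is attached.\n")

if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, should_hold(m), sorted(bec_signals(m)))
```

A held message is a prompt to verify the request through a separate channel, not a verdict; keyword heuristics like these miss reworded requests and need tuning against real mail.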
The FBI alert contains several recommendations for protecting yourself and your organization from this new threat, most of which involve employee training and alerting employees to the danger. Unfortunately, user training has been proven woefully inadequate at stopping cybercrime. Even trained users will often fall for a sufficiently sophisticated spearphishing attack.
Oddly enough, the FBI warning makes no mention of risks that are linked more directly to virtual meeting use. These may include intentional or inadvertent sharing of confidential data via chats or screenshares; exposure of internal IP addresses via meeting web portals; and malware delivery via weaponized chat attachments or infected web portals.
The best way to protect against virtual meeting enabled attacks is to adopt a Zero Trust security approach, as the US Federal Government recommended last year in an Executive Order on improving the nation’s cybersecurity.
There are numerous ways that a comprehensive Zero Trust-based solution, such as ZTEdge, along with appropriate policies, can help protect against these attacks:
The coronavirus pandemic that drove workers out of their offices and online from remote locations opened a world of opportunity for cybercriminals. Attacks that leveraged remote access vulnerabilities, including attacks via virtual meetings, skyrocketed – and remain sky high. As cybercriminals step up their game – including by deploying AI-driven tools such as deep fake audio – businesses need to step up their cybersecurity game right along with them. Large organizations are well on their way to implementing a Zero Trust security approach via large scale Secure Access Service Edge (SASE) platforms. ZTEdge enables small and midsize organizations to do so as well, with a comprehensive platform that is right-sized, modular and easily managed.