Active Defense: Socially Engineering the Social Engineers

Learn about active defense, an innovative approach our threat intel team uses to understand and block business email compromise attacks.
October 6, 2022

If you’re reading this, you probably know how big of a problem business email compromise (BEC) has become in recent years.

You’ve probably seen the stats from the FBI about how more than $43 billion has been lost to BEC attacks since 2016. Or maybe you've read that 35% of all financial losses from cyberattacks in 2021 were attributed to BEC.

So what can we do to better understand how BEC attacks work? Or better yet, is there something we can do to make a bigger impact on the BEC landscape—outside of detecting the attacks or expecting law enforcement to arrest all of the BEC bad guys?

In this article, we explore how our team at Abnormal uses active defense to collect intelligence about BEC attacks. We’ll explain what active defense is, why it works, and discuss the different types of intelligence that can be generated from active defense engagements, which give us an incredibly valuable understanding of the ever-evolving BEC threat landscape.

What is Active Defense?

The definition I use for active defense is the act of interacting with an attack or attacker within a controlled engagement for the purpose of collecting intelligence that helps us better understand that threat.

For most types of cyberattacks, our intelligence collection is limited to analyzing the artifacts contained within the initial email. For something like a credential phishing attack or malware attack, an attacker simply launches a campaign and then waits for someone to click on a link or open a payload.

What’s unique about BEC attacks, though, is that they require back-and-forth communication between an attacker and a victim in order to succeed. A BEC actor has to engage in a conversation with a target to coerce them into initiating a transfer to a supposed vendor or buying a bunch of gift cards for a group of lucky employees. This communication requirement gives us an opening to interject ourselves into an attack and collect information that helps us better understand how the attack would have unfolded.

For this blog series, we will be talking about active defense within the context of response-based BEC attacks, but similar concepts can also be used to better understand post-attack behavior in credential phishing attacks. To be clear, active defense is not synonymous with “hacking back.” We aren’t trying to send an attacker malware or compromise their computer. At its core, active defense is all about simulating a successful attack and then controlling the outcome.

How Does Active Defense Work?

Within our active defense environment, we have about 250 personas that we’ve built to fill in as BEC “victims.” All of these personas are built to look like they could be employees at legitimate companies. That being said, none of the domains we use to host these personas are imitating actual, real-world companies.

When we identify a BEC attack in the wild, we use these personas to initiate an engagement with the attacker.

It’s important to note that we aren’t engaging with BEC actors on behalf of any particular organization, nor are we pretending to be an employee of a targeted company in these engagements. Instead, we set up our engagements to seem as though our persona was the target of the same BEC campaign we observed in the wild. The only actual artifacts of the original attack we use to craft our initial engagement are the attacker’s email address and the email subject.

Example initial email and “response” in an active defense engagement

As I mentioned earlier, the goal of an active defense engagement is to simulate a successful attack and control the final outcome. Essentially, we simply comply with whatever request the attacker gives us.

If a scammer asks us to send a wire payment to a fake vendor, we say, “Sure!” Or if a BEC actor wants us to update their direct deposit information, our response would be, “We’ll get it done ASAP!” Or maybe the attacker is asking for us to buy $5,000 in Apple iTunes gift cards. To which we’d say, “I’ll run out in a few minutes!”

Attacker follow-up responses, including attack goal, potential financial impact, and mule account information

Now, of course, we aren’t actually going to send the scammer any money. Rather, we’ll give them one of the dozens of reasons we’ve come up with about why a transaction isn’t working.

Maybe there’s a “hold” on the account the “vendor” wants to use to receive a payment. Or perhaps their new direct deposit account is located at a bank our “company” is prohibited from using. Then we wait to see how the attacker will respond.

At the end of the day, we control the outcome of the engagement and we can even guide an engagement in a certain direction if we want to answer certain intelligence requirements.

Manufactured account issue response, followed by attacker response

In most cases, once we kick off an active defense engagement, we run it until it’s extinguished (when the attacker stops responding to us). This can take less than 24 hours, but in some cases, an engagement may continue for weeks!

Active Defense At Scale

Conducting active defense engagements on a manual, opportunistic basis provides great insights into individual attacks. That being said, our team at Abnormal has been able to automate about 75% of the active defense process, which has allowed us to significantly scale the number of engagements we’re able to conduct.

Since the beginning of 2022, we have conducted almost 40,000 active defense engagements with BEC actors. The biggest benefit to conducting such a huge number of engagements is that it provides us with a really good representative view of the entire BEC ecosystem.

This means we can be confident that the overarching trends we observe in threat actor tactics and motivations are a good representation of what’s actually happening across the global BEC threat landscape.

Scammers Can Get Socially Engineered Just Like Everyone Else

Of the engagements we initiate, we’ve gotten responses from an attacker about 65% of the time. That success rate is pretty astounding considering, as we discussed last week, our engagements 1) are sent from persona accounts that an attacker never emailed to begin with, and 2) reference an initial “executive” that doesn’t exist.

So why does active defense work so well?

The main reason is that scammers are people too! As long as people have been communicating with each other, we’ve been socially engineering each other. The only difference is that now, in cases like BEC, humans are exploited via email or through a computer instead of getting conned face-to-face.

But the concepts that have been used for literally thousands of years to con people are the same reasons social engineering works today. The social engineering principles that scammers use to con their victims are the same ones that let us extract information from them.

The core driver of BEC attacks–just like a majority of other cyber threats today–is financial motivation. As long as a BEC subject has even a sliver of hope that they might make some money, they’ll continue to respond to our engagements.

It’s this strong financial motivation that we’re exploiting in active defense, which causes BEC actors to ignore some pretty clear red flags that you’d think they’d notice (like consistently not receiving any money?). In a way, it’s similar to the way the scammers we’re engaging with trick victims by exploiting other deep-seated human emotions, like trust or anxiety.

So What? How Does Active Defense Help Us?

The primary reason we conduct active defense engagements with BEC actors is that it provides us with significant insights into the full BEC attack cycle that we wouldn’t have without it. Active defense gives us a glimpse into what would have happened if an attack had been successful. In essence, we’re simulating successful attacks to understand an adversary’s post-attack behavior.

The most obvious output from active defense is gaining a more definitive understanding of an attacker’s ultimate goal in an attack. Many BEC attacks start out as a basic email with a generic question that doesn’t provide insight into what the attacker actually wants.

As a result of active defense, though, we’re able to identify exactly what the attacker hoped to gain from the attack. When conducted at scale, it also gives us a better idea of exactly what types of BEC threats an organization should be focusing on based on their known attack history, which can be helpful in developing a strategic risk model.

Active defense engagement identifying the attacker's motivation

In addition to uncovering an attacker’s motivation, active defense also allows us to tie an exact potential financial impact figure to a specific attack. This allows us to better understand an organization’s overall potential financial exposure to BEC threats when the outcomes of active defense engagements are analyzed together.

Strategically, this financial exposure figure helps provide executives with additional context about the ROI of existing defenses that have stopped previous BEC attacks. It also shows, in more concrete terms, the potential financial impact of future BEC attacks if they aren’t stopped.

Active defense engagement revealing the potential financial impact

Another interesting output of active defense engagements is observing how actors adapt to obstacles they encounter. Remember, because we’re controlling the communication in these engagements, we’re able to play out certain scenarios to see how an attacker responds.

The most obvious situation is seeing how an actor pivots when a payment doesn’t go through as requested. Of course, we’re never going to send a BEC actor a wire transfer or go out and purchase thousands of dollars of gift cards, so we develop dozens of reasons why transactions don’t go through as intended. This helps us understand if an attacker will pivot to another type of payment method or perhaps a different type of account.

For example, based on the historical active defense engagements we’ve conducted, we know that payroll diversion BEC actors generally prefer to use non-traditional fintech accounts (e.g., prepaid cards, third-party app accounts, etc.) to receive diverted direct deposits; however, when we take that option away from them, many times they pivot to smaller financial institutions, like credit unions or regional banks, instead of accounts at larger banks.

Active defense engagement demonstrating the actor pivoting to an alternate payment method

Active defense also gives us an opportunity to supplement attacker attribution to help us better understand where BEC actors are coming from. As part of our active defense engagements, we use a beacon that provides us with high-level information about the actors we’re communicating with.

By analyzing the data the beacon provides, we’re able to determine where the actor behind the keyboard is located and, since we’re conducting our active defense engagements at scale, it gives us a representative view of the likely geographic composition of BEC actors globally. Our data shows, for example, that two-thirds of BEC actors we’ve engaged with this year have been located in Nigeria, followed by South Africa (7%), the United Kingdom (7%), the United States (2%), Canada (2%), the United Arab Emirates (1%), and Turkey (1%).

Locations of BEC actors based on information collected from active defense engagements

Controlled active defense engagements are especially useful for understanding multi-stage BEC attacks, such as aging report theft attacks, which we discussed in detail in our recent financial supply chain compromise report.

To understand how an attacker uses a compromised aging report, one of the strategies we employ is providing the attacker with an actual aging report; however, instead of filling it with bogus customer contact details, we include contact information for other persona accounts we control. Then, we sit back and wait to see when and how an actor reaches out to our other personas to request a supposed outstanding payment.

Active defense engagement used to understand the full cycle of a multi-stage aging report theft attack

How Can We Use Active Defense to Impact the BEC Landscape?

As we’ve discussed in this article, active defense has many uses to help us better understand BEC attacks and the actors behind them. This intelligence can help us develop more strategic organizational risk models, understand the potential overall impact of BEC attacks, gain additional insights into the origins of BEC attacks, and gain visibility into the second stage of an attack targeting multiple, separate organizations. But can we use active defense to actually impact the BEC threat landscape?

In addition to collecting intelligence that helps us better understand BEC attacks, which, in turn, allows us to collaborate with other internal teams to make our products more effective, we can also use the output of active defense to develop partnerships that give us an opportunity to impact BEC from a different angle.

One of the byproducts of an active defense engagement is the collection of mule accounts to which BEC actors want money to be sent. As we collect these fraudulent accounts, we actively partner with financial institutions around the world to notify them about these accounts in real time. The goal here is to minimize the effective lifespan of these accounts and disrupt the overall BEC financial supply chain. Similarly, we coordinate with law enforcement to provide them with intelligence about BEC actors and groups that can be used to support ongoing investigations.
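
As an added illustration (not Abnormal's code or tooling), here is one way the outputs described above, attack goal, potential financial impact and mule account details, could be pulled from attacker replies and rolled up across engagements before accounts are passed to a financial institution. The replies, keyword rules, field names and the routing number 990000000 are constructed for the example; the only external fact used is the standard ABA routing-number check digit.

```python
import re
from collections import defaultdict

# Constructed attacker replies for illustration (not real engagement data).
REPLIES = [
    ("eng-001", "Please wire $38,450.00 to the vendor. Routing: 990000000 Account: 4839201175"),
    ("eng-002", "I need you to buy $5,000 in Apple iTunes gift cards and send me the codes."),
    ("eng-003", "Update my direct deposit. Routing number 123456789, account number 77120934"),
]
GOALS = [  # hypothetical keyword rules; first match wins
    ("gift_card", re.compile(r"gift\s*cards?", re.I)),
    ("payroll_diversion", re.compile(r"direct\s+deposit|payroll", re.I)),
    ("wire_transfer", re.compile(r"\bwire\b|\bvendor\b", re.I)),
]
AMOUNT = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)(?:\.(\d{2}))?")
ROUTING = re.compile(r"routing(?:\s+number)?\W{0,3}(\d{9})\b", re.I)
ACCOUNT = re.compile(r"account(?:\s+number)?\W{0,3}(\d{6,17})\b", re.I)

def aba_checksum_ok(rtn):
    """US routing number check digit: weights 3, 7, 1 repeated, sum mod 10 == 0."""
    d = [int(c) for c in rtn]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0

def extract(text):
    """Pull attack goal, largest requested amount (in cents) and mule account from one reply."""
    goal = next((name for name, pat in GOALS if pat.search(text)), "unknown")
    cents = [int(m.group(1).replace(",", "")) * 100 + int(m.group(2) or 0)
             for m in AMOUNT.finditer(text)]
    rtn, acct = ROUTING.search(text), ACCOUNT.search(text)
    mule = None
    if rtn and acct:
        mule = {"routing": rtn.group(1), "account": acct.group(1),
                "routing_valid": aba_checksum_ok(rtn.group(1))}
    return {"goal": goal, "amount_cents": max(cents, default=0), "mule": mule}

def summarize(replies):
    """Total potential exposure per goal, plus mule accounts that pass validation."""
    exposure, reportable = defaultdict(int), []
    for eng_id, text in replies:
        rec = extract(text)
        exposure[rec["goal"]] += rec["amount_cents"]
        # A failed check digit suggests a typo or mis-parse: hold for analyst review.
        if rec["mule"] and rec["mule"]["routing_valid"]:
            reportable.append((eng_id, rec["mule"]["routing"], rec["mule"]["account"]))
    return dict(exposure), reportable

if __name__ == "__main__":
    exposure, reportable = summarize(REPLIES)
    for goal, cents in exposure.items():
        print(f"{goal}: ${cents / 100:,.2f}")
    print("reportable mule accounts:", reportable)
```

Amounts are kept as integer cents so that totals across many engagements do not accumulate floating-point error.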

Of course, the main reason we developed a unique way to collect intelligence about BEC attacks is to help protect our customers. While Abnormal’s core platform uses behavioral analysis to detect attacks that consistently evade legacy defenses, intelligence from active defense engagements can help supplement this already world-class detection with additional unique indicators and trend data that can make it even better, while also providing some additional context about cyber threats to help inform our customers.
