It’s not inappropriate for ransomware attacks, such as the recent one on Howard University, to get a lot of attention and coverage. They are a despicable form of crime, a formidable challenge for defenders, and potentially devastating for victims. But a point my colleague Chad “@piffey” Anderson made on an episode of the Breaking Badness podcast we recorded recently stayed with me: business email compromise (BEC) and other forms of “pure” phishing (phishing that was the main TTP, rather than an early stage of a multi-part attack) still considerably outpace ransomware when it comes to the losses incurred. The FBI’s Internet Crime Report stats from 2020 make this clear, and while the 2021 numbers aren’t in yet, it’s unlikely that the picture will be appreciably different unless the actors lining their pockets with the ill-gotten gains of BEC have suddenly decided to retire.
The case in question on the podcast concerned a successful BEC attack in the town of Peterborough, NH. No sophisticated malware was needed to bilk the taxpayers out of some $2.3 million; rather, a phisher successfully impersonated organizations that had accounts receivable from the town. Unfortunately, Peterborough was just one of the thousands of BEC cases that still plague both the public and private sectors. Yet the headlines still focus on the malicious gangs with the clever names and ever-escalating technical sophistication.
In 2020, the IC3 received 19,369 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion. Source: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
It all reminds me of how we respond to plane crashes compared to highway accidents: the air crashes are a tragic spectacle. The attention they generate is not misplaced, mostly because of the human toll, but also because of the learnings that come from crash investigations to make flying safer in the future. But the attention to them makes it easy to lose sight of the daily reality of highway traffic accidents, which cumulatively are much costlier in lives and injuries. The reasons for this phenomenon are easily enough understood, but that doesn’t make it any less pernicious. And there are lessons we can take from it.
Lesson 1: the spectacle is a distraction. Be sure that the focus on ransomware doesn’t create gaps in diligence and prioritization that could allow simpler, yet still effective, social engineering schemes to slip through.
Lesson 2: the measures that protect against the spectacular events can also protect against the mundane ones. Seat belts save drivers and fliers alike; anti-lock brakes (originally developed for aircraft) improve safety margins on runways as well as roadways. With regard to infosec, I recently wrote about how the defenses against ransomware are an interlocking set of “defender TTPs” that are all well understood. And that leads us to…
Lesson 3: Focus on the common denominator. While it can require many defensive actions to quash a ransomware attack, phishing is often the initial vector and the best chance to stop it cold. And, while it is possible for BEC to be initiated through just about any contact channel, including the telephone, email is still the most common there too. This suggests that, among all of the areas to place extra diligence, phishing prevention may have the biggest payoff. Fortunately, there are many good methods and tools.
In closing, it’s obvious that we have to be mindful of all of the threats facing every organization. And strong measures against ransomware have never been more important than they are now. But it behooves all of us to remember that some of the other, simpler, attack types still pack a significant punch.
Mindful of Lesson 3, in a companion blog we’ll look at the variety of tools in the anti-phish-kit. For now, be safe out there!