
Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyberattacks

by justmattg
February 6, 2023
in Cyber Security


Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.

In a Feb. 1 blog post, Crane Hassold, director of threat intelligence at Abnormal Security, profiled “Firebrick Ostrich,” a threat actor that’s been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organizations and utilizing 212 malicious domains in the process.

This volume of attacks is made possible by the group’s wholesale gunslinging approach. Firebrick Ostrich doesn’t discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that’s enough.

“BEC is attractive to bad actors,” Sean McNee, CTO at DomainTools, explains to Dark Reading, “due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack.”

These factors may explain why such attacks are “absolutely the emerging trend,” as Hassold tells Dark Reading, leaving even ransomware in the dust. “There are literally hundreds, if not thousands, of these groups out there.”

Firebrick Ostrich’s BEC M.O.

Firebrick Ostrich almost always targets organizations based in the United States. Beyond that, though, there doesn’t appear to be a pattern — it dips into retail and education, transportation and healthcare, and everything in between.

The group specializes in third-party impersonations, reflecting a shift in BEC more generally. “Since its inception, BEC has been synonymous with CEO impersonation,” Hassold notes. But more recently, “threat actors have identified third parties as a sort of soft target in the B2C attack chain. More than half of the B2C attacks that we see now are impersonating third parties instead of internal employees.”

The degree of reconnaissance Firebrick Ostrich requires to perform such an attack is frustratingly minimal. All that’s needed is an understanding that two organizations connect to one another somehow — most often, that one provides a product or service to the other.

Such information is publicly available on many government websites. In commerce, it might be found on a vendor’s website, on a landing page gallery of customer logos. If not, a simple Google search might do the trick. It’s enough to go on, Hassold says, even if “they haven’t compromised an account or a document that provides them with insight into payments that are going back and forth.”

Having identified a vendor, the group registers a lookalike Web domain, and a series of email addresses for imaginary employees and executives in the vendor’s finance department. “Firebrick Ostrich copies all of the additional fake accounts on their emails to make it look like they are including others in the conversation,” Abnormal Security researchers wrote in the analysis, “which adds credibility and social proof to the message.”

Finally, the group sends the email, impersonating an accounts payable specialist, to the accounts payable division at the target organization. The note will typically begin with some flattery, like how the vendor “greatly appreciates you as a valued customer and we want to thank you for your continued business.”

Firebrick Ostrich doesn’t seek out bank information from its victims. Rather, its operatives request to update their own (the “vendor’s”) bank details, for future payments.

“These attackers are playing a longer game,” according to the report, “hoping that a simple request now will result in a payment to their redirected account with the next payment.” The group always opts for ACH, as it requires only an account and routing number — no other identifying information — to send a lump sum.

For good measure, these emails also include a vague inquiry regarding outstanding payments.

[Figure: A phishing email used in BEC attacks. Source: Abnormal Security]

What’s notable in all this is how quick and easy the entire attack flow is. Case in point: Abnormal Security found that in 75% of cases, Firebrick Ostrich registered a malicious vendor domain within just two days of sending an opening phishing email, and 60% of the time within 24 hours.
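The traits described above (a lookalike vendor domain, registration only days before sending, CC'd "colleagues" on that same domain, and a bank or ACH change request) can each be checked on inbound mail. The sketch below is an added example, not code from Abnormal Security or the article; the vendor list, message fields and domain names are constructed, and registration dates are assumed to come from a WHOIS/RDAP lookup done elsewhere.

```python
import re
from datetime import date

# Assumptions (all constructed): the vendor master list, the message dicts, and
# registration dates that a real pipeline would fetch via WHOIS/RDAP.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-logistics.com"}
MAX_DOMAIN_AGE_DAYS = 2   # the article: 75% of domains registered within two days
BANK_CHANGE = re.compile(
    r"\b(ach|routing number|bank (details|information|account))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the known vendor domain that `domain` imitates, or None."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    return next((v for v in sorted(KNOWN_VENDOR_DOMAINS)
                 if edit_distance(domain, v) <= 2), None)

def bec_indicators(msg, today):
    """List which traits of the described campaign a message shows."""
    sender_domain = msg["from"].rsplit("@", 1)[1].lower()
    cc_domains = [a.rsplit("@", 1)[1].lower() for a in msg["cc"]]
    hits = []
    vendor = lookalike_of(sender_domain)
    if vendor:
        hits.append(f"lookalike of {vendor}")
    if (today - msg["domain_registered"]).days <= MAX_DOMAIN_AGE_DAYS:
        hits.append("newly registered sender domain")
    if len(cc_domains) >= 2 and set(cc_domains) == {sender_domain}:
        hits.append("every CC is on the sender's domain")
    if BANK_CHANGE.search(msg["body"]):
        hits.append("bank/ACH change request")
    return hits

SAMPLE = {  # constructed message
    "from": "ap.specialist@acme-suppiies.com",
    "cc": ["cfo@acme-suppiies.com", "controller@acme-suppiies.com"],
    "domain_registered": date(2023, 1, 31),
    "body": "We greatly appreciate you as a valued customer. Please update "
            "our bank details for future ACH payments.",
}
print(bec_indicators(SAMPLE, date(2023, 2, 1)))
```

A message that trips several of these checks at once is a candidate for holding until the account change is confirmed with the vendor out of band.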

BEC Is Big-Time Cybercrime

In 2018, the FBI released a public service announcement about a “12 billion dollar scam.” From October 2013 to May 2018, the agency estimated, organizations worldwide had lost about $12.5 billion to BEC.

That seemed like a lot at the time. One year later, though, the Feds released a new PSA. Now, BEC was a $26 billion arena. And in 2022, a third PSA appeared, declaring BEC a $43 billion scam.

These numbers may even be underestimated, considering the cases that go unreported.

Firebrick Ostrich is a prime example of why BEC is so popular, according to Abnormal Security: “They have seen massive success, even without the need to compromise accounts or do in-depth research on the vendor-customer relationship.” The campaigns are effective yet quick and low-effort, with a low barrier to entry.

BEC can also be, as McNee calls it, a “‘gateway drug’ to other illicit, illegal activities” like ransomware.

“There’s an accessible underground economy of suppliers that make account takeover fairly trivial, so if a BEC-focused bad actor is interested in pivoting to other activities or selling the access they gain to others, they can easily do so.” This relationship goes both ways, with ransomware double extortions feeding follow-on BEC attacks.

To prevent a costly compromise, Hassold recommends that organizations “have a really structured and rigid process for any financial transaction. Make sure that the account change is confirmed with the actual party offline, in a separate communication thread, before the change is actually implemented.”

Most of all, employees must be aware of phishing tactics. “A key reason BEC attacks are difficult to defend against,” McNee adds, “is that they attack people and not technology per se. Everyone is susceptible to social engineering because we’re all human.”


