Business email compromise (BEC) attacks involve impersonating an executive or business partner in order to convince a corporate target to wire large sums of cash to an attacker-controlled bank account. Mounting a successful international version of this cyberattack typically requires a lot of effort and resources. Necessary steps include researching the target thoroughly enough to make phishing lures convincing and hiring native speakers to translate scams into multiple languages. But that’s all changing as threat groups avail themselves of free, online tools that take some of the legwork out of the process.
A report from Abnormal Security released this week identified two BEC groups that exemplify the trend: Midnight Hedgehog and Mandarin Capybara. Both are leveraging Google Translate, which lets threat actors whip up a plausible phishing lure, in almost any language, in an instant.
Researchers in the report also warned that tools like commercial business marketing services are also making it easier than ever for less-sophisticated and less-resourced BEC threat groups to succeed. These, mostly used by sales and marketing departments to identify “leads,” make it simple to track down the best targets regardless of their region.
It’s all bad news for defenders given that BEC attacks are already lucrative, racking up $2.4 billion in losses in 2021 alone, according to the FBI’s Crime Report — and the number of BEC attacks continues to explode. Now, with some of the cost being driven out of performing them, volumes are only likely to go up.
BEC Groups Scale Fast With Translation, Marketing Tools
Abnormal Security’s Crane Hassold, director of threat intelligence who wrote the report, noted that Midnight Hedgehog has been around since January 2021 and impersonates CEOs as its specialty, according to the report.
So far, the firm has observed two distinct phishing emails from the group translated into 11 different languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish. Thanks to Google Translate’s effectiveness, the emails are missing the simple errors users are trained to look out for and view as suspicious.
“We’ve taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack,” the report added. “When these are not present, there are fewer alarm bells to alert native speakers that something isn’t right.”
Requested payments from Midnight Hedgehog range anywhere from $17,000 to $45,000, the report said.
The second BEC threat group the report highlights, Mandarin Capybara, also sends emails purporting to be from company executives, but uses a twist: It contacts payroll to have direct-deposited paychecks sent to an account they control.
Abnormal Security has observed Mandarin Capybara targeting companies around the globe with phishing lures in Dutch, English, French, German, Italian, Polish, Portuguese, Spanish, and Swedish, but it also targets companies outside of Europe with phishing emails aimed at English speakers in the US and Australia, unlike Midnight Hedgehog, which the report said sticks to non-English-speaking victims in Europe.
Lowering the Barriers to BEC Entry
Extending campaigns across any language with translation tools and using online services to identify “leads” of their own on who to victimize with their next cyberattack makes it easier than ever to scale operations across borders for BEC cyberattackers.
“As email marketing and translation tools become more accurate, effective, and accessible, we will continue to see hackers exploiting them to scam companies with increasing success,” the report explained. “Not only that, because these emails sound legitimate and rely on behavioral manipulation instead of malware-infected files, Midnight Hedgehog, Mandarin Capybara, and other similar BEC groups will be able to easily bypass legacy security systems and spam filters.”
The answer to defending against the rising number and increased sophistication of BEC attacks, Hassold explains to Dark Reading, is a two-pronged approach.
“As social engineering attacks become more sophisticated and it becomes more difficult to distinguish them from legitimate emails, it becomes even more important to prevent them from reaching their destination,” he tells Dark Reading. “Security awareness training certainly has a role in defending against phishing attacks, but the best way to prevent employees from falling for these attacks is simply to ensure that they never receive them in the first place.”
That means implementing behavioral-based machine learning and AI tools tuned to detect anything outside “normal” behavior will be a key to stopping this new supercharged version of international BEC attacks, the report said.
