Protecting your Enterprise from Business Email Compromise
- Business Email Compromise (BEC) is a growing threat that has resulted in companies losing billions of dollars since 2013
- BEC starts with spear phishing and traditional attacks to install spyware
- Bromium prevents attackers from getting their first foot in the door
Within Bromium, the acronym BEC stands for the Bromium Enterprise Controller that’s used to manage our deployments. However, within the threat landscape, BEC is something else entirely. According to the FBI, the emerging financial threat called Business Email Compromise (BEC) has been one of the fastest growing scams since 2013.
Malware leads to sophisticated social engineering
Business Email Compromise is carried out by large, organized groups that include lawyers, linguists, hackers and social engineers. Once a corporation has been targeted, the scam proceeds with spear phishing or zero-day exploits to drop a malware payload, generally on the machine of someone in accounting.
This malware is essentially spyware that is crucial in getting information about the enterprise. This includes names and roles of various employees in the organization, vendor information, billing and invoicing email threads and any other information deemed pertinent to the scam.
What follows is weeks or even months of careful analysis to make sure the deception will succeed. The final nail in the coffin is an email that appears to come from the CEO, asking for an immediate wire transfer to a trusted vendor. The account numbers, however, are different, and a large sum of money is unwittingly wired to the criminals.
Detection-based anti-malware won’t stop BEC
Note that one of the crucial steps in this scam is installing spyware that gives the attackers access to valuable inside information. That spyware may be delivered through a zero-day exploit, in which case signature-based anti-malware, which can only block what it has already seen, will not stop it.
Or delivery may be a simple social-engineering trick that prompts an unsuspecting employee to open a document or executable, which silently installs the spyware. Or the spyware itself may be written specifically for this one enterprise and behave unremarkably, looking to a heuristic scan like just another software product, which makes it almost impossible to detect.
Bromium to the rescue
With Bromium installed, any document or executable the employee opens runs inside a micro-virtual machine, so the malware/spyware is dropped into that VM rather than onto the host. Because the isolation is hardware-enforced, the spyware has no access to the user's personal data, documents on the host, email profiles or any other pertinent information.
Whether the spyware is custom enough that Bromium cannot detect it does not matter: the protection does not depend on detection. As far as the spyware is concerned, the employee's machine is a virtually empty PC with nothing on it to mine for information.
With Bromium installed on every employee's PC, the criminals have no foothold and no way to steal the information needed for the subsequent grooming and social engineering that eventually leads to a Business Email Compromise. Isolation closes the malware route this post describes; as a matter of process, any change to a vendor's payment details should still be confirmed out of band before money moves.