CEO Fraud Attacks Were Far More Lucrative than Ransomware Over the Past 3 Years

Cisco’s midyear report released this week showed that CEO fraud netted cybercrime five times more money than ransomware over the last three years.

The surprising highlight of Cisco’s ninety-page report was that cybercrime made 5.3 billion from CEO fraud attacks–called business email compromise (BEC) by the FBI–compared with a “mere” 1 billion for ransomware over a three-year stretch.

Organized Eastern European cybercrime is more and more taking the “time is money” approach, in this case billions, says Steve Martino, Cisco’s chief information security officer. “What we are looking at is the continual commercialization of cyberattacks,” Martino says, pointing out that is a major theme in the report.

Ransomware takes time to develop and extensively test before any net Bitcoin comes into the wallet, compared to doing a quick bit of research on LinkedIn and crafting a spoofed spear-phishing attack. CEO fraud simply is faster to pull off. Moreover, your run-of-the-mill spray-and-pray ransomware attacks are often lower-dollar numbers.

Schooling Users on CEO Fraud and Ransomware

Cisco’s Martino says targeted cybersecurity education for employees can help prevent users from falling for CEO fraud and ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus email comes across the transit of the CEO asking for a funds transfer it can be detected, Martino says.

Regular software patching also is crucial. When spam laden malware hits or ransomware attacks similar to WannaCry surfaces, the impact can be minimized. “People focus on new technology, but forget about patching and maintaining the infrastructure,” Martino observed.

And a balanced defensive and offensive posture, with not just firewalls and antivirus but also including measures to hunt down possible attacks through data collection and analysis, he adds.

Spyware Makes a Comeback

Cisco found that in the first half of this year, attackers altered their methods of delivering, hiding, and evading their malicious packages and techniques.

Fileless malware is popping up, which lives in memory and disappears when a device reboots, according to the report. As a result, it makes detection and the ability to investigate it more difficult.

Additionally, attackers are also making use of anonymized and decentralized infrastructures, such as Tor proxy services, to hide command and control activities.

Meanwhile, three families of spyware ran rampant, with Hola, RelevantKnowledge, and DNSChanger/DNS Unlocker affecting more than 20% of the 300 companies in the sample for the report.

Ironically, many organizations underestimate or virtually dismiss spyware. “Spyware is being disguised as adware and adware, unlike spyware, does not create damages for a company,” says Franc Artes, Cisco’s Security Business Group architect. He adds that attackers are injecting spyware and other forms of malware into adware, since adware is a low priority for security teams.

‘Destruction of Service’ Attack Threat

The report also highlights the dangers of Destruction of Service (DeOS) attacks, epitomized by the likes of WannaCry and NotPetya which were both much more destructive than traditional ransomware. These types of attacks, Cisco says, have the strength to eliminate organizations’ data backups and leave them unable to recover.

Cost of Downtime Not Calculated

The one thing that was not taken into account related to ransomware was the amount of damage caused by downtime, having workstations and servers not up and running. If you calculate that in, ransomware is probably as damaging as CEO fraud, or even more.