
BEC Attackers Evade ‘Impossible Travel’ Flags With Residential IP Addresses

May 23, 2023

Attackers have found a new way to avoid detection in business email compromise (BEC) and account takeover attacks by buying locally generated IP addresses to mask the origin of their login attempts, thus circumventing the common “impossible travel” security detection, Microsoft is warning.

An impossible travel flag occurs when a task is performed at two locations in a shorter amount of time than would be required to travel from one location to the other — for instance, if Employee A always logs on from Boston at 9 a.m., then a login attempt an hour later from Singapore would raise a red flag. However, masking the actual origin IP address from which a malicious task is coming provides “the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts” from anywhere, Microsoft researchers wrote in a blog post.

Threat actors are using a combination of platforms such as BulletProftLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to help them evade the flag, Microsoft Security researchers revealed. 

BulletProftLink sells an end-to-end service, including templates, hosting, and automated services for committing BEC — essentially providing cybercrime-as-a-service (CaaS). The abuse of residential IP addresses meanwhile allows for higher volumes of BEC attacks, the researchers warned. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.

“Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks,” according to Microsoft, which added that threat actors in Asia and Eastern Europe are the ones most frequently deploying this tactic.

A Growing Tide of Business Email Compromise

The warning comes against a backdrop of escalating numbers of BEC campaigns. Indeed, the FBI reported that in 2022, it logged more than 21,000 BEC complaints, amounting to adjusted losses of more than $2.7 billion. Microsoft said that nearly all forms of BEC attacks are on the rise, with the top lures among the socially engineered campaigns including payroll topics, invoices, gift cards, and business information.

“Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers,” the researchers wrote in the post.

Top targets for BEC cybercriminals are executives and other senior leaders, finance managers, and human resources staff with access to employee records like Social Security numbers, tax statements, or other personally identifiable information, the company said.

Attackers also like to target new employees who may be less likely to verify unknown sender email addresses, the researchers said. Indeed, attackers successfully breached security vendor Dragos by targeting a new employee with a socially engineered attack, allowing them to log into the company’s employee-onboarding process.

Protection & Mitigation Against Local IP Tactics

While “masquerading behind different IPs/proxies” has been in use by threat actors for more than a decade, its increased use in BEC attacks should serve as a reminder to organizations that they need to practice more vigilance in flagging suspicious network activity, notes one security expert.

In particular, organizations need to use more than geo-location to evaluate the authenticity of an attempt to access a network, says Roy Akerman, co-founder and CEO of cloud and SaaS security firm Rezonate. Instead, full behavioral analysis is the way to go.

“Additional behavioral information on the browser details, actions taken, pattern of usage, and others should be taken into account to limit the usage and stealing of identities,” he says in an email to Dark Reading.
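The following is an added example, not code from Microsoft, Rezonate, or the original article. It shows the speed-based impossible-travel check described earlier passing a login that comes through a nearby residential IP address, while signals that do not depend on geolocation still flag it. The speed threshold, field names, risky-action list, and all sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 900   # assumed ceiling, roughly airliner cruising speed
MIN_KM = 50     # assumed tolerance for geo-IP jitter within one metro area
RISKY_ACTIONS = {"create_inbox_rule", "add_forwarding_address"}  # assumed list

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(prev, cur):
    """True if the trip between two logins would need more than MAX_KMH."""
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    km = haversine_km(prev["geo"], cur["geo"])
    return km > MIN_KM and km > MAX_KMH * max(hours, 0)

def behavioral_flags(baseline, cur):
    """Signals that do not depend on where the IP address geolocates."""
    flags = []
    if cur["asn"] not in baseline["asns"]:
        flags.append("new_asn")
    if cur["user_agent"] not in baseline["user_agents"]:
        flags.append("new_user_agent")
    if cur["first_action"] in RISKY_ACTIONS:
        flags.append("risky_first_action")
    return flags

def login(hour, geo, asn, user_agent, first_action):
    return {"time": datetime(2023, 5, 22, hour, 0), "geo": geo, "asn": asn,
            "user_agent": user_agent, "first_action": first_action}

# Constructed sample data; ASNs come from the documentation range (RFC 5398).
BASELINE = {"asns": {64496}, "user_agents": {"Edge/113 Windows"}}
USUAL = login(9, (42.36, -71.06), 64496, "Edge/113 Windows", "read_mail")
ABROAD = login(10, (1.35, 103.82), 64497, "Chrome/113 Linux", "create_inbox_rule")
LOCAL_PROXY = login(10, (42.37, -71.11), 64498, "Chrome/113 Linux", "create_inbox_rule")

def assess(cur, prev=USUAL, baseline=BASELINE):
    return {"impossible_travel": impossible_travel(prev, cur),
            "behavioral": behavioral_flags(baseline, cur)}

if __name__ == "__main__":
    for name, event in (("abroad", ABROAD), ("local residential proxy", LOCAL_PROXY)):
        print(name, assess(event))
```

The Singapore login trips the travel check on its own; the same session routed through a Boston-area residential address does not, and is caught only by the unfamiliar network, browser, and first action.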

There are also other steps that enterprises can take to stop BEC campaigns that attempt to circumvent the impossible travel flag, Microsoft said. The company suggested that enterprises configure mail systems to flag messages sent from external parties, as well as enable DMARC and notifications for when email senders are not verified.

Organizations also should block senders with identities that they cannot independently confirm and report their mails as phishing or spam in email apps, the researchers said.

Setting up strong authentication policies, such as multifactor authentication (MFA), can also help thwart BEC campaigns, making accounts “more resistant to the risk of compromised credentials and brute-force login attempts, regardless of address space attackers use,” the researchers also noted.

Employee training in how to spot fraudulent and malicious emails should be commonplace among organizations at this point given the frequency with which attackers use BEC and phishing to compromise accounts, as well as their continued success rate and the cost associated with these attacks, the researchers said.

Editorial Team
