CyberSecurity SEE

BEC Attackers Avoid Detection by ‘Impossible Travel’ Flags Using Residential IP Addresses

Cybercriminals have found a new way to evade detection in business email compromise (BEC) and account takeover attacks: they buy residential IP addresses local to their victims to mask the true origin of their login attempts and sidestep the "impossible travel" security feature, according to a Microsoft blog post. That feature flags a pair of sign-ins from two locations that occur closer together in time than it would take to physically travel between them. By masking the IP address from which the malicious activity actually originates, criminals can work through large volumes of compromised credentials and access accounts from anywhere, while each login appears to come from near the account owner.

The abuse of residential IP services by attackers increases the likelihood of successful BEC attacks, according to Microsoft Security researchers. BulletProftLink, an end-to-end BEC service that supplies templates, hosting, and automation for running campaigns, also helps criminals evade detection. One IP service provider allows attackers to rotate their IP addresses every second, which illustrates both the scale of the resources available to attackers and the challenge businesses face.

The researchers highlighted that cybercriminals in Asia and Eastern Europe are the most frequent users of this tactic. The report comes amid a sharp rise in BEC campaigns, which rely on social engineering to lure victims into handing over financial information or making fraudulent money transfers. In 2022, the FBI received 21,000 BEC complaints, with adjusted losses of over $2.7bn.

Executives and senior leaders, finance managers, and human resources staff with access to employees’ personally identifiable information are popular targets for BEC criminals. New employees are also ideal targets as they may be less likely to verify unknown sender email addresses, the report said.

Organizations need to be more vigilant in flagging suspicious network activity. Since the source IP alone can no longer be trusted, they should also analyze browser details, the actions taken in the session, patterns of usage, and more, to limit the theft and misuse of identities, according to Roy Ackerman, co-founder and CEO of cloud and SaaS security firm Rezonate.
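To make both points concrete, here is an added example (written for this page, not code from Microsoft, Rezonate or the article) that runs a velocity-based impossible-travel check over two constructed sign-in streams: one where the attacker connects directly from abroad, and one where the same attacker uses a residential IP a few kilometres from the victim. The second stream passes the geo-velocity check, and only a secondary signal of the kind Ackerman describes (here, a browser user agent never seen for that account) flags it. The coordinates, timestamps, user agents and the 1,000 km/h plausibility threshold are all assumptions made for the illustration.

```python
# Added example (not from Microsoft's blog or the article): an "impossible travel"
# check over constructed sign-in events, plus a second signal based on browser
# details. Coordinates, timestamps, user agents and the 1000 km/h threshold are
# all assumptions made for the illustration.
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: a little above airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def travel_speed_kmh(prev, cur):
    """Speed the account holder would have needed to get from prev to cur."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours


def is_impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """The core impossible-travel rule: two sign-ins too far apart for the time elapsed."""
    return travel_speed_kmh(prev, cur) > max_kmh


def analyse(events):
    """Walk sign-ins in time order; return [(index, [reasons])] for suspicious ones.

    reasons: "impossible_travel" from the geo-velocity check, "new_user_agent"
    when the browser fingerprint differs from everything seen for that user.
    The first sign-in for a user is trusted as the baseline (a simplification).
    """
    findings = []
    last_seen = {}      # user -> previous sign-in event
    known_agents = {}   # user -> set of user agents already observed
    for i, ev in enumerate(events):
        user = ev["user"]
        reasons = []
        prev = last_seen.get(user)
        if prev is not None and is_impossible_travel(prev, ev):
            reasons.append("impossible_travel")
        agents = known_agents.setdefault(user, set())
        if agents and ev["ua"] not in agents:
            reasons.append("new_user_agent")
        agents.add(ev["ua"])
        last_seen[user] = ev
        if reasons:
            findings.append((i, reasons))
    return findings


def event(user, ts, lat, lon, ua):
    return {"user": user, "ts": datetime.fromisoformat(ts), "lat": lat, "lon": lon, "ua": ua}


# Constructed sample telemetry (not real data).
UA_VICTIM = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0"
UA_ATTACKER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
NYC = (40.7128, -74.0060)       # victim's office
LAGOS = (6.5244, 3.3792)        # attacker's real location (assumption)
NEWARK = (40.7357, -74.1724)    # residential proxy exit near the victim

# Scenario 1: attacker logs in directly from abroad 30 minutes after the victim.
DIRECT_ATTACK = [
    event("cfo@example.com", "2023-05-01T09:00:00", *NYC, UA_VICTIM),
    event("cfo@example.com", "2023-05-01T09:30:00", *LAGOS, UA_ATTACKER),
]

# Scenario 2: same attacker, same credentials, routed through a residential IP
# a few km from the victim. The velocity check has nothing to flag.
PROXIED_ATTACK = [
    event("cfo@example.com", "2023-05-01T09:00:00", *NYC, UA_VICTIM),
    event("cfo@example.com", "2023-05-01T09:30:00", *NEWARK, UA_ATTACKER),
]

if __name__ == "__main__":
    for name, stream in (("direct", DIRECT_ATTACK), ("proxied", PROXIED_ATTACK)):
        speed = travel_speed_kmh(stream[0], stream[1])
        print(f"{name}: {speed:.0f} km/h needed -> {analyse(stream)}")
```

The direct login needs roughly 17,000 km/h and is caught by the velocity rule alone; the proxied login needs under 30 km/h and is indistinguishable from the victim by location, so detection depends on the second signal. A real deployment would not stop at the user agent string, which an attacker can copy, but would combine device identity, session behaviour and the other signals Ackerman lists.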

Microsoft suggested configuring mail systems to flag messages sent from external parties, enabling DMARC, and turning on notifications for when email senders are not verified. Companies can also block senders whose identities they cannot independently confirm and report their messages as phishing or spam from the mail client. Strong authentication policies, such as multifactor authentication (MFA), make accounts more resistant to compromised credentials and brute-force login attempts, regardless of the address space the attackers use.

Employee training on identifying fraudulent and malicious emails should also be commonplace given the frequency with which attackers use BEC and phishing to compromise accounts. The success rate and cost associated with these attacks also make training imperative, the Microsoft researchers said.
