Hackers Steal Millions by Ditching Malware to Sidestep Security

Photo: Getty

Employing sophisticated scams involving social engineering, email phishing, and the harvesting of employee passwords, attackers have pilfered millions of dollars from some of the world’s largest corporations—all while bypassing traditional hacking safeguards by simply avoiding the use of malware.


A new report from IBM Security sheds light on ongoing campaigns being waged by “cyber con artists” employing a known scam called Business Email Compromise (BEC). These attacks take on many forms, but typically include fraud involving fake invoices, impersonation of high-ranking corporate officers, and the targeting of accounting or human resources staff to gather sensitive financial information, such as tax statements.

The threats tracked by IBM’s global threat intelligence service, known as X-Force (insert Marvel Comics joke here), began by harvesting mass amounts of business user credentials, which in studied incidents enabled attackers to impersonate corporate officers authorized to make large fund transfers.

The compromised accounts were gathered largely using traditional phishing techniques.

In one case, an official-looking email sent to hundreds of corporate contacts appeared to contain a link to a business document. The targets were directed to a fake “DocuSign” website where they were first asked to log in using their email credentials. The attack targeted primarily personnel working in the company’s accounts payable department, the report says.

A key defense against this form of credential harvesting is implementing multi-factor authentication.

A Business Email Compromise attack relies heavily on social engineering tactics as opposed to network penetration. (Image: IBM Security)

“To successfully scam companies without special tools or malware, the attackers used sophisticated social engineering tactics that prey on flaws in common accounts payable processes,” IBM reports, such as impersonating vendors that have established relationships with the target. This deception would require some in-depth knowledge of the targeted company’s business ties.

“The attacker’s thoroughness during reconnaissance and while financial conversations took place has involved such actions as impersonating victims, finding and spoofing internal documents needed to make legitimate wire transfers, and setting up multiple domains and emails to pose as higher-level authorities,” the report says.


Because the thefts often involved millions of dollars, the threat groups would go as far as creating shell companies, typically with corresponding bank accounts in Hong Kong or China, as consumer accounts involved in transfers of that size typically warrant additional scrutiny, the report notes.

IBM asserts that the attackers assessed in its research likely originate in Nigeria, though attribution is always tricky. Sophisticated threats often mask their locations by staging attacks from compromised servers in foreign countries.


Business Email Compromise attacks are a growing threat. In December, the cyber defense firm Trend Micro estimated BEC would lead to more than $9 billion in global losses in 2018, based on a flat growth scenario. In a May 2017 advisory, the Federal Bureau of Investigation claimed BEC had grown into a $5.3 billion global industry and reported a 2,370 percent increase in losses between January 2015 and December 2016.

Read the full IBM Security report here.


Senior Reporter, Privacy & Security


Drakkon- Most Glorious and Upright Person of Genius

My tiny company had two of these recently. It was not a fake Docusign, it was a fake OneDrive, ‘please download our signed contract...’

And the hackers set up rules in the Outlook account to hide their tracks. I found them. Very sneaky. If you worry about this, look in the ‘rules’ or automation section of your email system. My account was sending thousands of these emails to other users; the sent items never appeared in the sent or deleted folders. It’s like they never happened.

The other one was an email that appeared to be from me asking my AP dept to ACH a decent amount of money to such and such. The good news is, I sit about 12 feet away from AP so she just called out and asked what it was for... ‘That wasn’t me’ was my reply.

The funny thing about this is I could basically tell the age of the user on the other side by whether they opened the phishing email. Boomers all opened it. Gen-Xers sometimes opened it. Younger folks almost never opened it, or sent me an email asking if they should.
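The inbox-rule cover-up the commenter above describes is one of the most reliable BEC indicators a defender can check for. The script below is an added example (not from the article, IBM, or the commenter): it triages a list of mailbox rules, such as one exported from Exchange with Get-InboxRule, and flags rules that delete mail, park it in rarely opened folders, forward it outside the organisation, or trigger on finance keywords. The field names, folder list, keyword list and sample rules are all constructed assumptions.

```python
"""Flag mailbox inbox rules that fit the BEC cover-up pattern (added example)."""
from dataclasses import dataclass, field
# Folders users rarely open; attackers park hidden mail there (assumption, not from the article)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
# Subject keywords typical of finance threads or security warnings an attacker wants suppressed
WATCH_WORDS = {"invoice", "wire", "payment", "ach", "password", "suspicious", "undeliverable"}

@dataclass
class InboxRule:
    mailbox: str                       # owner of the mailbox the rule lives in
    name: str
    enabled: bool = True
    delete_message: bool = False       # Exchange's DeleteMessage action
    move_to_folder: str = ""           # MoveToFolder action
    forward_to: list = field(default_factory=list)     # ForwardTo / RedirectTo targets
    subject_words: list = field(default_factory=list)  # SubjectContainsWords condition

def rule_findings(rule: InboxRule, internal_domain: str) -> list:
    """Return the reasons one rule looks suspicious; an empty list means it looks benign."""
    if not rule.enabled:
        return []
    reasons = []
    if rule.delete_message:
        reasons.append("deletes matching mail")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely read folder '{rule.move_to_folder}'")
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    if any(w.lower() in WATCH_WORDS for w in rule.subject_words):
        reasons.append("triggers on finance or security-warning keywords")
    if len(rule.name.strip()) <= 1:
        reasons.append("near-empty rule name, a common attacker habit")
    return reasons

def suspicious_rules(rules, internal_domain: str):
    # (mailbox, rule name, reasons) for every enabled rule with at least one finding
    return [(r.mailbox, r.name, f) for r in rules if (f := rule_findings(r, internal_domain))]

# Constructed sample: two benign rules, one disabled leftover, two that match the pattern
SAMPLE_RULES = [
    InboxRule("ceo@example.com", "Newsletters", move_to_folder="Reading"),
    InboxRule("ceo@example.com", ".", delete_message=True, subject_words=["invoice", "wire"]),
    InboxRule("ap@example.com", "Vendors", forward_to=["finance@example.com"]),
    InboxRule("ap@example.com", "Sync", move_to_folder="RSS Feeds", forward_to=["ap.bak@collector.test"]),
    InboxRule("hr@example.com", "Old", enabled=False, delete_message=True),
]

def triage_sample():
    return suspicious_rules(SAMPLE_RULES, "example.com")
```

Running triage_sample() reports only the "." and "Sync" rules; the disabled rule is skipped even though it deletes mail, so re-enabled leftovers should be reviewed separately.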