Cybercriminals are using residential IP addresses in business email compromise (BEC) attacks to make them seem locally generated and evade detection, Microsoft says.
The number of reported BEC attacks is constantly increasing: the Federal Bureau of Investigation (FBI) received close to 22,000 BEC complaints in 2022, with losses totaling over $2.7 billion.
As part of a BEC attack, cybercriminals use compromised or spoofed email addresses to send fraudulent requests for wire transfers to employees in charge of making or authorizing payments. The fraudsters request payments to be made to bank accounts they control.
One of the latest tactics that BEC scammers have adopted involves purchasing, from residential IP services, IP addresses that match the location of their victim, which allows them to mask the origin of their login attempts.
“Armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks,” Microsoft explains.
The ‘impossible travel’ detection flags a physical impossibility: a task performed from two locations in less time than it would take to travel from one location to the other.
“Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks,” Microsoft notes.
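The check described above, as an added example that is not part of Microsoft's report: a minimal impossible-travel detector run over constructed sign-in records whose coordinates stand in for IP geolocation. The 900 km/h speed ceiling, the 25 km noise floor and all users, timestamps and IP labels are assumptions; the second user illustrates why a residential proxy geolocated near the victim's own city passes the rule.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in records (not real telemetry): each entry is
# (user, UTC timestamp, latitude, longitude, source IP label).
SIGN_INS = [
    ("alice", "2023-05-10T09:00:00Z", 47.6062, -122.3321, "corp-seattle"),
    ("alice", "2023-05-10T09:30:00Z", 6.5244, 3.3792, "unknown-foreign"),
    ("bob", "2023-05-10T10:00:00Z", 41.8781, -87.6298, "home-chicago"),
    # Attacker signing in through a residential proxy geolocated near the
    # victim's city: the implied speed stays plausible, so nothing is flagged.
    ("bob", "2023-05-10T10:30:00Z", 41.7508, -88.1535, "residential-proxy"),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(records, max_speed_kmh=900.0, min_distance_km=25.0):
    """Return (user, from_label, to_label, km, hours) for each consecutive pair
    of sign-ins by the same user whose implied speed exceeds max_speed_kmh.
    Pairs closer than min_distance_km are ignored as geolocation noise."""
    by_user = {}
    for user, ts, lat, lon, label in records:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon, label))
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Same-second sign-ins from distant points: treat speed as infinite.
            speed = float("inf") if hours == 0 else km / hours
            if speed > max_speed_kmh:
                flagged.append((user, l1, l2, round(km), round(hours, 2)))
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(SIGN_INS):
        print("impossible travel:", hit)
```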
The tech giant has observed BEC scammers in Asia and an Eastern European country frequently using this tactic.
The threat actors use phishing-as-a-service offerings to obtain login credentials, including BulletProftLink, which uses Internet Computer public blockchain nodes to host phishing and BEC sites, making takedown more difficult.
Organizations are advised to set specific email rules to block messages from outside parties, implement strong authentication methods, train employees to spot fraudulent emails, use secure email solutions, and implement domain-based message authentication, reporting, and conformance (DMARC) policies to protect against spoofed emails.
“Threat actors’ BEC attempts can take many forms – including phone calls, text messages, emails, or social media messages. Spoofing authentication request messages and impersonating individuals and companies are also common tactics,” Microsoft notes.