Many security tools use geolocation to assess the legitimacy of login attempts. In a series of business email compromise (BEC) attacks conducted in May 2023, threat actors bought residential IP addresses to circumvent these controls.

Geolocation-based security controls look at the user’s location to flag potentially malicious login attempts. For example, if a user simultaneously tried to access the network from New York and China, the login would be blocked. The tools also look for “impossible travel” — a user logging in from New York at 9 a.m. and China at 10 a.m. would raise a red flag. It’s not possible to travel from one location to the other in that amount of time. However, these tools are not equipped to identify attacks in which the origin IP address is masked.

Understanding the Risk

The May 2023 BEC attacks used the BulletProftLink service to generate malicious email campaigns at a large scale. BulletProftLink sells all the tools needed for BEC attacks in a Cybercrime-as-a-Service model. The attackers also used a service that can rotate through millions of IP addresses each second.

The attacks come at a time of skyrocketing numbers of BEC campaigns. According to a report from Abnormal Security, BEC attacks increased 55 percent in the first half of 2023 compared to the previous six months. The FBI’s Internet Crime Complaint Center (IC3) has identified $51 billion in BEC losses since 2013, with $2.7 billion in 2022 alone.

Residential IP addresses were also used in a password-spraying attack launched in November 2023. The attack infiltrated Microsoft’s Office 365 tenant and affected the accounts of Microsoft senior leadership and cybersecurity and legal teams. The Russian state-sponsored group Midnight Blizzard carried out the attack. The impact was relatively limited, but the attackers were able to remain undetected for months as they exfiltrated sensitive data.

Thwarting These Attacks

Threat actors have used masked IP addresses for more than a decade, but experts are concerned about the use of this technique in BEC and account takeover attacks. Attackers can obtain large numbers of compromised credentials and access accounts from any location. In addition to circumventing “impossible travel” flags, the masked IP addresses allow threat actors to hide their activities as they carry out their attacks.

Organizations should still detect impossible travel: with widespread remote work and a distributed IT environment, it remains an early warning sign of attacks and account takeovers. However, organizations should supplement impossible travel flags with the detection of other anomalies, including:

  • Multiple failed login attempts
  • Activity from dormant or terminated users
  • Unusual downloads of large volumes of data
  • Activity from suspicious IP addresses
  • Suspicious email sending patterns
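The impossible-travel check described earlier and the supplementary anomaly checks in the list above can be run over the same authentication events. The following is an added example written for this article, not tooling from the author or from any product it mentions. It uses a constructed sample log whose coordinates are embedded (a real pipeline would resolve them from an IP geolocation database), hypothetical reference data (terminated accounts, last-seen dates, a small IP denylist), and assumed thresholds (1000 km/h, five failures in ten minutes, 90 days dormant) that a defender would tune for their environment. Note that the "suspicious email sending patterns" item needs mail-flow telemetry rather than login events and is not covered here.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, result, source IP, latitude, longitude.
# A real pipeline would resolve coordinates from an IP geolocation database;
# they are embedded here so the example runs offline.
SAMPLE_LOG = """\
2023-05-10T09:00:00Z alice SUCCESS 203.0.113.10 40.71 -74.01
2023-05-10T10:00:00Z alice SUCCESS 198.51.100.7 31.23 121.47
2023-05-10T09:15:00Z bob FAILURE 192.0.2.44 51.51 -0.13
2023-05-10T09:15:05Z bob FAILURE 192.0.2.44 51.51 -0.13
2023-05-10T09:15:10Z bob FAILURE 192.0.2.44 51.51 -0.13
2023-05-10T09:15:15Z bob FAILURE 192.0.2.44 51.51 -0.13
2023-05-10T09:15:20Z bob FAILURE 192.0.2.44 51.51 -0.13
2023-05-10T11:00:00Z carol SUCCESS 203.0.113.22 37.77 -122.42
2023-05-10T12:00:00Z dave SUCCESS 203.0.113.23 47.61 -122.33
2023-05-10T13:00:00Z erin SUCCESS 192.0.2.99 48.86 2.35
"""

# Hypothetical reference data: terminated accounts, last known activity per user,
# and a denylist of IPs flagged by threat intelligence (all constructed).
TERMINATED_USERS = {"carol"}
LAST_SEEN = {"dave": datetime(2022, 11, 1)}
SUSPICIOUS_IPS = {"192.0.2.99"}

# Tunable thresholds (assumptions, not values from the article).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0      # faster than any commercial flight
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
DORMANT_AFTER = timedelta(days=90)
EARTH_RADIUS_KM = 6371.0


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, lat, lon = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip,
                       "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["time"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive successful logins by one user that would need an implausible speed."""
    findings, last = [], {}
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            # Two distinct locations at the same instant count as infinite speed.
            speed = km / hours if hours > 0 else math.inf
            if km > 0 and speed > max_speed_kmh:
                findings.append((e["user"], "impossible_travel", round(speed)))
        last[e["user"]] = e
    return findings


def other_anomalies(events, terminated, last_seen, bad_ips):
    """Apply the supplementary checks; returns (user, reason, detail) tuples."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of failures inside the window
    for e in events:
        user = e["user"]
        if e["result"] == "FAILURE":
            recent = [t for t in failures[user] if e["time"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(e["time"])
            failures[user] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is reached
                findings.append((user, "multiple_failed_logins", len(recent)))
            continue
        if user in terminated:
            findings.append((user, "terminated_user_activity", e["ip"]))
        elif user in last_seen and e["time"] - last_seen[user] > DORMANT_AFTER:
            findings.append((user, "dormant_user_activity", (e["time"] - last_seen[user]).days))
        if e["ip"] in bad_ips:
            findings.append((user, "suspicious_ip", e["ip"]))
    return findings


def run(text=SAMPLE_LOG):
    """Run both detectors over a log and return every finding."""
    events = parse_log(text)
    return impossible_travel(events) + other_anomalies(events, TERMINATED_USERS, LAST_SEEN, SUSPICIOUS_IPS)


if __name__ == "__main__":
    for user, reason, detail in run():
        print(f"{user:6} {reason:26} {detail}")
```

On the sample data, alice's New York login followed one hour later by a Shanghai login requires roughly 11,900 km/h and is flagged; an attacker using a residential proxy near the victim would not trip this check, which is why the other detectors run alongside it.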

To detect BEC attacks, organizations should authenticate senders using Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is a standards-based protocol that enables domain owners to publish a policy telling receiving mail servers to block email from unapproved senders, and to receive reports of senders attempting to use their domains.
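A DMARC policy is published as a DNS TXT record at `_dmarc.<domain>` using a `tag=value;` syntax (RFC 7489), and a record that exists but says `p=none` only monitors spoofing without stopping it. The following added example, written for this article rather than taken from the author or any product, parses such a record and grades it, showing a weak record next to a hardened one. The domain and mailbox addresses are constructed placeholders; a real check would fetch the TXT record with a DNS resolver instead of a string literal, and SPF and DKIM alignment (which DMARC builds on) is outside this snippet.

```python
# Constructed DMARC records for a hypothetical domain (not from any real deployment).
WEAK_RECORD = "v=DMARC1; p=none"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")

POLICIES = ("none", "quarantine", "reject")   # in order of increasing protection


def parse_dmarc(record):
    """Parse the 'tag=value; tag=value' syntax of a DMARC TXT record into a dict.

    Raises ValueError for records a receiver would ignore (missing v=DMARC1 or p tag).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("DMARC record needs p=none, p=quarantine or p=reject")
    return tags


def is_dmarc_record(record):
    """True when the text parses as a usable DMARC record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def grade_dmarc(record):
    """Return (policy, issues): the domain policy and the weaknesses a defender should close."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    issues = []
    if policy == "none":
        issues.append("p=none only monitors; receivers still deliver spoofed mail")
    pct = int(tags.get("pct", "100"))          # percentage of failing mail the policy applies to
    if policy != "none" and pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        issues.append("no rua address: aggregate reports about senders abusing the domain will not arrive")
    return policy, issues


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        policy, issues = grade_dmarc(rec)
        print(f"{name:8} p={policy:10} {'OK' if not issues else '; '.join(issues)}")
```

The `rua` check matters for the reporting half of DMARC that the paragraph describes: without an aggregate-report address the domain owner never learns which senders are attempting to use the domain, even when the policy itself is `p=reject`.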

Other Steps to Take

Account takeover attacks often stem from weak passwords and compromised credentials. In the Microsoft attack, the threat actor gained access through an inactive test account with a weak password. Organizations can minimize the risk by requiring multifactor authentication and regularly reviewing user access. Privileged accounts should be reviewed frequently, and least-privilege access policies enforced.

Organizations should also conduct security awareness training regularly. Users need to understand how to spot malicious emails and prevent BEC attacks and other fraud.

Security is never a set-and-forget operation. Hackers are skirting common security controls, and organizations must respond by closing the gaps. Let Technologent’s cybersecurity team help you update your strategy and create a more resilient environment.


Post by Technologent
March 29, 2024
Technologent is a women-owned, WBENC-certified and global provider of edge-to-edge Information Technology solutions and services for Fortune 1000 companies. With our internationally recognized technical and sales team and well-established partnerships between the most cutting-edge technology brands, Technologent powers your business through a combination of Hybrid Infrastructure, Automation, Security and Data Management: foundational IT pillars for your business. Together with Service Provider Solutions, Financial Services, Professional Services and our people, we’re paving the way for your operations with advanced solutions that aren’t just reactive, but forward-thinking and future-proof.