Machine learning has led to breakthroughs such as speech recognition and smart digital assistants such as Alexa. Then there’s the downside.

Scammers are now using machine learning tools to mine social media data and target the executive organization chart with fraudulent emails that look and sound like they came from someone inside the company. And it’s paying off. Cybercriminals have already collected more than $3 billion over the last three years by targeting 400 companies every day, according to recent findings of Symantec Corp. security researchers.

“This is one of the biggest deals in the cybercriminal world today,” said Vijay Thaware (pictured, left), security response lead for Symantec.

Fake emails convey urgency

Thaware and his Symantec colleague, threat analyst Ankit Singh (right), presented their findings on Wednesday during the first day of the Black Hat USA 2017 cybersecurity conference briefings in Las Vegas. According to the researchers, these business email compromise or BEC attacks occur during the workweek. They’re designed to instill a sense of urgency during a busy business day or fear based on failure to respond to a cleverly spoofed message from a key executive, such as the chief executive.

“It’s remarkably simple and relies on human psychology,” said Thaware.

Symantec’s Vijay Thaware (left) and Ankit Singh (Photo: Mark Albertson)

The security analysts were quick to point out that business email compromises are not mass attacks that cast a wide net aimed at ensnaring a percentage of unsuspecting users. Instead, they are targeted to specific company executives using data gathered from social media profiles and even the company’s own website. Anyone who has responsibility for making financial payments, such as accounts payable requests or invoices, becomes a highly valuable target.

Publicly available information contained in social media profiles such as those at Facebook Inc., Twitter Inc., and LinkedIn Corp. offers a baseline of personal information that scammers use. This can be supplemented with biographical information on executives and a company hierarchy found through material often posted on corporate webpages. “This information can be used by the scammer to select a potential victim,” said Thaware.

The researchers found that scammers have a robust set of tools at their disposal to gather relevant data. These include the use of Twitter search, where they can find data on followers, who could be more likely to send an email to the target victim, and Hunter.io, a tool that can match names with valid email addresses.

The researchers also identified Maltego, a data mining application that queries public online sources and can graphically depict relationships between people and companies, as an especially helpful tool.

Machine learning builds stronger attack models

Hackers are also becoming more adept not only at gathering the data, but at using available machine learning technology to build robust fraud-enabling models. “Criminals are using machine learning to increase the success rate,” said Singh.

To test the ability of criminals to build more robust BEC systems, Symantec used RapidMiner, a data science software platform, on a support vector machine. According to Singh, machine learning helped ingest key data points, such as Twitter users who sent a higher number of tweets, to predict the likelihood of a successful response to a carefully designed fake email.

Singh also said that data from successful and unsuccessful attacks is being fed into machine learning models in order to refine the formula for better results. “This is not the perfect model,” said Singh. “It is still in the experimental phase.”

The Symantec researchers offered advice for how businesses can protect themselves from future BEC-related loss. For one, companies should do a thorough review of social media “hygiene,” an evaluation of exactly how much personally identifiable information is available in the public domain among key executives. Companies also should perform penetration testing inside the organization by sending fake emails internally, while educating unsuspecting users on the dangers of accepting their validity.

When it comes to BEC, the best advice is simple, said Singh: “Be very, very suspicious while replying to any kind of email.”

Photo: HypnoArt/Pixabay