Business Email Compromise or BEC is not a new cybersecurity attack vector, but it is gaining more attention as it is becoming more common. The basic idea is that a scammer or con-artist uses deception to pretend to be a high-level official of an organization in order to compromise that organization or to otherwise profit. It is a particularly insidious social engineering attack.
Most BEC attacks revolve around theft: The perpetrator pretends to be someone authorized to send or receive funds from the company. The US FBI’s Internet Crime Complaint Center (IC3) has an excellent press release with attack types, examples, and response suggestions. It is worth reading. Trend Micro has categorized attack methods and has a good story on its website’s cybersecurity section
The attacker usually begins with a targeted phishing attack on the company followed by a spearphishing attack on the CEO, CFO, or someone else authorized to send money to the attacker.
It seems unlikely that phishing will ever be curtailed. I think it is a tool attackers will at least use for some time because there are always gullible or uninformed users who will click on links that conceal attack vectors. Wouldn’t it be useful if there were some way to protect individuals and organizations when those links are clicked?
Because BEC and many other attacks often begin with an email or website containing deceptive links, the Global Cyber Alliance, has developed Quad9, a tool to help address that. The Alliance was founded by The City of London Police, the District Attorney’s office of New York County, and the Center for Internet Security. You can find more about them at https://www.globalcyberalliance.org/about.html An important collaborator on Quad9 is IBM.
According to the Alliance, “Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system’s performance, plus, it preserves and protects your privacy. It’s like an immunization for your computer.” The idea is that the DNS server at 126.96.36.199 is configured to reject (using the NXDOMAIN message) name resolution requests for domains that are known or suspected to be malicious. Quad9 uses databases from “18+” organizations to determine what sites to block.
It is easy to configure Quad9: a network administrator just needs to replace the default IPv4 DNS address with 188.8.131.52. The backup you can use for a secondary server is 184.108.40.206.For IPv6 you can use 2620:fe::fe. As of this writing, they claim to block around two million requests per day. There is no guarantee that all of those were genuine attacks, but I believe it is making a significant dent in visits to potentially malicious sites already. If you are interested in the speed of resolution with Quad9, hackernoon.com reported the results of some testing in December 2017.
I checked an internet database of “suspected” malicious domains and picked a couple. I tried each using google’s public DNS of 220.127.116.11 and Quad9’s 18.104.22.168. In both cases, the google server resolved the names (to the addresses reported in the database I checked) and Quad9 showed “nonexistent domain”.
I am configuring the DNS server for my office to Quad9, and I suggest you consider doing so also.
Cyber Security Training
AUTHOR: John McDermott