BEC Using Locally Generated IPs to Evade Detection: Microsoft

Microsoft reports that they are seeing an increase in business e-mail compromise (BEC) attacks using locally generated IP addresses to avoid attack detection.

A new tactic observed in these attacks involves attackers purchasing residential IP addresses from providers that are local to their targets, allowing them to mask the origin of their login attempts.

“Armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks,” Microsoft explains.

“Impossible travel” is a security detection flag raised when the same account is used from two locations within less time than it would take to physically travel from one location to the other.

“Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks,” Microsoft notes.

Roy Akerman, Co-Founder & CEO of Rezonate, had this to say:

   “Masquerading behind different IPs/proxies is a common technique already in use for more than a decade, whether it is used to leverage compromised accounts for financial gain or whether used in a BEC attack to obtain credentials. Geo-location is a valuable input, yet it should be a single indicator out of many to evaluate the authenticity of an access attempt. Additional behavioral information on the browser details, actions taken, pattern of usage, and others should be taken into account to limit the usage and stealing of identities.”
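As an added illustration (not code from the article, Microsoft or Rezonate), the check below scores sign-ins the way the two passages above describe: an impossible-travel test on geo-velocity, which a locally sourced residential IP slips past, combined with the browser and usage-pattern signals Akerman recommends, which still catch it. The sample records, the 1000 km/h ceiling, and the indicator weights are constructed assumptions, and each sign-in is judged against the last sign-in that did not alert rather than simply the previous one.

```python
import math
from datetime import datetime

# Constructed sign-in records for one account (not real log data); coordinates are approximate
# city centres. Record 1: real user. Record 2: foreign login. Record 3: login through a
# residential IP local to the user. Record 4: real user later from another home address.
EVENTS = [
    {"time": "2023-05-01T09:00:00", "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01, "ua": "Chrome/112 Windows"},
    {"time": "2023-05-01T09:40:00", "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13, "ua": "Chrome/112 Windows"},
    {"time": "2023-05-01T10:20:00", "ip": "192.0.2.44", "lat": 40.73, "lon": -73.99, "ua": "Firefox/113 Linux"},
    {"time": "2023-05-01T18:00:00", "ip": "203.0.113.77", "lat": 40.69, "lon": -74.02, "ua": "Chrome/112 Windows"},
]
MAX_SPEED_KMH = 1000.0  # implied speed above airliner pace means two people, not one traveller
WEIGHTS = {"impossible_travel": 3, "new_user_agent": 2, "new_ip": 1}  # assumed scoring, not Microsoft's
ALERT_THRESHOLD = 3  # one strong indicator, or two weaker ones together, raises an alert

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres between two latitude/longitude points
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(prev, cur):
    """True when the distance between two sign-ins cannot be covered in the elapsed time."""
    hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    return dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH)

def indicators(baseline, seen_ips, cur):
    # Geo-velocity plus behavioural signals: browser details and the account's usual networks
    found = []
    if impossible_travel(baseline, cur):
        found.append("impossible_travel")
    if cur["ua"] != baseline["ua"]:
        found.append("new_user_agent")
    if cur["ip"] not in seen_ips:
        found.append("new_ip")
    return found

def evaluate(events):
    """Return {index: (score, indicators)} for every sign-in that reaches ALERT_THRESHOLD.
    Sign-ins that alert never become the baseline, so an attacker's login is not the reference."""
    baseline, seen_ips, alerts = events[0], {events[0]["ip"]}, {}
    for i, cur in enumerate(events[1:], start=1):
        found = indicators(baseline, seen_ips, cur)
        score = sum(WEIGHTS[f] for f in found)
        if score >= ALERT_THRESHOLD:
            alerts[i] = (score, found)
        else:
            baseline, seen_ips = cur, seen_ips | {cur["ip"]}
    return alerts
```

Running `evaluate(EVENTS)` alerts on record 2 through impossible travel alone and on record 3 only through the combined browser and network signals, while record 4 (the real user on a new home IP) stays below the threshold.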

This is another example of threat actors trying to stay two steps ahead of defenders. Thus it would benefit defenders to become equally agile so that, at worst, they stay even with the bad guys.
