
Defending lead generation tools from cyber-crime

Mike Britton at Abnormal Security explains how attackers are using B2B lead generation tools to do their homework – and how to stop them

 

Business email compromise (BEC) is one of the costliest threats facing organisations today, generating losses of over $2.9 billion in 2023 alone. And these attacks are continuing to grow: our recent research found that BEC grew 50% over the last year, with no signs of slowing.

 

One of the reasons these attacks are so successful is that they incorporate social engineering, using seemingly authentic messages and impersonations to manipulate targets into taking an action, like wiring funds, paying a fake invoice, or sharing sensitive data. While the lures may vary, a common tactic across many BEC campaigns is the use of legitimate corporate data to make these attacks as convincing as possible. 

 

Here, we discuss the growing ‘shadow economy’ of criminal groups that exploit lead generation data to fuel targeted BEC attacks – and what organisations can do to mitigate these threats.

 

The growing shadow economy for corporate data  

The success of a social engineering attack hinges on its ability to convince the victim they are interacting with a real, trusted contact. Much of this comes down to crafting a believable and compelling narrative that demands immediate action, whether it’s impersonating tech support to request an urgent password change, or a supplier requesting payment for an outstanding invoice. 

 

Many cyber-criminals are taking these attacks up a notch, adding credibility to their malicious narratives by thoroughly researching their target and the contact they are impersonating. Zeroing in on these individuals and reinforcing requests with relevant details adds legitimacy to their messages, increasing their chances of deceiving their victim.

 

So how do attackers go about finding these details? Many threat actors simply search the web or social media for publicly available information. But savvier attackers are increasingly turning to legitimate online data broker services to source this information.

 

There is a crowded market for sales intelligence and B2B lead generation tools, like ZoomInfo and Apollo, that provide access to detailed dossiers on companies and their employees. Users can sign up to access information such as organisational charts, key personnel, and contact details. These services are perfectly legitimate, providing sales teams with valuable intelligence on relevant contacts to support their outreach efforts. 

 

Unfortunately, these resources are just as valuable for cyber-criminals doing their homework on potential victims, providing a treasure trove of corporate data that gives them greater efficiency and precision in their attacks. 

 

Rather than signing up for paid subscription plans that could expose their real identities, malicious actors will often buy stolen credentials on cyber-crime forums. This has bred a new sector of the cyber-criminal shadow economy, spurring a cottage industry around criminals looking to buy and sell access to popular lead generation platforms. 

 

Because these accounts can be used to fuel highly profitable BEC attacks, demand is high. Selling stolen credentials for lead generation accounts has proven to be quite lucrative: for example, we have seen ZoomInfo accounts on offer for more than $2,000.

 

How lead generation data powers BEC attacks  

Data broker platforms provide BEC attackers with several advantages. First, they can use filtering options to identify their ideal list of targets. Filtering by factors such as industry and company size, revenue, and geographic location can help them narrow down an ideal hit list of attractive enterprise targets. 

 

Searching for specific roles and job titles, aided by the organisational charts and reporting structure details that these tools provide, can then enable attackers to compile a list of specific individuals to target. The details of these individuals can then be cross-referenced against publicly available data sources such as company websites and LinkedIn.

 

Once this information is compiled, threat groups have a few options for executing their attacks, based on their intent and resources.

 

One route is to launch mass BEC campaigns that target multiple companies at scale. Organisations that fall under similar criteria—European financial institutions or US-based healthcare providers, for example—can be hit with the same generic phishing email. Just like a legitimate email campaign, mail merging can be used to insert personal details such as first names and job titles pulled from the lead generation reports.  

 

However, as anyone who has received mass sales and marketing emails knows, these campaigns lack the personal touch, even with some clever mail merge tactics. As a result, these mass email blasts are unlikely to be very convincing, or successful. Even so, with fairly minimal effort per email and a huge pool of victims to target, attackers can still count on a reasonable number of hits.

 

The threat of personalisation

The bigger threat comes from the use of lead generation data to inform highly personalised emails for specific targets. Knowledge of the company’s key personnel, internal hierarchies and reporting structures enables adversaries to impersonate real executives with more believable pretexts.

 

Spoofing genuine email addresses, combined with a detailed knowledge of who’s who and what’s what, will reduce the chances of the recipient questioning the message. And with additional information taken from public social media accounts, attackers can inject even more personalisation to really sell the deception.

 

This all adds weight to the attacker’s demands, making it more likely that the victim will comply without considering proper verification protocol. A message from a familiar email address that reads, “I need you to process this payment request before EOP since Gary in accounts payable is on PTO down in Florida,” is far less likely to raise alarm bells than a generic, mass-blasted request.

 

Keeping ahead of social engineering threats 

With BEC attacks delivering increasingly heavy losses, enterprises must ensure they can keep pace with adversaries that are becoming more resourceful than ever. 

 

There are some basic measures and best practices that can be taken to restrict the amount of information available to threat actors. Reputable lead generation platforms will generally have processes for removing data upon request—an easy action to take if you find that your employees’ information is being widely circulated. Locking down social media visibility through privacy settings can also limit what attackers may find. 

 

Even with these steps, savvy attackers will still find a way to get the information they need to fuel their malicious campaigns. Companies are better off focusing their efforts on identifying and intercepting incoming attacks.

 

While there are dozens of email security tools on the market, threat actors have learned to bypass traditional signature-based solutions simply by omitting malicious links and attachments.

 

A more reliable approach to catching these advanced deceptive attacks is the use of behavioural analytics. The key lies in establishing a baseline for normal user behaviour (who users typically correspond with, the IP addresses or locations associated with their most common senders, the typical content of their emails) and then detecting anomalies that indicate malicious imposters.
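The baseline-and-anomaly idea described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product: the function names, the sample history, the keyword list and the /24 grouping of IPv4 source addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr
import ipaddress

# Constructed sample history: (recipient, From header, source IP) of past legitimate mail.
HISTORY = [
    ("ap@example.com", "Dana Reyes <dana.reyes@example.com>", "198.51.100.10"),
    ("ap@example.com", "Dana Reyes <dana.reyes@example.com>", "198.51.100.23"),
    ("ap@example.com", "Billing <billing@supplier.example>", "203.0.113.5"),
]
# Hypothetical keyword list standing in for content analysis.
URGENCY = ("urgent", "before eod", "wire", "payment", "invoice", "today")

def net24(ip):
    """Group an IPv4 source address into its /24 as a coarse 'usual location'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def build_baseline(history):
    """Per recipient: addresses seen per display name, networks seen per address."""
    base = defaultdict(lambda: {"names": defaultdict(set), "nets": defaultdict(set)})
    for rcpt, from_hdr, ip in history:
        name, addr = parseaddr(from_hdr)
        base[rcpt]["names"][name.lower()].add(addr.lower())
        base[rcpt]["nets"][addr.lower()].add(net24(ip))
    return base

def score(base, rcpt, from_hdr, reply_to, ip, body):
    """Return the list of anomaly reasons for one incoming message."""
    name, addr = parseaddr(from_hdr)
    name, addr = name.lower(), addr.lower()
    prof, reasons = base[rcpt], []
    known_addrs = prof["names"].get(name, set())
    if known_addrs and addr not in known_addrs:
        reasons.append("known display name from unseen address")
    if addr in prof["nets"] and net24(ip) not in prof["nets"][addr]:
        reasons.append("known sender from unseen network")
    if reply_to:
        rt = parseaddr(reply_to)[1].lower()
        if rt.rsplit("@", 1)[-1] != addr.rsplit("@", 1)[-1]:
            reasons.append("reply-to domain differs from sender domain")
    # Payment language alone is normal business mail; it only adds weight
    # when the sender already deviates from the baseline.
    if reasons and any(w in body.lower() for w in URGENCY):
        reasons.append("payment or urgency language")
    return reasons
```

Note that none of the checks depend on a link or attachment being present, which is why this style of detection still applies to text-only BEC messages.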

 

Even when threat actors have conducted extensive research and carefully constructed their false persona, there will still be subtle clues giving them away. Behavioural analytics supported by machine learning can swiftly and accurately analyse an email’s contents to determine hidden intent—an impossible task for the human eye. 

 

As threat actors draw on more sources to craft compelling and convincing deceptive attacks, the ability to quickly and reliably spot the smallest flaws in the façade will make all the difference in keeping them at bay.    

 


 

Mike Britton is CISO at Abnormal Security 

 

Main image courtesy of iStockPhoto.com and simarik



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543