The rise of Business Email Compromise (BEC) scams is a trend that should concern every organisation. These attacks are incredibly effective, increasingly easy for hackers to employ, and have the potential to deliver much higher returns than traditional email phishing activities.
The worst part of all this is that BEC attacks are only reported a fraction of the time, allowing them to thrive in anonymity. Indeed, I don’t believe many businesses realise the full extent of the problem. It’s the reason we need to get better at raising awareness.
Shining a light on BECs
For those unfamiliar, BEC attacks involve cybercriminals imitating known contacts (usually C-level execs) in order to trick others into wiring payments for goods and services into substitute bank accounts. An example BEC scenario could involve a hacker spoofing the email communications of a Chief Financial Officer (CFO) to the accounts team, requesting payment of an invoice to an alternate account owned by the hacker. In some cases, the CFO’s account may have been directly compromised, or emails are sent from a domain set up to closely resemble that of the company being imitated.
BEC attacks are not just an internal problem, they can spread along the supply chain too. In another scenario, the CFO imposter could email a company client to request payment of an outstanding or fake invoice. In all cases, the perpetrator is trading on the fact that this kind of email is not scrutinised, and that the person being imitated is authorised to sign off high value transactions.
Italian football club, Lazio, was a high-profile victim of a BEC attack and a great example of how criminals can intercept legitimate payments – when a £2m player transfer fee was wired to a cybercriminal instead of the player’s former club.
Considering the hectic modern workplace, it’s easy to understand why BEC attacks work so well. It’s the reason hackers put a lot of effort into creating increasingly elaborate and effective scams. Cybercriminals now conduct meticulous research into their targets, monitoring supply chains, following company news, tracking social media channels, and even learning employee routines.
BECs under the microscope
The Redscan team recently investigated a particularly sophisticated BEC attack; one affecting an insurance company specialising in high value business mergers and acquisitions. In this case, attackers sought to defraud a client of the company out of £300,000, which was owed in relation to two outstanding invoices.
Having been commissioned to conduct a full investigation into the source and scope of the incident, we were able to establish that six weeks prior to the invoices being sent, a senior member of staff had had their corporate Office 365 account compromised. The person had received a phishing email purporting to be an official security alert from Microsoft, which requested that they log in to their account to review suspicious activity. The member of staff was convinced by the level of detail in the fake security alert and handed over their login details.
Further Redscan analysis discovered that hundreds of attempts to log in to the employee’s Office account were initiated from a range of malicious IP addresses, with several successful logins being made. With full access to the user’s Office account, the attacker created mailbox rules to scan all incoming emails for keywords (such as invoice, payment or receipt). They then moved any interesting items to a hidden folder within Outlook, after which they were promptly deleted. The attacker also set up an email rule to auto-forward all incoming and outgoing emails to a third-party Gmail address.
In just one week, the email forward had delivered more than 280 emails to the Gmail account. These emails included information sent to a client about payment of two high value invoices, which presented a perfect opening for a BEC scam. The attacker proceeded to send a chain of spoof emails to carefully chosen client contacts requesting payment of the invoices to a substitute bank account. The source of the spoofed emails was a domain set up to closely resemble that of the insurance company. The attacker even offered to call the client to provide verbal authorisation of the transaction – all making for an extremely convincing interaction.
In this example, the BEC attack was remarkably close to achieving its objectives. Indeed, it would have done so had it not been for a diligent employee insisting on seeking outbound telephone approval prior to processing payments.
This is a good example of how simple security policies can make a big difference, as well as the importance of employee security training so that these processes are followed each and every time. Authorisation checks might seem like an obvious mitigating control, but few companies enforce them consistently. Indeed, one of the most famous breaches in recent years, the $1bn Bangladesh Bank cyber heist, was due in part to insufficient protocols for checking payment transfers.
In addition to prevention, organisations must also consider mitigation. It’s imperative that businesses implement a range of controls and processes to detect and respond to BEC scams as quickly as possible should they happen. Enforcing multi-factor authentication across all user accounts is advised. So too is the activation of full mailbox audit logging in Office 365 to increase visibility of anomalous activity – this includes failed sign-in attempts and policy violations.
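The mailbox rules the attacker created in the case above (keyword-triggered move-and-delete, plus auto-forwarding to an external address) are exactly the kind of activity that mailbox audit logging records. The following is an added example, not Redscan’s tooling or code from this article, that scans inbox-rule audit records for those two patterns. The parameter names mirror those written by New-InboxRule/Set-InboxRule events in the Office 365 audit log; the organisation’s domain, the sample addresses and IPs, and the records themselves are constructed for illustration.

```python
from typing import Dict, List

# Assumed organisation domain; anything else counts as external (example value).
INTERNAL_DOMAINS = {"example-insurer.test"}
FINANCE_KEYWORDS = {"invoice", "payment", "receipt", "remittance"}
# Parameter names as written in New-InboxRule / Set-InboxRule audit records.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}

def _params(record: Dict) -> Dict[str, str]:
    """Flatten the Name/Value list the audit record carries into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def _is_external(address: str) -> bool:
    """Recipient strings may look like 'Name <smtp:user@host>'; keep only the domain."""
    return address.rsplit("@", 1)[-1].strip("> ").lower() not in INTERNAL_DOMAINS

def assess_rule(record: Dict) -> List[str]:
    """Reasons an inbox-rule audit record matches the abuse pattern (empty if benign)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p, reasons = _params(record), []
    for name in sorted(FORWARD_PARAMS & p.keys()):
        targets = [t for t in p[name].replace(";", ",").split(",") if t.strip()]
        if any(_is_external(t) for t in targets):
            reasons.append(f"{name} to external address")
    words = " ".join(p[n] for n in sorted(FILTER_PARAMS & p.keys())).lower()
    hits = sorted(k for k in FINANCE_KEYWORDS if k in words)
    if hits and HIDE_PARAMS & p.keys():
        reasons.append(f"hides mail matching {hits}")
    return reasons

def scan(records: List[Dict]) -> List[Dict]:
    """Run assess_rule over a batch of records and keep only the suspicious ones."""
    return [{"user": r["UserId"], "ip": r.get("ClientIP"), "rule": _params(r).get("Name"),
             "reasons": reasons} for r in records if (reasons := assess_rule(r))]

# Constructed records in the shape of a Unified Audit Log export (not real data).
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example-insurer.test", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "Rule1"}, {"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example-insurer.test", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "Rule2"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;receipt"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "analyst@example-insurer.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]
```

Running `scan(SAMPLE_LOG)` flags the two rules created from the same client IP on the finance account and leaves the analyst’s newsletter rule alone; in practice the records would come from a Search-UnifiedAuditLog export or a SIEM feed rather than a literal.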
To further reduce risk, SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) tools can be incredibly effective at improving threat visibility across both on-premises and cloud environments, as well as supporting a swift response to incidents.
BEC attacks may never get the same attention as other cybersecurity threats such as cryptojacking and ransomware – but that doesn’t mean they should be allowed to thrive in the dark. With criminals continuing to identify new targets and devise more sophisticated scams, it’s imperative that the industry works to shine a light on BEC attacks and their dangers in 2019.
Mark Nicholls, Director of Cyber Security, Redscan