A Business Email Compromise (BEC) attack begins with a cybercriminal hacking or spoofing email accounts to impersonate your company’s supervisors, CEO, or vendors. Once in, they request a seemingly legitimate business payment. Because the email looks authentic and appears to come from a known authority figure, the unsuspecting employee complies. The US Federal Bureau of Investigation (FBI) warns that these fraudsters are increasingly exploiting the auto-forwarding feature in compromised email accounts to help conduct BEC scams. Once again: any out-of-the-ordinary or non-routine request to issue or authorize a payment should be confirmed by voice with a supervisor, director, CFO, and the requesting party. Regular payments are normally authorized and paid in batches on a regular schedule, such as once a week, for business control purposes, and there are multiple authorization levels to ensure compliance with company policy and GAAP guidelines.
The FBI notes in an alert made public the first week of December 2020 that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees into sending them money under the guise of legitimate payments to third parties.
This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes. "If businesses do not configure their network to routinely sync their employees' web-based emails to their internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email applications," the FBI says. "This leaves the employee and all connected networks vulnerable to cybercriminals."
Because system audits will not detect email discrepancies or updates, BEC scammers can retain email access to the compromised accounts and then continue with their malicious activities, the alert notes. The FBI reported earlier this year that the bureau had received nearly 24,000 BEC-related complaints in 2019, with the scams generating a total loss of $1.7 billion and an average loss per incident of about $72,000.
The FBI alert highlights two types of BEC scams that take advantage of email-forwarding rules. The first was detected in August 2020, when fraudsters used the email forwarding feature in the compromised accounts of a U.S.-based medical company. The attackers then posed as an international vendor and tricked the victim into making a fraudulent payment of $175,000, according to the alert. Because the targeted organization did not sync its webmail with its desktop application, it was not able to detect the malicious activity, the FBI notes.
In a second case in August 2020, the FBI found fraudsters created three forwarding rules within a compromised email account. "The first rule auto-forwarded any email with the search terms 'bank,' 'payment,' 'invoice,' 'wire,' or 'check' to cybercriminals' email accounts," the alert notes. "The other two rules were based on the sender's domain and again forwarded to the same email addresses."
Chris Morales, head of security analytics at security firm Vectra AI, says that in addition to reaping fraudulent payments, fraudsters can use email-forwarding to plant malware or malicious links in documents to circumvent prevention controls or to steal data and hold it for ransom.
In a keynote presentation at Group-IB's CyberCrimeCon 2020 virtual conference in November, Craig Jones, director of cybercrime at Interpol, noted that BEC scammers are among the threat actors that are retooling their attacks to take advantage of the COVID-19 pandemic. Interpol revealed that it recently worked with others to uncover a massive Nigerian business email compromise gang that was active across more than 150 countries. Several members of the criminal organization were arrested.
"With the COVID-19 pandemic continuing to remain in the forefront of public consciousness, organized criminal groups are taking advantage of new working arrangements and global brands to steal large sums of money," says Mark Chaplin, principal at the London-based Information Security Forum. "Uncertainty will continue to provide criminals with further opportunities. BEC sits firmly on every organization's threat radar and will remain there for the foreseeable future."
Keylogged accounts can also lead to BEC attacks. These keylogged accounts are available on the dark web for sale or for free. Your cyber threat intelligence vendor should be reporting these keylogged account details to you on a daily basis. This service is a standard feature of Red Sky Alliance’s RedXray service.
The FBI recommends several steps that businesses can take to mitigate BEC threats:
- Ensure the organization is running the same version of desktop and web applications to allow appropriate syncing and updates.
- Track changes established in email account addresses.
- Prohibit automatic forwarding of email to external addresses.
- Monitor the email Exchange servers for changes in configuration and custom rules for specific accounts.
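The forwarding rules described in the August 2020 case (a keyword rule plus two sender-domain rules, all pointing at attacker-controlled addresses) and the FBI's recommendation to monitor Exchange for custom rules are easy to check for mechanically. The script below is an added example, not code from Red Sky Alliance or the FBI: it audits an exported list of mailbox inbox rules and flags any rule that forwards to a domain outside the organization, noting whether it triggers on the finance keywords the alert quotes, on a specific sender, or deletes the message afterwards. It assumes the rules have been exported as JSON shaped like Exchange Online's `Get-InboxRule | ConvertTo-Json` output (the property names used are the cmdlet's real ones); the mailbox, rule and address values in the sample are constructed.

```python
"""Audit exported mailbox inbox rules for BEC-style auto-forwarding.

Assumption: input is a JSON list of rule objects with the property names that
Exchange Online's Get-InboxRule emits (ForwardTo, RedirectTo, From, ...).
The sample export at the bottom is constructed for this example.
"""
import json
import re

# Keywords quoted in the FBI alert's August 2020 case.
BEC_KEYWORDS = {"bank", "payment", "invoice", "wire", "check"}

# Matches a bare address or Exchange's "Display Name [SMTP:user@domain]" form.
ADDR_RE = re.compile(r"([\w.+-]+)@([\w-]+(?:\.[\w-]+)+)")

FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
SENDER_FIELDS = ("From", "FromAddressContainsWords")


def _as_list(value):
    """Get-InboxRule emits a string for one entry and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def forward_targets(rule):
    """Return every (address, domain) pair the rule sends mail on to."""
    targets = []
    for field in FORWARD_FIELDS:
        for entry in _as_list(rule.get(field)):
            m = ADDR_RE.search(entry)
            if m:
                targets.append((m.group(0).lower(), m.group(2).lower()))
    return targets


def audit_rule(rule, internal_domains):
    """Classify one inbox rule; returns a finding dict, or None if benign."""
    internal = {d.lower() for d in internal_domains}
    external = [addr for addr, dom in forward_targets(rule) if dom not in internal]
    if not external:
        return None  # no forwarding, or internal-only: not an exfiltration path
    reasons = [f"forwards to external address(es): {', '.join(external)}"]
    words = set()
    for field in KEYWORD_FIELDS:
        words |= {w.lower() for w in _as_list(rule.get(field))}
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        reasons.append(f"triggers on finance keywords: {', '.join(hits)}")
    senders = [s for field in SENDER_FIELDS for s in _as_list(rule.get(field))]
    if senders:
        reasons.append(f"triggers on sender(s): {', '.join(senders)}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes the message after forwarding (hides the rule's effect)")
    return {
        "mailbox": rule.get("MailboxOwnerId", "?"),
        "rule": rule.get("Name", "?"),
        "external_targets": external,
        "reasons": reasons,
    }


def audit_rules(rules, internal_domains):
    """Run audit_rule over an export and keep only the rules that were flagged."""
    return [f for f in (audit_rule(r, internal_domains) for r in rules) if f]


# Constructed sample export (not real data) mirroring the FBI's August 2020 case:
# one keyword rule and two sender-domain rules, plus a benign internal rule.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "ap.clerk@example-medical.test", "Name": "finance",
     "SubjectOrBodyContainsWords": ["bank", "payment", "invoice", "wire", "check"],
     "ForwardTo": "Fraud Drop [SMTP:drop1@attacker.example]", "DeleteMessage": False},
    {"MailboxOwnerId": "ap.clerk@example-medical.test", "Name": "vendor a",
     "FromAddressContainsWords": "@vendor-a.test",
     "ForwardAsAttachmentTo": ["drop1@attacker.example", "drop2@attacker.example"]},
    {"MailboxOwnerId": "ap.clerk@example-medical.test", "Name": "vendor b",
     "From": "billing@vendor-b.test [SMTP:billing@vendor-b.test]",
     "RedirectTo": "drop1@attacker.example", "DeleteMessage": True},
    {"MailboxOwnerId": "ap.clerk@example-medical.test", "Name": "to manager",
     "SubjectContainsWords": "invoice",
     "ForwardTo": "AP Manager [SMTP:ap.manager@example-medical.test]"},
])

INTERNAL_DOMAINS = ["example-medical.test"]


def run_demo():
    """Audit the sample export and print one line per flagged rule."""
    findings = audit_rules(json.loads(SAMPLE_EXPORT), INTERNAL_DOMAINS)
    for f in findings:
        print(f"[{f['mailbox']}] rule '{f['rule']}': " + "; ".join(f["reasons"]))
    return findings


if __name__ == "__main__":
    run_demo()
```

Run against the sample, the three attacker rules are flagged and the internal "to manager" rule is not, which is the distinction that matters: forwarding inside the organization is normal, forwarding finance-keyword or vendor mail to an outside domain is the pattern the alert describes. In production the same function can be fed a periodic export from every mailbox, so that a rule created through webmail is caught on the next run rather than waiting for a desktop client to sync it.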
Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have painfully learned through our clients that installing, updating, and monitoring firewalls and other cybersecurity controls, together with proper employee training, are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware in all its variants is bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941