Last December, an employee working out of the office for a Canadian firm received an email supposedly from the IT department asking them to reset their login credentials. That was the beginning of a complex scam that several months later cost the company $400,000 in part due to disarray caused by the COVID-19 pandemic.
It fell into the category of fraud that police and security experts call a “business email compromise,” or BEC.
BEC fraud is big business because it turns directly into cash for cybercriminals. Credit card theft may be more common by the numbers, and the spread of ransomware and associated data theft is accelerating, but business email compromise remains good business for hackers.
“BEC fraud threat is high today because there’s a lot of use of the cloud and people working from home,” says Tom Arnold, vice-president of Payment Software Co., a division of NCC Group, which investigated the Canadian scam.
COVID is making things worse, Arnold believes. “Because of all the remote access there’s a lot less in the way of controls. It’s quite a problem.”
The Canadian Anti-Fraud Centre says businesses are reporting a wide range of targeted email frauds. Many involve urgent requests for wire transfers, while some also involve requests to purchase prepaid card products. These scams are categorized as spear-phishing attacks and typically involve an employee being convinced to change a standard business process, such as the bank account to which payments are normally sent.
In 2019, the centre received 1,041 spear-phishing reports of which 588 were classified as victims reporting a total of $38.7 million — which was the biggest chunk of the $137 million in losses reported that year.
In the first six months of this year, the centre received 951 spear-phishing reports, including 422 victims totalling $14.8 million in losses.
How to reduce the odds of business mail fraud
Arnold, who also heads his firm’s forensic investigations unit, says what happened to the unnamed Canadian firm was typical. “The bad guys had set up a domain very similar to the corporate domain — they had certificates issued so everything looked right. They began sending out email messages [to the target] saying, ‘We’re having problems, we have to make some adjustments to our cloud email infrastructure, and as a part of this we need you to reset your access credentials’ by clicking on the included link.”
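The lookalike domain Arnold describes is cheap to set up and, with a valid certificate, passes a casual glance. The following is an added example, not code from the article or from NCC Group, showing how a mail gateway or SOC script can classify sender domains against a corporate domain: it folds digit and Cyrillic homoglyphs and letter pairs such as "rn" into what a reader would see, measures edit distance, and also catches the corporate name used as a subdomain of an attacker-controlled domain. The corporate domain `examplecorp.com`, the sample senders and the substitution table are assumptions for illustration; the registrable-domain split is deliberately crude (last two labels) and should use a public-suffix list in production.

```python
import re
import unicodedata

# Assumed corporate domain for the example; not the firm in the article.
CORPORATE_DOMAINS = ("examplecorp.com",)

# Substitutions that read alike in a mail client: digits for letters, a few
# Cyrillic letters for their Latin twins (listed as escapes so they are
# visible), and two-letter pairs that render like a single letter.
_SINGLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})
_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label: str) -> str:
    """Collapse a DNS label to the string a human would read it as."""
    s = unicodedata.normalize("NFKC", label).lower().translate(_SINGLE)
    s = "".join(c for c in unicodedata.normalize("NFD", s)
                if unicodedata.category(c) != "Mn")       # strip accents
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", s)                   # drop hyphens etc.


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small inputs, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, corporate=CORPORATE_DOMAINS):
    """Return ('corporate'|'lookalike'|'subdomain-abuse'|'external', reason)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    try:  # punycode labels (xn--...) are compared in their Unicode form
        domain = domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass
    labels = domain.split(".")
    # Crude registrable-domain split: last two labels. A public-suffix list
    # is needed for ccTLDs such as .co.uk; kept simple for the example.
    reg_name = labels[-2] if len(labels) >= 2 else labels[0]
    reg_tld = labels[-1] if len(labels) >= 2 else ""
    for corp in corporate:
        corp = corp.lower()
        if domain == corp or domain.endswith("." + corp):
            return "corporate", corp
        corp_name, corp_tld = corp.rsplit(".", 1)
        norm_corp, norm_reg = normalize(corp_name), normalize(reg_name)
        # examplecorp.com.mail-reset.net: real name parked under another domain
        if norm_corp in (normalize(l) for l in labels[:-2]):
            return "subdomain-abuse", f"{corp_name} is a subdomain of {reg_name}.{reg_tld}"
        dist = levenshtein(norm_reg, norm_corp)
        if dist == 0:
            why = "different TLD" if reg_tld != corp_tld else "confusable characters"
            return "lookalike", f"{domain} reads as {corp} ({why})"
        if norm_corp in norm_reg:
            return "lookalike", f"{domain} embeds the name {corp_name}"
        if dist <= max(1, len(norm_corp) // 5):      # tolerance scales with length
            return "lookalike", f"{domain} is {dist} edit(s) from {corp}"
    return "external", ""


# Constructed sender addresses for the demonstration.
SAMPLE_SENDERS = [
    "it-helpdesk@examplecorp.com",
    "support@examp1ecorp.com",
    "noreply@exarnplecorp.com",
    "admin@examplecorp.co",
    "alerts@examplecorp-it.com",
    "billing@examplecorp.com.mail-reset.net",
    "reset@\u0435xamplecorp.com",
    "partner@northern-franchise.ca",
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        verdict, why = classify_sender(addr)
        print(f"{verdict:16} {addr:42} {why}")
```

Anything other than `corporate` or `external` is a candidate for a banner on the message or a block at the gateway; the `subdomain-abuse` case is the one most often missed by simple "does the domain end in our name" checks.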
When one employee fell for it, the attackers gained access to that person’s email account and, in effect, became a man-in-the-middle for all of its incoming and outgoing mail.
From that account, he says, the attackers forwarded copies of mail to themselves, which they used to identify and compromise a dozen other employee accounts. This let them figure out how the business worked, and it is how they discovered that the company received quarterly payments from franchisees.
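Forwarding copies of a victim’s mail to an attacker-controlled address is the step that turns one phished password into visibility across the business, and it leaves a durable artifact: an inbox rule or a mailbox-level forwarding setting. The following is an added example, not the article’s or the investigators’ code, that audits records shaped like Exchange Online `Get-InboxRule` and `Get-Mailbox` output (serialised to JSON) for external forwarding, and for the related trick of deleting or hiding messages that match payment keywords so the victim never sees the franchisee’s questions. The records, the corporate domain `examplecorp.com` and the keyword lists are constructed assumptions; real `Get-InboxRule` output wraps recipients in display-name strings, which this simplified format omits.

```python
import json

INTERNAL_DOMAINS = {"examplecorp.com"}                     # assumed corporate domain
SUSPECT_WORDS = ("invoice", "payment", "wire", "bank",      # terms BEC actors filter on
                 "remittance", "deposit")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "archive", "conversation history", "junk email"}

# Constructed records modelled on Get-InboxRule / Get-Mailbox fields; not real data.
SAMPLE_RULES = json.loads("""[
 {"Mailbox": "a.lee@examplecorp.com", "Name": "Franchise payments", "Enabled": true,
  "ForwardTo": ["finance-archive@examplecorp.com"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
  "SubjectContainsWords": ["invoice"], "DeleteMessage": false, "MoveToFolder": null},
 {"Mailbox": "a.lee@examplecorp.com", "Name": ".", "Enabled": true,
  "ForwardTo": ["ap.examplecorp@gmail.com"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
  "SubjectContainsWords": ["invoice", "payment", "wire"], "DeleteMessage": true, "MoveToFolder": null},
 {"Mailbox": "j.park@examplecorp.com", "Name": "Clean up", "Enabled": true,
  "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
  "SubjectContainsWords": ["bank account"], "DeleteMessage": false, "MoveToFolder": "RSS Subscriptions"},
 {"Mailbox": "m.ng@examplecorp.com", "Name": "Copies to self", "Enabled": true,
  "ForwardTo": ["m.ng@examplecorp.com"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
  "SubjectContainsWords": [], "DeleteMessage": false, "MoveToFolder": null}
]""")
SAMPLE_MAILBOXES = json.loads("""[
 {"Mailbox": "s.roy@examplecorp.com", "ForwardingSmtpAddress": "smtp:sroy.backup@outlook.com",
  "DeliverToMailboxAndForward": true},
 {"Mailbox": "a.lee@examplecorp.com", "ForwardingSmtpAddress": null,
  "DeliverToMailboxAndForward": false}
]""")


def _domain(addr: str) -> str:
    """Domain part of an address; tolerates the 'smtp:' prefix Exchange uses."""
    return addr.split(":", 1)[-1].rsplit("@", 1)[-1].strip("]> ").lower()


def is_external(addr: str) -> bool:
    return _domain(addr) not in INTERNAL_DOMAINS


def audit(rules=SAMPLE_RULES, mailboxes=SAMPLE_MAILBOXES):
    """Return a list of {mailbox, severity, reason} findings."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        targets = (r.get("ForwardTo") or []) + (r.get("RedirectTo") or []) \
            + (r.get("ForwardAsAttachmentTo") or [])
        external = [t for t in targets if is_external(t)]
        words = [w.lower() for w in r.get("SubjectContainsWords") or []]
        money_words = any(k in w for w in words for k in SUSPECT_WORDS)
        hides = bool(r.get("DeleteMessage")) or \
            (r.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
        odd_name = not any(ch.isalnum() for ch in r.get("Name", ""))  # e.g. "." or ".."
        if external:
            reason = f"rule {r['Name']!r} forwards mail to external {external}"
            if hides:
                reason += " and hides the originals"
            findings.append({"mailbox": r["Mailbox"], "severity": "high", "reason": reason})
        elif hides and money_words:
            findings.append({"mailbox": r["Mailbox"], "severity": "medium",
                             "reason": f"rule {r['Name']!r} hides mail matching {words}"})
        elif odd_name:
            findings.append({"mailbox": r["Mailbox"], "severity": "low",
                             "reason": f"rule with non-descriptive name {r['Name']!r}"})
    for m in mailboxes:
        fwd = m.get("ForwardingSmtpAddress")
        if fwd and is_external(fwd):
            findings.append({"mailbox": m["Mailbox"], "severity": "high",
                             "reason": f"mailbox-level forwarding to external {fwd}"})
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f['severity']:6} {f['mailbox']:26} {f['reason']}")
```

The same checks apply to the audit trail (`New-InboxRule`, `Set-InboxRule`, `Set-Mailbox` events in the unified audit log), where the creation time and the client IP of the rule are what tie it back to the phishing login.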
In the spring, the hackers began sending notices saying, “We just sent you this invoice, but forgot to tell you that the bank account and routing numbers have changed because of COVID. We had to open a separate account for your deposits. Please send your deposits there.”
As soon as funds were deposited, the attackers transferred the money to an untraceable account. With money suddenly no longer flowing to the real bank, the firm’s accounts payable department began emailing franchisees asking for an explanation. Because the hackers still controlled the mailboxes, they were able to reply, “The cheque’s in the mail. Sorry, it’s COVID, we’re a little late in paying.”
By the time the company realized it had been duped, it was out about $400,000.
The Canadian Anti-Fraud Centre’s breakdown of spear-phishing scams includes an “urgent” request from an executive to transfer a large amount of money to a foreign account for a business purpose; a similar scam aimed particularly at financial dealers, brokers or banks, in which a supposed client asks for an unusual wire transfer; a message that appears to come from an employee asking that their salary direct deposit go to a new bank account; a scammer pretending to be an executive and asking an employee to buy gift cards whose numbers will be given to the scammer; and supplier swindles like the Canadian case described here.
Recently, several cybersecurity vendors have issued reports on the latest trends in BEC scams.
Barracuda Networks says that since January it has identified 6,170 malicious accounts on Gmail, AOL and other email services that were responsible for more than 100,000 BEC attacks on nearly 6,600 organizations around the world. Since April 1, such malicious accounts have been behind 45 per cent of the BEC attacks it detected.
“Cybercriminals’ preferred choice of email service for malicious accounts is Gmail, which makes sense because it’s accessible, free, easy to register, and has a high enough reputation to pass through email security filters,” the report says.
In many of the cases examined, cybercriminals used the same email addresses to attack different organizations. The number of organizations attacked by each malicious account ranged from one to a single mass-scale attack that hit 256 organizations, four per cent of all the organizations included in the research.
While experts say multi-factor authentication is necessary to reduce the odds of email account hacks, a report this month from Abnormal Security warns that it is seeing an increase in BEC attacks that compromise email accounts even at organizations that use multi-factor authentication (MFA) and Office 365 Conditional Access.
Legacy authentication over email protocols such as IMAP, SMTP, MAPI and POP presents only a username and password and has no way to carry an MFA challenge, the report notes, so an attacker who already holds a valid password can simply use one of these protocols and bypass MFA entirely.
Many common applications, such as older mobile email clients (for example, iOS Mail for iOS 10 and older), do not support modern authentication, the report says. As a result, MFA cannot be enforced when a user signs into their account from one of these applications.
Office 365 offers Conditional Access policies, which can block access from the legacy applications that password-spraying campaigns often target. However, the report notes, Conditional Access is not included with all licenses, and because legacy applications are still in widespread use in most enterprises, blocking all users from legitimate access through them would be highly disruptive to the workforce. Legacy access is also enabled by default in Office 365.
“A common pattern we have observed in account takeovers is that after being blocked by MFA an attacker will immediately switch to using a legacy application,” says the report. “In fact, most credential stuffing campaigns utilize legacy applications such as IMAP4 to ensure they do not encounter difficulties from MFA at any point. Additionally, even with a Conditional Access policy enabled, Abnormal has observed successful account takeovers where the attacker bypasses the policy by obscuring the name of the app they were using.”
In one case, the attacker initially attempted to sign in using a legacy application but was blocked by Conditional Access. The attacker then waited several days before trying again, this time with the app information obscured, and successfully gained access to the account.
“This example demonstrates that while most account takeover attempts utilize brute force attacks and password spraying techniques, some attackers are methodical and deliberate.”
What should organizations do to foil BEC attacks?
Barracuda Networks urges infosec pros to deploy tools that can spot unusual senders, requests and other communications, to take advantage of threat intelligence, and to put staff through security awareness training.
Arnold also says training employees to recognize phishing messages is vital. Staff also need to understand that management should be notified if someone requests changes to an established payment process.
“Don’t just believe things that show up in your email, your text messaging or phone calls. Pause, stop and say ‘I’ll get back to you’ and call the help desk.”