Business email compromise scams are among the most difficult to pull off, yet most lucrative, targeted cons an attacker can run. According to IBM, a sophisticated new one aimed at accounts payable personnel at some Fortune 500 companies has already resulted in the theft of millions of dollars.
In a blog post this week the company’s X-Force Incident Response and Intelligence Services team said the scam uses stolen email credentials and sophisticated social engineering tactics. IBM customers, many in the retail, healthcare, financial and professional services industries, first reported signs of this latest campaign in the fall of 2017.
Business email compromise (BEC) scams involve taking over or impersonating a trusted user’s email account, then sending a message to a staffer with financial responsibilities asking them to wire money, on a phony pretext, to an attacker-controlled account.
In this case the attackers first steal or buy large numbers of business user email credentials, break into those victims’ accounts and send phishing messages to people on the contact lists. Those messages use publicly available company information to craft a believable lure containing a link purported to lead to a business document. People who clicked the link were redirected to a fraudulent “DocuSign” portal that asked the user to authenticate with his or her email provider’s credentials in order to download the document.
Neither the email nor the fraudulent “DocuSign” portal delivers malware to the user’s machine; what the attackers are after is the password the victim types in. With a new stash of credentials, the attackers looked for victims whose companies use single-factor authentication and a web-based email portal. “The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts,” the report says. Then, probably after searching a victim’s mailbox for subjects and opportunities to exploit, they inserted themselves into existing conversations, purporting to be someone the recipient already knew.
In these messages the attackers impersonate vendors or associated companies with established relationships with the client and target specific people in the organizational chart to increase the believability of the scam, says IBM. The attackers also set up domains similar but not quite identical to those of the target company’s vendors — for example, doubling a letter of the company name in the URL or registering the vendor’s name under a different top-level domain (TLD), such as .net instead of .com. These were then used to set up email accounts purporting to belong to known employees, and emails from those accounts were sent directly to the targets.
The key is that the attackers send the fraudulent message from an account the target already trusts, the compromised victim’s own mailbox, rather than from an outside email account that might be detected as phony. Think of the stream of messages as a loop, coming and going from one place.
To keep the owner of a compromised mailbox unaware of what was going on, says the report, the attackers created email rules to filter the scam-related emails out of the victim’s inbox. In other instances, the attackers used a typo-squatted email address in the “Reply-To” field so the compromised user would not receive responses. If the receiver did not scrutinize the “Reply-To” field, which often requires expanding the email header, the email would appear to come from a legitimate contact, and any reply would go straight to the attacker.
In still other cases the attacker auto-forwards responses to an outside address, so they can be read without logging in to the compromised account.
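Two of the tells described above (a vendor domain with a doubled letter or a swapped TLD, and a “Reply-To” that points somewhere other than the “From” domain) are mechanical enough to check on inbound mail. The following is an added example, not code from IBM or the report, that parses a few constructed messages with Python’s standard `email` library and flags both patterns against a hypothetical allowlist of vendor domains (`acmesupply.com`, `globexparts.com`); every address and domain in it is made up for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist of known-good vendor domains (hypothetical names).
KNOWN_VENDOR_DOMAINS = {"acmesupply.com", "globexparts.com"}


def split_domain(domain):
    """Split 'name.tld' on the last dot. Deliberately naive: no public-suffix
    handling, so 'vendor.co.uk' is treated as name 'vendor.co', tld 'uk'."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def doubled_letter_variants(name):
    """Every spelling of `name` with exactly one letter doubled (acme -> aacme, accme, ...)."""
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def lookalike_of(domain, known=KNOWN_VENDOR_DOMAINS):
    """Return the known vendor domain that `domain` imitates, or None.
    Covers the two registration tricks in the report: the vendor's name under a
    different TLD (.net instead of .com) and one doubled letter in the name."""
    domain = domain.lower()
    if domain in known:
        return None
    name, tld = split_domain(domain)
    for vendor in known:
        vendor_name, vendor_tld = split_domain(vendor)
        if name == vendor_name and tld != vendor_tld:
            return vendor
        if tld == vendor_tld and name in doubled_letter_variants(vendor_name):
            return vendor
    return None


def address_domain(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def analyze_message(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = address_domain(msg.get("From", ""))
    reply_dom = address_domain(msg.get("Reply-To", ""))
    # Replies silently diverted to a domain the apparent sender does not control.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Either header pointing at a near-miss of a trusted vendor domain.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        vendor = lookalike_of(dom) if dom else None
        if vendor:
            findings.append(f"{label} domain {dom} looks like vendor {vendor}")
    return findings


# Constructed sample messages; none of these addresses are real.
SAMPLE_MESSAGES = {
    "reply_to_typo": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Reply-To: Jane Doe <jane.doe@exannple-corp.com>\n"
        "To: pat.lee@example-corp.com\n"
        "Subject: Re: Invoice 4471 - updated bank details\n"
        "\n"
        "Pat, please use the new account on the attached invoice.\n"
    ),
    "tld_swap": (
        "From: Accounts <ap@acmesupply.net>\n"
        "To: pat.lee@example-corp.com\n"
        "Subject: Overdue invoice\n"
        "\n"
        "Please remit by end of day.\n"
    ),
    "doubled_letter": (
        "From: Accounts <ap@acmesuppply.com>\n"
        "To: pat.lee@example-corp.com\n"
        "Subject: Payment confirmation\n"
        "\n"
        "Confirm the wire today.\n"
    ),
    "legitimate": (
        "From: Accounts <ap@acmesupply.com>\n"
        "To: pat.lee@example-corp.com\n"
        "Subject: Statement\n"
        "\n"
        "Monthly statement attached.\n"
    ),
}


def scan_all(messages=SAMPLE_MESSAGES):
    """Map each sample name to its findings."""
    return {name: analyze_message(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or ["no findings"])
```

The doubled-letter check is intentionally narrow: it only catches one inserted duplicate letter and one TLD swap, the two tricks the report names. A production gateway would use a general edit-distance or homoglyph comparison and a proper public-suffix list, but the narrow version has the advantage of producing very few false positives on legitimate vendor mail.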
The final act of the scam is a message from a higher-up requesting a money transfer. In one case the attackers registered a new domain to send fake approval messages impersonating different levels of the supervisory chain, including copying the email signatures of the relevant business executives. As is usual in BEC scams, there is a sense of urgency to pay — for example, “this has to be done by end of day.”
One possible warning sign, although the scammers in this con deliberately pick companies that commonly wire money internationally, is that the money often has to be sent to banks in China and Hong Kong. However, the funds are typically moved out of the initial account quickly to frustrate tracing.
IBM offers this advice for avoiding being a victim of these scams:
- Implement two-factor authentication (2FA) for account logins;
- Create banners that identify emails coming from external email addresses;
- Block the ability to auto-forward emails outside of the organization;
- Implement strict international wire transfer policies;
- Give employees involved in financial transactions role-based training with ample information about BEC scams;
- Require those with account access to use digital certificates (digitally signed email) to validate the legitimacy of the emails they receive;
- Set an obligatory time delay for overseas transactions, which reduces the attackers’ ability to impart a sense of urgency and trigger the employee into hasty action;
- Verify the vendor. If something does not seem right, an account has been changed or the wire amount is higher than typically requested, employees should call the vendor using a phone number validated out of band, not one taken from the suspect email. Having to obtain sign-off in person or over the phone from the employee supposedly requesting the transfer or change of account can help organizations stop a fraudulent wire before it occurs.
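The concealment tricks in the report (inbox rules that filter replies out of the victim’s view, and auto-forwarding to an outside address) leave artifacts in the mailbox’s rule set, which is why blocking external auto-forwarding is on the list above. The following is an added example, not code from IBM or the report, that audits a constructed set of mailbox rules for those artifacts: forwarding to a domain other than the organization’s own (assumed here to be `example-corp.com`), moving mail to folders nobody reads, outright deletion, and hiding rules keyed on finance wording. The rule schema is a vendor-neutral shape invented for the example; a real export from a mail platform’s admin API would need to be mapped into it first.

```python
# Internal domain of the organization being audited (assumption for this example).
INTERNAL_DOMAIN = "example-corp.com"
# Folders a user rarely opens; moving mail there hides it almost as well as deleting it.
HIDEAWAY_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
# Words that suggest a rule is aimed at finance traffic rather than housekeeping.
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "bank", "account", "transfer")

# Constructed rules in a vendor-neutral shape; every mailbox and address is made up.
SAMPLE_RULES = [
    {"mailbox": "jane.doe@example-corp.com", "name": "Backup",
     "conditions": {},
     "actions": {"forward_to": ["jd.backup@webmail-example.net"]}},
    {"mailbox": "jane.doe@example-corp.com", "name": ".",
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"mailbox": "jane.doe@example-corp.com", "name": "Vendor replies",
     "conditions": {"from_contains": ["@acmesupply.com"]},
     "actions": {"delete": True}},
    {"mailbox": "pat.lee@example-corp.com", "name": "Newsletters",
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to_folder": "Newsletters"}},
]


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address's domain is not the organization's own."""
    return address.rpartition("@")[2].lower() != internal_domain.lower()


def audit_rule(rule):
    """Return the reasons a single rule is suspicious (empty list if none)."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Any forward to an outside domain lets an attacker read mail without logging in.
    for addr in actions.get("forward_to", []):
        if is_external(addr):
            reasons.append(f"forwards mail to external address {addr}")

    # Rules that take mail out of the inbox are how the victim is kept unaware.
    hides = False
    folder = actions.get("move_to_folder")
    if folder and folder.lower() in HIDEAWAY_FOLDERS:
        reasons.append(f"moves matching mail to rarely read folder '{folder}'")
        hides = True
    if actions.get("delete"):
        reasons.append("deletes matching mail")
        hides = True

    # A hiding rule keyed on finance wording matches the pattern in the report.
    if hides:
        terms = [t for t in conditions.get("subject_contains", [])
                 + conditions.get("from_contains", [])
                 if any(k in t.lower() for k in FINANCE_KEYWORDS)]
        if terms:
            reasons.append(f"hides finance-related mail matching {terms}")
    return reasons


def audit_rules(rules=SAMPLE_RULES):
    """Return {(mailbox, rule name): reasons} for every rule with at least one reason."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report[(rule["mailbox"], rule["name"])] = reasons
    return report


if __name__ == "__main__":
    for (mailbox, name), reasons in audit_rules().items():
        print(f"{mailbox} rule '{name}':")
        for reason in reasons:
            print("  -", reason)
```

Run periodically over all mailboxes rather than only after an incident: a new external forward or a “move invoices to RSS Feeds” rule appearing on an accounts payable mailbox is worth a ticket on its own, well before any wire request arrives.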