Business Email Compromise – Cipher

We are kicking off Cybersecurity Awareness Month by looking at a pervasive scam technique that criminals have used for years in order to defraud companies and individuals. This scam is known as Business Email Compromise, also referred to by its acronym “BEC.” As a 2020 Cybersecurity Month Champion, Cipher is planning to release informative content throughout the month to educate our audience.

At its heart, BEC relies on the oldest trick in a scammer’s handbook: Deception. The level of sophistication in this multifaceted global fraud is unprecedented, and professional businesses continue to fall victim to the scheme. Cipher has seen cyber criminals target organizations of all size and industry in every U.S. state and nearly every country around the world.

According to the United States Federal Bureau of Investigation, Business Email Compromise is carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers. Since they started tracking this in October 2013, there the FBI reports that there have been over $26 billion US Dollars in theft from this activity. According to a recent FBI public service announcement, between May 2018 and July 2019, there was a 100 percent increase in identified global exposed losses. The increase is also due in part to greater awareness of the scam, which encourages reporting to the FBI and international and financial partners. The scam has been reported in all 50 states and 177 countries. Fraudulent transfers have been sent to at least 140 countries.

There are two definitions of BEC that are widely used in the INFOSEC community. The most readily accepted definition of this scam is when a threat actor compromises a legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized activities. In other definitions of this scam, the threat actor does not actually gain access to a legitimate account but will attempt to spoof or mimic a legitimate account. We will explore both scenarios in this post.

BEC Type 1: Compromise of a Business Email Account

This scenario is more complex for the attacker to carry out; however, the sophistication is much higher and more difficult to detect by the attacker’s target without the aid of certain security services.

Image via MITRE ATT&CK®

When it comes to conducting this spoofing activity, the MITRE PRE-ATT&CK Matrix does a very good job of explaining the sequence of events. It usually begins with threat actors identify an organization they want to target (TA0014) and then conduct reconnaissance activities (TA0017). This can be using open source and publicly available information (T1277) such as reviewing the company’s executive leadership on their website as well as via social media platforms, especially LinkedIn. The threat actor will then attempt to establish infrastructure to launch the attack (TA0022).

In most cases, additional technical reconnaissance is conducted (TA0015) typically on the email service or email hosting provider. Once a vulnerability is identified, the threat actor attempts to exploit that vulnerability. This process varies greatly, but there are a few common examples. In some cases, a technical vulnerability is found on the email server or email hosting provider network whereby the threat actor can send malicious code to trigger the vulnerability and gain access to the system (T1189, T1190).

In other cases, the attacker may attempt to take advantage of weak Identity and Access Management (or IAM) controls (T1078). Password spray attacks, credential stuffing, and other attempts to gain access to the account are attempted. Another popular method to gain access to an account is through social engineering operations, mainly spear phishing (T1566). In other cases, application access tokens (T1528) and/or web session cookies are stolen (T1539) or hijacked. Regardless of the method, eventually the threat actors successfully compromise a targeted account.

With this access, the threat actor then attempts to conduct discovery techniques of the email account. They will review data repositories such as SharePoint files for client/customer information (T1213). They will also look to collect historical emails that were sent and received from the account (T1114). In some cases, an email forwarding rule is established to forward any inbound email to an external third-party email account controlled by the threat actor (T1114-003). This allows for the threat actor to establish some level of persistence in the event they lose access to the email account or are discovered by cyber defense personnel.

At this point, they conduct their primary objective which is to use the account to steal funds. They will use the compromised email account to communicate with other members of the organization, or possibly even replay communications with individuals external to the organization, such as vendors or customers. There are several creative scenarios where the attacker will attempt to initiate wire transfers or send fake invoices to clients for services that must be paid. Of course, the destination of any of these activities will be a bank account controlled by the threat actor. As you can see, this is much more difficult for the everyday person to recognize.

BEC Type 2: Business Email Spoofing

When it comes to spoofing business emails, the initial reconnaissance activities are the same as described above. The threat actor identifies which organization to target. Without access to the organization, they attempt to mimic it through various methods. One such example is the establishment of a domain on the Internet (T1328) that looks very similar to the legitimate company domain. This is known as typo-squatting or domain squatting. A fake persona is then established (TA0023) and associated to this newly created malicious domain. Typically, this is done by establishing an email account on the domain and impersonating a legitimate C-Level executive within a company. The CEO and CFO are common positions that are impersonated because they command respect within an organization and recipients of emails from an apparent CEO or CFO usually gain the attention of employees.

From here, the threat actor identifies specific targets within the organization, usually in the accounting and payroll departments, but not always. Then they initiate the communication via email. Sometimes they will ask to initiate a wire transfer, sometimes they send a malicious document or URL with a message that entices the target to click or download a file, and in other times they find non-traditional methods to elicit funds such as getting gift cards, etc. The threat actor hopes that their targets will respond by falling victim to this activity.

CipherBox MDR

Customers that use CipherBox MDR can rest easy knowing that Cipher can rapidly detect and respond when attempted or confirmed unauthorized access has occurred. This service has been specifically designed to detect Business Email Compromise, among many other attack techniques.