FBI Warns of Business Email Compromise (BEC) Attacks

With BEC (Business Email Compromise) attacks resulting in $1.7 in business losses world-wide last year, the FBI is warning of an even bigger spike this year due to the COVID-related shift to a remote workforce.

It's a horror playing out daily, an unsuspecting user takes the bait and opens a phishing email.  They click on a link, or download an accompanying attachment, and a payload is delivered.  That malicious payload can be the springboard to all kinds of nightmare scenarios, from a ransomware attack to a BEC.

GDF's vulnerability assessments, penetration testing, and real-world-type phishing and spear phishing awareness testing go a long way in helping identifying the weak spots in your cybersecurity posture to help keep these kinds of nightmare scenarios at bay.  So call 1-800-868-8189 today and let's get started.

“All it takes is one user to bite the lure for a horrific cyber event to unfold.”

This is the PIN (Private Industry Notification) released by the FBI on November 25, 2020, in coordination with DHS-CISA:

"Cyber Criminals Exploit Email Rule Vulnerability to Increase the Likelihood of Successful Business Email Compromise

Summary

The COVID-19 pandemic prompted a mass shift to telework among many US businesses, resulting in increased use of web-based email applications. According to recent FBI reporting, cyber criminals are implementing auto-forwarding rules on victims’ web-based email clients to conceal their activities. The web-based client’s forwarding

rules often do not sync with the desktop client, limiting the rules’ visibility to cyber security administrators. Cyber criminals then capitalize on this reduced visibility to increase the likelihood of a successful business email compromise (BEC). BEC schemes resulted in more than $1.7 billion in worldwide losses reported to the Internet

Crime Complaint Center (IC3) in 2019. The FBI is sharing this information to inform companies of this email rule forwarding vulnerability, which may leave businesses more susceptible to BEC.

Threat Overview

BEC is a sophisticated scam targeting businesses that perform electronic payments such as wire or automated clearing house transfers. A cyber criminal initially compromises a business email account through social engineering or computer intrusion techniques. Following the initial intrusion, the cyber criminal uses the system access to conduct reconnaissance on the victim’s email communications. Using information gathered from the compromised accounts and reconnaissance efforts created by system access following the initial intrusion, the cyber criminal then impersonates an employee over email communications to redirect pending or future payments to fraudulent bank accounts. BEC actors create auto-forwarding rules within email accounts after they obtain employee credentials to decrease the victims’ ability to observe fraudulent communications. After obtaining access to a victim’s email account, cyber criminals update the auto-forwarding email rules in the web-based client. If administrators do not actively sync their web and desktop email clients, the auto-forwarding rules may only appear in the web client, limiting the rules’ visibility to security administrators. While IT personnel traditionally implement auto-alerts through security monitoring appliances to alert when rule updates appear on their networks, such alerts can miss updates on remote workstations using web-based email. If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application. This leaves the employee and all connected networks vulnerable to cyber criminals. Even after a financial institution or law enforcement contact warns a victimized business of a potential BEC, a system audit may not identify the updated email rules if it does not audit both applications, increasing the time a cyber criminal can retain email access and continue BEC activity.

Cyber criminals may also use auto-forwarding rules to delete records from the recycle bin to further obfuscate their activities.

• In August 2020, cyber criminals created auto-forwarding email rules on the recently upgraded web client of a US-based medical equipment company. The webmail did not sync to the desktop application and went unnoticed by the victim company, which only observed autoforwarding rules on the desktop client. RSS was also not enabled on the desktop application. After the BEC actors obtained access to the network, they impersonated a known international vendor. The actors created a domain with similar spelling to the victim and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment. The actors obtained $175,000 from the victim.
• During another incident in August 2020, the same actor created three forwarding rules within the web-based email used by a company in the manufacturing industry. The first rule autoforwarded any emails with the search terms "bank," "payment," "invoice," "wire," or "check" to the cyber criminal’s email address. The other two rules were based off the sender's domain and again forwarded to the same email address.

Recommended Mitigations

• Ensure both the desktop and web applications are running the same version to allow appropriate syncing and updates.
• Be wary of last-minute changes in established email account addresses.
• Carefully check email addresses for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
• Enable multi-factor authentication for all email accounts.
• Prohibit automatic forwarding of email to external addresses.
• Frequently monitor the Email Exchange server for changes in configuration and custom rules for specific accounts. "

Phishing/Spear Phishing Awareness Testing

At GDF, we understand you have a lot on your plate these days. But just imagine how much more will be on your plate if your client calls wondering why they haven't received the money transfer from you for the big purchase they are waiting to deliver. You could swear it was sent, you did the transfer yourself. But wait, thanks to a BEC that started from a phishing attack, an attacker had access to all your email, connections and previous communications to know exactly how to pose as your real client and have you send a monster payment to a fraudulent account. One successful phishing/spear phishing social engineering attack could bring that reality to fruition. To beat these threats, everyone in the organization has to know what to look for, and how to respond should they receive a phishing/spear phishing email, or any other kind of social engineering attack.

GDF can help you get everyone on the same page and raise awareness substantially company-wide with safe, realistic phishing/spear phishing attacks that will put your people to the test. We’ve found there is no greater training tool for this kind of awareness than actually catching some hands in the cookie jar. You’ll get an instant idea of how susceptible your workforce is to these types of social engineering attacks. And they are so realistic, to date we have never failed to get at least one user to bite (and that’s all it can take).

We’ll craft an email that looks legitimate, create a dummy website to look like it is one of your own, and we’ll ask your users for their credentials or other PII, whatever best fits your situation. We’ll send it out to your user email list and in just a few days, we’ll have your results. Armed with this valuable information, your management team can decide on the best approach to shore up the weak links (policy changes, regular training, prominent reminders like posters, PowerPoint presentations, regular testing, etc.) And GDF can help you on those fronts to.

So don’t wait, it’s easy, it’s fast, it’s affordable, and it has never been more necessary than today. Call 1-800-868-8189 and let’s set up a customized, safe and effective phishing/spear phishing test. Survive and thrive in today’s dangerous digital world, stop threats like BEC attacks BEFORE the unthinkable happens.

Fill out the form below today and we'll contact you soon to discuss your vulnerability assessment, penetration testing and phishing/spear phishing/social engineering testing needs.