Story by João Paulo Campello, originaly published in July 2016 on the previous version of the Tempest Blog
Billion-dollar financial losses faced by organisations in past years
According to a research from Mimecast, the number of BEC (Business Email Compromise) attacks has grown about 55% in 2015 in comparison with the previous year. This threat is one kind of social engineering attack more focused on corporate environments, which is also known as CEO Fraud and Whaling attack. Some alerts were given months before, for instance the FBI’s PSA (Public Service Announcement) published last August warning about the steady increase in BEC attacks since early 2015. According to this announcement, between October 2013 and August 2015 several organisations from United States and other 79 countries would have experienced financial losses of around 1.2 billion dollars resulting from such kind of cyber threat. These numbers include statistics provided by US and other countries’ law enforcement agencies. At least another alert was given even earlier — a story published by Deloitte in February 2015 that warned about the rise in ‘Fake President’ fraud attacks. Besides the warning, this article described a few steps commonly used in a typical BEC attack scenario:
- Establish initial contact;
- Make an urgent and exceptional request;
- Use a persuasive speech:
This could be based on authority / hierarchy, secrecy, pressure for the execution of the required activity and even in the supposed employee valorisation for the efficiency in quickly and discreetly performing the requested actions.
- Demand the execution of a financial transfer order:
The fraudster would ask the targeted employee to make a bank transfer ‘manually’, either by a direct phone call to the account’s manager at the financial institution or by an email or fax. While this approach may not follow standard procedures, it is commonly used by organisations in urgent cases and often accepted by banks, especially when requested by large customers. Sometimes the fraudster itself will contact the account’s manager asking for the financial transfer, provided he has gathered enough information about the victims.
Other interesting information regarding Mimecast’s research is that in 70% of BEC incidents the fraudulent e-mail messages were sent from spoofed domain names which resemble the legitimate domain from the targeted institutions. Attacks based on ‘top-level squatting’ would be associated to 16% of the incidents. In these attacks, fraudsters modify the last part of a domain name (changing .com to .biz, for instance) and the rest usually remains the same.
Moreover, it is very important to note that sending forged e-mail messages which appear to originate from the legitimate domain name of the targeted institution is a trivial task and it makes the attack yet more difficult to be spotted by ordinary users. This can also be associated to using a specific SMTP header ( ‘Reply-To’) in order that any replies to the fake message will be, by default, sent to an e-mail address under the fraudster’s control, enabling him to receive and read the responses. The use of such SMTP header is also a trivial task for an attacker to carry out.
Still according to Mimecast, the large-scale usage of social networks and media by C-level executives and managers has made it even easier to gather information about those individuals to perform BEC-style attacks.
At last, it is also worth mentioning that security incidents related to BEC attacks are quite common and regularly identified, however some events stand out because of their scale. For instance, two recent attacks disclosed in January 2016: FACC Operations GmbH, an Australian airplane parts manufacturer, would have been stolen by cyber fraudsters in up to 50 million euros; and a Belgian bank named Crelan that would have lost over 70 million euros, both of them due to BEC-style social engineering attacks.
First, it is interesting to note that successful BEC (Business Email Compromise) attacks are usually carried out by individuals who are somehow familiar with the internal structure of a targeted organisation. However, it does not mean that successful attacks are always performed by an insider. As mentioned earlier in this report, the large-scale usage of social networks by high-level managers is of great value for cyber criminals to map the structure and hierarchy of their targets. Regarding the modus operandi of BEC-style attacks, fraudsters usually send e-mail messages to a company’s employee while trying to impersonate a co-worker — who is often of a higher hierarchical level — and asking for (or even demanding) a high-value bank transfer. The grounds on why the transfer is requested may vary according to the position of the targeted individual and also of the impersonated employee.
Other threats are also possible as a result of BEC incidents, such as an attacker who has compromised corporate electronic mailboxes and then starts to dig through them in search of PII (Personally Identifiable Information) that can be used in other types of fraud. Besides, the fraudster can also use the compromised mailboxes to ask other employees to send personal, corporate or even financial information from individuals of their interest. These requests are typically made by fraudsters to employees who are co-workers or subordinate to the compromised individual, such as personal assistants.
A BEC campaign targeting ‘lower level’ employees was disclosed by Symantec on Twitter on March 3rd. This time the fraudsters transmitted spoofed e-mail messages asking the recipients to send W-2 forms of the company’s employees. A w-2 form is a document issued by employers and sent to the United States IRS (Internal Revenue Service) and to the employee itself, detailing annual wages and the amount of taxes withheld from his pay check. As stated in the previous paragraph, this kind of information is very valuable to cyber criminals because it can be used in other types of fraud.
In addition, a fraudster can also leverage the compromised mailboxes to ask for bank transfers without needing to use an external spoofed domain or to tamper with SMTP headers, as mentioned earlier. It is important to notice that BEC attacks may be used by external actors with the goal of better understanding the internal structure of a potential target, as well as to be aware of its hierarchy, jargons, operational procedures and other information that can ease the performing of subsequent attacks, be them financially motivated or not. It is very important to draw attention to the fact that PII, corporate and financial data gathered by fraudsters can also be used in criminal plots even outside the corporate environment, ranging from setting up fraudulent credit cards on behalf of victims to the simple purchase of gadgets and consumer goods, for instance high-value clothing and smartphones.
Recently, Tempest’s team has identified in Latin America an elaborate plot — that was not publicly disclosed — involving multiple fraud schemes that abused attack vectors originated from a BEC incident involving a company’s executive. The plot is briefly outlined below:
- Bank transfers from the executive’s checking account were fraudulently carried out by means of unauthorized access to his online banking services;
- The transfer was spotted as potentially fraudulent by his financial institution, what resulted in his manager sending an e-mail message to confirm or deny the transaction.
The fraudster — who had access to the executive’s mailbox — sent a reply claiming that the transfer was actually legitimate.
- The fraudster had obtained control over the mobile number of the executive (who was travelling abroad). When the bank manager additionally called the executive’s number to ask if he had actually made the electronic transfer, the fraudster answered the call and confirmed it.
It is interesting to note that the fraudster had obtained control over the executive’s mobile number through an ‘offline fraud’ usually referred to as ‘SIM swap’. He requested the telecom provider to block the GSM chip associated to the mobile number and to redeem another one. This is a common procedure when the owner of a mobile number has lost his phone or the chip itself.
The fraudster then went to a physical store of the telecom provider and showed counterfeit documents containing the name and official IDs of the executive. It is probable that the executive’s personal information have been obtained from the breach of his corporate mailbox or from another action arising out of this incident. This fraud has probably been made while the executive was travelling abroad in order to make it harder for him to spot any fraudulent transfers in his checking account, besides also giving the fraudster more valuable time to maintain control of the hijacked mobile number. The very identification of the executive’s trip probably resulted from the compromise of his corporate e-mail account, since it contained some travel information such as flight check-in reminders and e-mail messages about the trip sent by his personal assistant.
Other fraud schemes were spotted, for instance the purchase of high-value smartphones using other executive’s credit card who also had his corporate e-mail account compromised. In addition, the fraudsters used other employees’ login credentials of a paid online service, which resulted in some fraudulent fares worth around 5 thousand ‘reais’ (about 1250 dollars) each incident. The forensic analysts believe these fraud schemes may also be due to BEC-style attacks against the company’s employees who had the clearance to use the online service, such as executives, high-level managers and their personal assistants.
At last, it is important to remember that the spotted fraud schemes were held through the usage of multiple attack vectors, but most of them had a common denominator: the compromise of corporate e-mail accounts that probably led to the gathering of personal, corporate and financial data of several employees from the targeted company, rendering this a sophisticated but yet typical Business Email Compromise incident.
Regarding protective measures, the best practices suggest to:
- Provide regular and effective security training against Business Email Compromise and other forms of Phishing attacks, which must include all employees (not only executives and managers);
- Verify if a request is legitimate by calling back the person using his previously stored contact, not any number or information given during the demand, had it been made by phone or e-mail;
- Deploy strict procedures for initiating money transfers;
- Start or maintain intelligence gathering programs and services, for instance (but not limiting to) domain name registration alerts that warn companies when similar domains are registered.
However, even if all these recommendations are followed, it is still possible that fraudsters can launch successful BEC attacks. For instance, as previously described, a criminal had taken control over an executive’s mobile and confirmed a fraudulent transaction when the bank manager called this number, rendering ineffective the suggested call back verification procedure.
To such an extent, Tempest recommends the deployment of a corporate authorization system based on a workflow model, so any critical actions must be requested, strictly authorized and properly accounted. It is imperative for this system to have 2FA (Two-Factor Authentication) or stronger authentication mechanisms already deployed and that it must undergo periodic security audits, penetration tests and compliance inspections. If this system covers any critical request, such as (but not limiting to) bank transfers and the sending of sensitive information of any employee, these requests — and its approval flow — will be archived in a central location and can be later audited and scrutinized, if necessary.
The use of 2FA or stronger authentication mechanisms will provide another layer of protection for cases in which an adversary has already managed to compromise the victim’s password through a BEC-style or Phishing attack. It is also strongly advised that the 2nd factor of authentication be based on an external single-purpose device (such as an OTP token) in order to reduce the risks of an adversary also compromising the 2nd factor, for instance if it is based on a multi-purpose smartphone that can likewise be hacked. At last, this approach should be considered a complementary solution and thus be used together with the recommendations previously made throughout this section.