Cybercriminals stole $15 million from a U.S. company by inserting themselves in email correspondence relating to legitimate business fund transfers. The tactic is called Business Email Compromise (BEC) and is one of the most financially damaging online crimes according to the FBI. BEC is a lucrative scam because we rely on email to conduct financial business transactions, such as wire transfers. The traditional BEC scam process contains four steps: identifying a target, grooming that target, exchanging information with the victim, and then completing the wire transfer of funds. This scenario requires attackers to convince the victim that they are conducting a legitimate business transaction when they are dealing with a fraud.
Although the traditional BEC scam can be successful, most businesses have implemented training to spot these types of efforts. These scams can be thwarted by diligent targets easily, which is why this BEC campaign allowed business transactions to be negotiated by senior executives. Mitiga, the incident response company investigating the occurrence, said the threat actors spent weeks trying to compromise the chosen email accounts. They collected information from the victim’s inbox before setting up email for-warding rules to ensure that if they lost access to the account, they would still receive messages from the compromised account. The attackers also created Microsoft Office 365 email domains, with slight alterations to the domain names, to impersonate both parties of the trans-action when needed and registered these domains with GoDaddy as businesses. They monitored the inboxes for a month gathering information from senior executives about planned financial business transactions, then they took over the conversation at the opportune moment to provide altered wire transfer information using the fake domains.
The attackers still needed to make sure that the executives and financial officers at the company did not see the transaction as suspicious and flag it for investigation as the bank could still block the transfer of funds going to the wrong account. To hide transaction emails from the concerned parties, the attacker set up email filtering rules from the inbox to move emails from specific addresses to a hidden folder. The filtering of communications concerning the money transfer from the legitimate inbox owner lasted for two weeks, which was sufficient time for the attackers to successfully move the funds to a foreign bank account.
Microsoft and law enforcement agencies are investigating the incidents. Still, there is little hope of reclaiming the lost funds once transferred outside US jurisdiction. Mitiga said they have seen a dramatic in-crease in BEC attacks this year. The Mitiga CEO, Tal Mozes, said that BEC attacks are up 63%, mostly originating from African countries and targeting U.S. businesses.