Hackers stole about $15 million between April and September 2020 by targeting over 150 organizations through a business email compromise (BEC) scam, according to an Israeli-based cybersecurity firm Mitiga. The firm revealed that cybercriminals would impersonate senior executives using perceived legitimate Microsoft Office 365 email addresses, and convinced the victims to deposit money in different accounts owned by the criminals.
The BEC scam involved creating email server domains that were easily confused with legitimate ones through homograph techniques. The attack targeted US firms operating in various sectors such as construction, retail, finance, and law.
BEC scam techniques employed by attackers
Mitiga discovered the BEC scam campaign when a hacker impersonated a payment recipient after learning about a planned wire transfer. The attacker obtained the information by hacking an employee’s MS Office 365 email account. The fraudster then provided new payment instructions that misled the company to deposit the money into the scammer’s wallet instead of the legitimate account.
Upon investigations, the cybersecurity firm discovered 15 Office 365 accounts used to register 150 domains used in the BEC scams. All the domains were registered with GoDaddy’s Wild West Domains and employed a homograph technique to trick the victims. This attack method exploits closely-related domains that are hard to distinguish, for example, paypal.com and paypaI.com or PayPall.com.
Mitiga says that the threat actors chose Microsoft Office 365 email addresses because of the service’s credibility. Using the same technology stack prevented email security filters from detecting suspicious behavior, allowing the BEC scam emails to sail through.
BEC attacks more prevalent and coordinated
Mitiga’s discovery of BEC attacks was just the tip of the iceberg. The FBI revealed that between January 2014 and October 2019, organizations lost about $2.1 billion through similar attacks. Experts also found that every BEC scam earned the fraudsters about $80,000 during Q2 2020. This amount increased from the $54,000 earned during the first quarter of the year (Q1 2020).
The federal agency also said that attackers preferred “two popular cloud-based email services.” However, the FBI did not disclose the names of email services regularly exploited by BEC fraudsters.
In a case investigated by the FBI, a fraudster instructed a company to make an urgent payment to a different account. The scammer alleged that the company had introduced operational changes because of the COVID-19 pandemic. Coincidentally, the targeted company had a scheduled payment of $1 million with the impersonated client.
Law enforcement agents also investigated another BEC scam in which Encore Energy lost $2 million to criminals impersonating a regular client. The Feds discovered that Encore’s BEC scam was an intricate criminal syndicate where the stolen money ended up in a Hong Kong Bank account.
Similarly, Mitiga found related digital signatures on over a dozen clusters used in the BEC scam. The discovery suggested that the attackers used each cluster to execute a coordinated attack.
Despite being easy to prevent, BEC scam campaigns cost businesses millions of dollars. Companies should always confirm client communication through other channels instead of trusting email communication, which is easily spoofed.
“Organizations want to enable robust procedures and verification for any money sent to vendors or suppliers,” says James McQuiggan, a Security Awareness Advocate at KnowBe4. “It’s essential to not rely solely on email for account changes, payments, or other financial changes. Using a verification method with multiple parties that is based on a tiered payment system can reduce the risk of money lost to criminals.”
McQuiggan advises companies to train employees on detecting transactional red flags, malicious emails, and rogue URLs.
“End users should double-check email addresses and verify the sender by thinking about whether or not an email was expected. Trust but verify is a reliable method to ensure you don’t fall victim to any email scams.”