Anatomy of a Business Email Compromise (BEC)
Business Email Compromise (BEC) is a type of scam that ultimately targets a company’s financial resources. The scam can employ a wide variety of angles to lure its victims. Here are three examples of how a BEC attack can begin:
Spoofing an email (website): This is when there is a slight variation in the email/web address that can pass as legitimate and be acted upon.
Targeted spear phishing emails: This is an authentic-looking email that ultimately tricks the employee to type their credentials for an account. The criminals can then access accounts, calendars, mail, and so on. Typically, high-level executives are the most targeted victims since they have the highest privilege levels followed by those in finance departments.
Malware: This is malicious software that can be installed in many ways. Victims can simply click on file or visit a malicious website where the software is downloaded without the employee becoming aware. Through this approach, adversaries can gain access to systems that allow them to schedule payments and insert invoices to be paid that typically won’t be questioned due to their legitimate look and feel as well as their closeness to high-level executives that appear to be associated with them.
The complexity of how systems and credentials are breached are ever changing. Staying on top of employee training is a must. These various methods can be explored at the Anti-Phishing Working Group (APWG). In their 4Q20 report, they note the impacts as follows:
The number of phishing attacks observed by APWG and its members grew throughout 2020, doubling over the course of the year.
Business email compromise scams are becoming more costly for victims. The average wire transfer request in BEC attacks increased from $48,000 in Q3 to $75,000 in Q4.
The financial institution, webmail and SaaS site category was the one most frequently victimized by phishing in this quarter.
In looking at a recent event, an executive was a victim of spearphishing and he unwittingly gave away his credentials. It turns out this executive had MS Admin privilege levels enabled and thus this journey:
1. The credentials were obtained through spearphishing.
a. Note the executive did not have multi-factor authentication (MFA) enabled for their ID.
2. The night before the big move – the attacker logged in.
a. Note this was from an abnormal IP and ISP provider in another state.
3. Early the next morning the attacker initiated multiple MS SharePoint File Previews.
a. These were primarily financial documents – note nothing was downloaded.
b. The attacker identified their investment bank, account numbers and access contacts.
4. At this point, within a 45-minute window, he started changing the O365 rules & authorizations.
a. Granted Send On Behalf Of privilege to the Executive Assistant for the CEO.
b. Granted Send As permission for both the CFO and CEO.
c. Granted Mailbox permissions, with Full Access.
d. Setup a backdoor email with Full Access.
e. Established rules to delete emails after being sent to avoid suspicion and delete incoming
emails from MS to prevent detection.
5. Following all the changes, he then sent an email to the investment bank contact from the CEO/CFO with his personal credentials for full account authorization.
6. The individual was caught, and immediate incident response activity addressed any/all changes made.
7. Additionally, a review of all privilege levels was conducted, and Admin rights were reduced to User rights for all but key IT personnel as well as MFA enabled.
There are many lessons that can be taken away from just this one all-too-common scenario:
Always have MFA in place, regardless of who might complain about it.
Always know who has what privilege levels and manage accordingly.
Provide constant training, especially for executives, on the various techniques used to gain access to credentials.
Don’t put “blind faith” in your email provider’s ability to protect you or your bolt-on email security provider – things will get through.
Make sure all your audit logs are being sent to a SIEM tool that has deep capabilities with behavioral rules that can catch these steps (behavior patterns) as they are occurring and alert the cybersecurity teams in real-time.
One item to note regarding M/O365, is that Microsoft has many different layers of offerings and each of these impacts how timely audit logs are sent to the SIEM tools and what security levels you get.
Fluency Security is a market-leading behavioral automation SIEM tool that has extensive pre-built rules for various email providers, email security vendors and most major vendors. Fluency Security also ingresses all network feed data to include NetFlow so we can provide organizations with the most comprehensive cybersecurity coverage possible when abnormal things happen.
Again, things will get through and your ability to catch them in real-time is tied directly to tracking behavior patterns that aren’t normal and do so as the data is streaming in as opposed to storing the data and writing queries to look for them. Fluency is your last layer of defense when all the others can’t stop what’s happening.