In the last year, there has been a trend towards the commission of payment scams that target employees of companies by attempting to convince them to transfer money to cyber criminals. Commonly referred to as business email compromise (BEC) scams, they generally involve scammers sending emails that appear to come from senior staff at an organisation (hence sometimes being referred to as “CEO fraud”) and requesting that a sum of money be transferred to a third party’s bank account (controlled by the scammers). Brian Krebs has written about these attempts in his blog, here and here. According to the Federal Bureau of Investigation (FBI), these scams have generated reported losses of $1.2 billion internationally between October 2013 and August 2015.
Two recent examples of these scams reported to us by our clients demonstrate the different types of organisations that can be targeted by these scams.
The first scam described below targeted a sporting club and demonstrates how a business email scam can be executed in a relatively simple and innocuous fashion. The second is an example of a slightly more complex version targeted at a financial technology company that required more effort to execute, and which ultimately needed execution of the company’s incident response plan to investigate and resolve the incident.
Case Study — A Sports Club is Targeted
The first business email scam targeted a small sporting club that had published the contact details and roles for all of its board members on its website. This meant the scammer had to exercise a minimum amount of effort in order to craft the scam — all the contact details and roles for the board members were clearly available. Initial contact was made by the scammer via email (posing as the President) to the Treasurer, John, to start the conversation.
In this case, the Treasurer became suspicious and was quick-thinking enough to call the President to seek verbal confirmation of the transfer request. This gave the game away and revealed that the club was being scammed.
Hivint was contacted to provide further analysis and advice on the email scam, as the club staff members who were targeted in the scam were unsure if the scam indicated a system compromise or similar. Once the emails were received, a simple check of the email headers (below) of the original email identified the ruse.
As the email headers reveal, the “Authenticated sender” or real scammer’s email was different from the address shown in the actual email. A google search shows [email protected] to have been used before in scams.
In addition, the “Reply-To” address of [email protected] did not actually belong to the club’s President, and directed the target’s response to an email address controlled by the scammer. A check of the return email address when responding would also have given this away.
The Second Scam — A Financial Technology Company
The next occurrence of a business email scam that Hivint was made aware of came from a financial technology company we work with. They had received a phishing email similarly requesting money from the financial team.
This attempt took more effort as the scam clearly involved more research and customisation by the scammer.
While the content of the email was consistent with most business email scams (see below), there were some distinguishing features which contributed to the scam almost being successful.
In this case, the attacker registered a domain with a very similar domain to the target business — an extra letter was added to the domain name — e.g. www.domain.com was registered as www.domaiin.com. This meant that the reply-to address closely resembled an email address that belonged to the company’s actual registered domain name, making the scam harder to detect unless anything more than a cursory examination of the reply-to address was undertaken.
There are a number of attacks which are high volume/low value. For example, attempting to force payment through cryptolocker only works if the price is within the victim’s “pain point” or ability to pay. The business email scam, however, has no force behind the request for payment. The scam only works if the victim doesn’t know they’re getting scammed. And this takes effort, which means that the payoff has to be worth it for the perpetrator.
Even spending a few weeks on researching a victim and crafting an attack for a five figure payout would still be highly profitable for a scammer, and a growing $1.2 billion pot of money derived from these scams shows that they can be lucrative.
That there is continuing growth in these scams demonstrates that this threat is worth countering, and there are some fairly basic steps to undertake should you want to reduce the risk of these types of attacks occurring at your company, and the likelihood that they will be successful.
Exercise proper security hygiene to protect your online identity.
Don’t publish the contact details and position names of specific staff on publicly accessible places on the internet; particularly staff with payment-related responsibilities. Instead, use an email form that sends to a generic email address — [email protected] — and distribute emails to relevant personnel from there.
Separation of Duties
Should a request come to an individual for payment of a sum of money (whether for an invoice or otherwise), a check should be made that the payment is in fact legitimate (e.g. through verbal confirmation, or confirmation there is an associated Purchase Order number or invoice) and approved by a relevant authority.
Basically, no business processes should fundamentally tie the receipt of an email with a money transfer.
Ensure education on email scams is included in your organisational security awareness program.
Check your registered domains
Andrew Horton’s URLCrazy (included in Kali Linux) can be used to keep an eye on domains registered with similar domain names to your business.
Buy the domains that you can, and consider blocking emails from similar domains already registered, or generating an alert should an email arrive from these domains.
Remember, if something about an email doesn’t seem right, making simple checks that you’re corresponding with a legitimate sender will go a long way to ensure you are not defrauded. In particular:
- Double check whom you’re actually responding to — if the reply address for the email is different once you’ve hit “reply” then it may have been sent by a scammer. If the email looks legitimate, then check the spelling of the email address to ensure the domain name is not misspelt.
- Contact the purported sender of the email using a known telephone number (i.e. not a contact number given in the email) before executing any money transfers. Even if an attacker has gone out of their way not to just spoof an email address, but has control of your entire IT environment, using an “out-of-band” method to contact the legitimate person can help verify the authenticity of the email.
And finally, should you still fall victim to a payment scam, contact your financial institution as soon as possible.
By Ben Waters, Senior Security Advisor at Hivint. For more of Hivint’s latest cyber security research, as well as to access our extensive library of re-usable cyber security resources for organisations, visit Security Colony