Category: Email Security

Phishing Email Uses Google Drive to Get Past Microsoft Security

Phishing, email scams, tips to avoid spear-phishing
~ Brad Wyro ~ Leave a comment

This week, Threatpost reported on a new spear-phishing attack that uses email sent via Google Drive claiming to be the CEO of the targeted company sharing important information with the recipients.  The email came from Google Drive, but the sender address didn’t match the company’s standard naming convention for email addresses.

Because the message was sent by a legitimate email service, it was able to bypass Microsoft Exchange Online Protection on its way to users’ inboxes.

You can read the full article here.

No Spam Filter or Email Gateway can Block 100% of All Spam

Spam Filters and Email Gateways have proven quite effective at blocking most of the junk email that gets sent by the thousands on a daily basis, but cyber criminals are always looking for new ways to bypass email security measures through social engineering, new strains of malware, and newly-discovered security flaws reported in  Microsoft Exchange Server and cloud email platforms. That’s why user training will continue to be a top priority for all businesses that use  email.

Tips to Avoid Phishing and Business Email Compromise (BEC) Attacks

In a prior post, I listed the following 10 tips to avoid falling victim to phishing emails.. Here’s a brief summary. You can read the entire post here.

10 Tips to Identify a Phishing Email

  1. Watch out for messages disguised as something expected, like a shipment or payment notification.
  2. Watch for messages asking for personal information such as account numbers, Social Security numbers, and other personal information. Legitimate companies will never ask for this over email.
  3. Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
  4. Check for poor grammar or spelling errors.
  5. Hover before you click!
  6. Check the Greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam?” If so, be careful & think twice!
  7. Check the Email Signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam.
  8. Don’t download Attachments
  9. Don’t trust the From address –Know the difference between the “envelope From” and the “header From” addresses.
  10. Don’t Enable Macros –  Never trust an email that asks you to enable macros before downloading a Word document.

These 10 tips are explained in more detail in this post.

10 Tips to Protect Against Business Email Compromise (BEC) Email Attacks

Business Email Compromise goes beyond standard spam techniques by exploiting human nature and the trust established between employees and members of the executive team. Scammers use social engineering, CEO impersonation, and a variety of other techniques to trick users in accounting, finance, or other high-power positions into transferring money into the scammer’s accounts. These attacks are well-executed and targeted at specific individuals, and often take more time to plan and launch due to the amount of research that goes into these attacks. Cyber criminals use publicly available information on sites such as LinkedIn, Facebook and even the website of the targeted victim to gain insight into the company’s business practices. They will often study the writing styles of the executive team, allowing them to craft convincing emails that appear authentic to employees.

Because Business Email Compromise attacks are often so well-crafted, they are able to bypass standard security measures. These tips should help you identify a Business Email Compromise attempt if one should slip through your spam filter or email gateway.

  1. Train Users to recognize these Common Impersonation Tactics used by Cybercriminals
    • Domain Name Spoofing
    • Display Name Spoofing
    • Lookalike Domain Spoofing
    • Compromised Account
  2. Secure your Domain by registering similar domains.
  3. Don’t Over-share on Social Media
  4. Use SPF, DKIM & DMARC to protect your domain from spoofing.
  5. Use Two-Factor Authentication
  6. Use Strong Passwords
  7. Don’t trust unknown sources
  8. Establish strict processes for wire transfers
  9. Provide regular end-user training
  10. Run antivirus software often

You can learn more on how to avoid Business Email Compromise attacks here.

No business is too big or too small to fall victim to email-borne scams. In fact, cyber criminals often target smaller businesses based on the assumption that smaller companies are less likely to have the latest security systems in place. MDaemon Email Server and Security Gateway for Email Servers include a variety of features to protect businesses from spam, malware, and leaks of sensitive business data.

15% discount during August, 2019 for MDaemon Email Server and Security Gateway for Email Servers

Looking for a secure, affordable email and collaboration server or email security gateway for your business? This month, we’re offering a 15% discount off the price of MDaemon Email Server (new purchases), and Security Gateway for Email Servers (new, renewal, and upgrades).

Comments? Question? Let us know. We’re here to help!

 

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Security Gateway’s Built-in Archiving and Cloud-Based Email Integration Just got a Major Update!

~ Brad Wyro ~ Leave a comment

fSecurity Gateway for Email Servers version 6.1. release with archiving, legal hold, and data retentionWhen it comes to email archiving, businesses require features that go beyond simple message replication in order to meet expanding regulations. And because every email solution, whether it’s on-premises or in the cloud, needs strong anti-spam/anti-malware filtering, it makes sense to combine archiving and security into a single product. To address the growing demand for a combined email security/archiving solution, archiving was added to Security Gateway for Email Servers in version 6.0.

Security Gateway’s Integrated Archiving Just Got a Lot Better!

With Security Gateway 6.1, the integrated archiving feature received a major upgrade with these new features for legal compliance and cloud email integration:

  • Legal Hold

Security Gateway’s new Legal Hold feature will prevent emails from being deleted from the archive, regardless of any other settings, user permissions, or retention periods.

Legal Hold - Security Gateway for Email Servers
Legal Hold – Security Gateway for Email Servers
  • Minimum Archive Retention Period

Businesses must meet a variety of data retention laws, and these laws vary by country or region. In the United States, many businesses must store archived emails in compliance with the following laws and retention policies:

  • IRS Regulations (for all companies) – 7 Years
  • Sarbanes Oxley Act (SOX – For all public companies) – 7 Years
  • Freedom of Information Act (FOIA – Federal, state & local agencies) – 3 Years
  • Department of Defense Regulations (for contractors) – 3 Years
  • Health Insurance Portability and Accountability Act (HIPAA) – 7 Years

To meet these and other growing regulations, administrators can assign a minimum retention period for all archived email messages. During this time, archived messages cannot be deleted regardless of any other settings or user permissions.

Email Retention Period - Security Gateway for Email Servers
Email Retention Period – Security Gateway for Email Servers

Improved Cloud/Hosted Email Integration for Microsoft Office 365 & Azure

Security Gateway’s automatic user creation feature helps reduce administrator workload by verifying whether an email sent to or from a local domain contains a valid email address, and then automatically adding the account once the email address has been verified.  With Security Gateway 6.1, this process has gotten much easier for businesses using cloud email services, with a new option to verify users by querying Microsoft Office 365 or Azure Active Directory.

Office 365 & Azure User Verificatioin - Security Gateway for Email Servers
Office 365 & Azure User Verification – Security Gateway for Email Servers

Other New Features

Other new features for Security Gateway include:

  • Whitelist & Blacklist Search – A search field was added to the Whitelist and Blacklist screens to help administrators find listed email addresses more easily.
  • Quarantine reports can now be sorted by score. This makes it easier to identify false-positives, which will likely have lower scores.

For the complete list of updates, please see the Security Gateway release notes.

If you aren’t yet protecting your business email with Security Gateway for Email Servers, visit the Security Gateway product page for an overview of its features, or visit the Download page to download a free trial!

Security Gateway Hosted/Cloud services are also available.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Not Today, Scammer! Today’s Phishing Attempt

~ Brad Wyro ~ Leave a comment

A brief glance through my Spam folder in MDaemon Webmail today reminded me of the need for on-going education on the topic of phishing and Business Email Compromise (BEC) scams. Because businesses have already lost millions of dollars to these scams and continue to fall victim every day, it bears repeating that, while spam filters and secure email gateways continue to improve, no solution is 100% fool-proof.

Today’s phishing example was scanned by MDaemon, determined to be spam, and placed in my Spam folder for review (MDaemon can also be configured to delete spam instead of placing it in the user’s spam folder).

Most of us will likely be immediately suspicious due to all-caps “REMINDER!!!” at the top of the message, but what other phishing clues can you identify?

Phishing example, spam email
Phishing attempt with malicious file attachment

In this example, the scammer has used display name spoofing  to make the message appear to be from DHL. Most large businesses such as DHL have policies regarding email communications. DHL’s fraud awareness policy, which you can read here on their website, states:

“Please be advised that if you received an email suggesting that DHL is attempting to deliver a package requesting that you open the email attachment in order to affect delivery, this email is fraudulent, the package does not exist and the attachment may be a computer virus.

Please do not open the attachment. This email and attachment does not originate from DHL.”

But for most of us who remain unaware of DHL’s policies, it’s important to know what to look for to avoid becoming the next victim to phishing scams.

Using the DHL example, I’ve labeled the items to look out for when reviewing a suspicious email.

Phishing Example and What to Look For
Phishing Example and What to Look For

No business is too big or too small to educate its users about phishing. After all, it only takes one user to open a malicious attachment and unleash malware vicious enough to take down an entire company. Learn more about how to avoid being the next victim by reviewing these 10 tips to identify a phishing email.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

10 Tips to Identify a Phishing Email

~ Brad Wyro ~ Leave a comment

Don’t Risk Losing your Life Savings to Scammers. Follow these 10 Tips to Identify a Phishing Email.

Whether you run a Fortune-500 organization or a small boutique, by now you should be aware of the threats posed by cyber criminals to trick you into clicking a link, downloading an attachment, or parting ways with your money.

Modern day email scams are getting more sophisticated, leading to staggering losses for businesses of all sizes. According to the 2018 Verizon Data Breach Investigations Report, phishing was used in 93% of all reported breaches, with email being the main attack vector in 96% of reported cases.

While these figures are staggering, they continue to rise as scammers reap huge payouts from BEC (Business Email Compromise), CEO fraud and other phishing scams.

The real estate industry is a prime target for phishing because large sums of money change hands and there are various weak links in the transaction process. If any step within the transaction process becomes compromised with a successful phishing email, the attacker could gain access to a legitimate email address from which to launch other attacks. The fraudster could then lie in wait, scanning email messages for financial or transaction related details, and then send off fraudulent wire transfer instructions to an unsuspecting buyer, seller, or agent. For example, this happened to a 31 year-old first-time home buyer in San Antonio, Texas. You can read details about this case here, but the short version of the story is that she felt that she was in a time crunch to send in her down payment and finalize other closing tasks, and felt that the title company was dragging its feet. This state of high anxiety made her a prime target for a phishing email she received stating that she had previously been given the wrong wire transfer information, and that she needed to wire her down payment to a new account. With 5 hours left to get everything done, she attempted to contact her title company to confirm the change, but no one responded, so in a panic, she hastily ran to the bank and wire transferred her $52,000 down payment. Unfortunately, she sent her life savings to scammers.

The phishing industry is so lucrative for scammers because the barriers to entry are low relative to potential huge payouts. With botnets-for-hire and Malware as a Service (Maas), spammers have an impressive arsenal of tools at their disposal to propagate their campaigns, so to fight this scourge, an educated user is the best defense against phishing scams. With this in mind, here are my top 10 tips on how to identify and protect yourself from phishing attacks.

  1. Watch out for messages disguised as something expected, like a shipment or payment notification. These often contain links to malware sites. Hover your mouse over any links to make sure they’re safe. Think before you click! Here’s an example using a phishing email I received claiming to come from HSBC.

    Payment notification phishing email
    Watch for unexpected payment or shipment notices
  2. Watch for messages asking for personal information such as account numbers, Social Security numbers, and other personal information. Legitimate companies will never ask for this over email.
  3. Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
  4. Check for poor grammar or spelling errors. While legitimate companies are very strict about emails they send out, Phishing emails often contain poor spelling or grammar.
  5. Hover before you click! Phishing emails often contain links to malware sites. Don’t trust the URL you see! Always hover your mouse over the link to view its real destination. If the link claims to point to a known, reputable site, it’s always safer to manually type the URL into your browser’s address bar.
  6. Check the Greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam?” If so, be careful & think twice! Legitimate businesses will often use your real first and last name. In our HSBC example, notice the generic greeting.

    Watch for generic greetings in email messages
    Watch for generic greetings in email messages
  7. Check the Signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam. In our HSBC example, the sender’s name and contact information are missing from the signature.

    Watch for generic signatures in phishing email messages.
    Watch for generic signatures in phishing email messages.
  8. Don’t download Attachments – With the proliferation of Ransomware as a Service (Raas), spammers have an easy mechanism for distributing malware-laden spam messages to thousands of users. And because the payout for ransomware can be quite high, even one successful ransomware infection could net the spammer large amounts of money. If there’s ANY doubt about the identity of the message sender or the contents of an attachment, play it safe and don’t download the attachment.
  9. Don’t trust the From address – Many phishing emails will have a forged sender address. The From address is displayed in two places. The Envelope From is used by mail servers to generate NDR messages, while the Header From is used by the email client to display information in the From field. Both of these headers can be spoofed. MDaemon Webmail has built-in security features to help users identify spoofed emails. Many mail clients hide the From address, only showing the From name, which can be easily spoofed. In MDaemon Webmail, the From address is always displayed, giving users a clearer view into the source of the email and helping them identify spoofed senders. Using our HSBC example, I’ve highlighted the actual sender.
    Phishing email highlighting the actual sending address
    Phishing email highlighting the actual sending address

    MDaemon Webmail will also display information in the Security tag to help users identify messages from verified senders, as shown here.

    MDaemon Webmail - DKIM-Verified Sender
    MDaemon Webmail – DKIM-Verified Sender
  10. Don’t Enable Macros – And while we’re on the subject of ransomware, another common vector for ransomware infections is through macros in Microsoft Word documents. These documents often arrive in phishing emails claiming to have important content from HR, Finance, or another important department, and to trick the user, they request the user to enable macros. Never trust an email that asks you to enable macros before downloading a Word document.

While anti-spam and anti-malware tools are quite effective at filtering out the majority of scams, there’s really no substitute for good old-fashioned user education. Know the potential costs to your business and don’t become the next victim!

If you’re the MDaemon or SecurityGateway administrator and need help with your security settings to help block as much phishing as possible before it reaches your users, give us a call or drop us an email support request.

 

 

 

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Another day, another attempt to scam me – but I know a phishing attempt when I see one!

~ Brad Wyro ~ Leave a comment

Avoid phishing scamsIt’s just a fact of life: If there’s email, there will always be spam. Now, how much spam you have to deal with will depend on how good your spam filtering solution is. Here at MDaemon Technologies, we use our own products – MDaemon and Security Gateway, to filter out spam, malware, phishing attempts, and all of the other junk that often floods inboxes of users whose email server or hosted service isn’t as effective.

“If I have a good spam filter, do I REALLY need to know how to recognize phishing scams?”

If an email security company or hosted provider tells you their spam filter will catch 100% of spam, they’re not being completely honest. Most companies say their products catch 99% or 99.5% in their SLA (Service Level Agreement), with a false-positive rate of %.0001 or less. That’s reasonable and to be expected, especially considering the statistics.

According to public data, spam made up over 71% of global email traffic in April, 2014. As of September, 2018, spam volume had decreased to 54%, but considering that over 281 billion email messages are sent per day worldwide, that’s still over 151 billion spam messages sent every day, and while spam may be decreasing in total volume, it’s becoming more dangerous, with cryptojacking overtaking ransomware as the attack vector of choice for cybercriminals, and malware-as-a service turning cybercrime into a commodity for the masses,

So no matter how good an email security product is, there is always that chance that new and emerging (and sometimes tried-and true) social engineering techniques will succeed in tricking the next unsuspecting victim to part ways with his or her company’s bank account details.

And that brings me to the point of today’s post. It bears repeating that companies of all sizes and industries should consider ongoing training with their employees on how to recognize phishing attempts.

In today’s example, the scammer is using a classic BEC (Business Email Compromise) attack to try to get the recipient to open a malicious ISO file.

Phishing email using common Business Email Compromise tactics
Phishing email using common Business Email Compromise tactics

Because the threat of phishing and Business Email Compromise will continue well into the future, I will revisit this topic regularly throughout the year.

Meanwhile,  I would recommend sharing with all employees and business executives these 10 best practices for avoiding common email scams.

Business Email Compromise Protection Tips

 

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Prevent Leaks of Sensitive Business Data with Security Gateway for Email Servers

~ Brad Wyro ~ Leave a comment

Data Leak Prevention - SecurityGatewayBusinesses of all types must maintain records containing personal information about their employees and customers, and executives and clients alike have a mutual interest in protecting that data. But there’s no guarantee that every employee will treat confidential account numbers, Social Security numbers, passport numbers or other personal data with the same amount of care. So how can we prevent this sensitive data from getting into the wrong hands?

We’ll show you how and give you a sneak preview of upcoming new data leak prevention rules in our latest Security Gateway for Email Servers video!

Click here for a detailed explanation of all DLP features.

If you’re not yet a Security Gateway user and would like to try it out, click here for a free trial.

Comments or questions? Let us know!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Seedworm Operation Spreads Malware via Phishing Attacks

~ Brad Wyro ~ Leave a comment

Phishing Spam Graphic2018 has been a busy year for new threats spread via email, with spear-phishing and Business-Email-Compromise (CEO fraud) the rising star for cyber-criminals intent on draining your bank account. Recent victims include Google and Facebook ($100 million lost), McEwan University (almost $12 million lost), a New York judge ($1 million), and a Dutch cinema chain (over $21.5 million). These threats will continue to grow as cyber-criminals try new tactics to separate you from your money. The latest trend involves using encrypted HTTPS connections to trick users into thinking they’re visiting a secure site.  This means users can no longer trust a site that displays the green padlock icon in the address bar. Always verify that you’re visiting a legitimate site before entering any personal information such as Social Security or credit card numbers, otherwise, your private data could be transmitted to a hacker.

As we continue to bring awareness to these threats, new ones emerge almost daily. In the past three months, a cyber-espionage group known as Seedworm (aka MuddyWater) has used spear-phishing attacks to infect 131 individuals with the Powermuddy backdoor (a new variant of their Powermud backdoor). Once a system has been compromised, this malware runs a tool that steals passwords from a user’s browser and email, often leading to access to the victim’s email and social media accounts.

Protect Yourself from the Latest Threats

Over the years, I’ve posted many times about phishing, spear-phishing, and other threats, with a variety of suggestions for protecting yourself and your business from becoming the next victim. Throughout these posts (from oldest to newest), you’ll find lots of tips to avoid being tricked by these email-borne scams.

As the threat landscape continues to evolve, businesses of all sizes must maintain awareness of the latest email-borne threats and educate staff at all levels, from entry level to C-suite. After all, without the right tools and procedures in place, it only takes one misguided mouse click to damage a business’ reputation or send it into bankruptcy.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Avoid Business Email Compromise and CEO Fraud Attacks with these 10 Best Practices to Protect Your Business

~ Brad Wyro ~ Leave a comment

Top 10 Business Email Compromise Protection TipsIn part one of our three-part series on Business Email Compromise (BEC), I explained what a BEC attack is and provided examples and statistics. As you’ll recall from the examples discussed, businesses have suffered staggering losses to these attacks, and while users are becoming more aware of them, their own human nature dictates that these threats will continue. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.

In part two, I discussed the following 4 steps cybercriminals take to conduct a BEC attack.

  1. Identify the target victim
  2. Grooming
  3. Exchange of information
  4. Payment

Businesses can make Step 1 more difficult by carefully crafting and monitoring online content such as company websites, LinkedIn profiles and other publicly available information, but as long as employees can be influenced by excessive trust, intimidation, or simply lack of awareness, businesses will need to implement additional preventive measures to avoid potentially devastating losses. After all, once a credible target has been identified, the best defense is a well-informed workforce.

Top 10 Business Email Compromise  Protection Tips

  1. Train Users to recognize these Common Impersonation Tactics used by Cybercriminals

Domain Name Spoofing – Domain name spoofing involves either spoofing the sender’s “Mail From”  to match the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a spoofed “Reply-To” domain in the message header.

Here is an example that has been spoofed to look like it was sent from HSBC Bank:

Domain Name SpoofingA quick examination of the message headers reveals a return-path address that is not associated with the From address. A reply to this message would go to frank.thomas@example.com.

Domain Name Spoofing

 

 

 

 

 

 

 

Display Name Spoofing – Most BEC attacks use this technique. With display name spoofing, the attacker will register a free email account that may contain the name of a company executive. The attacker would then configure the display name to match your CEO or some other executive, and then send phishing messages from this account. This technique works because recipients often only look at the display name and not the actual email address. In fact, many email clients (particularly on mobile devices) will only show the display name when viewing the message, making it easier to hide the sender’s real identity. Because the sender’s email address is not forged, messages using this spoofing technique are often more difficult to block than those using domain name spoofing, where the addition of three DNS records (DKIM, SPF and DMARC) have been shown to be more effective at blocking spoofed emails.

Here is an example showing a spoofed display name of HSBC Bank. To help users identify suspect emails, MDaemon Webmail has a handy security feature that displays the actual sender address as well as the display name.

Display Name Spoofing
Display Name Spoofing

Lookalike Domain Spoofing – Lookalike domain name spoofing involves registering fake domains that contain characters that look similar to others and sending phishing emails from them in an attempt to trick the recipient into thinking the message is from a legitimate domain.  An example would be using an upper-case I in place of a lower-case L.

Business Email Compromise email using lookalike domain
Business Email Compromise email using lookalike domain

Compromised Email Account – Another common tactic is the use of legitimate email accounts that have been compromised through malware or social engineering to steal data or funds.

  1. Secure your domain

Register domain names similar to yours to protect against lookalike domain spoofing.

  1. Don’t over-share on social media

Be careful what you post on social media, especially job titles and responsibilities, corporate structure information, and out-of-office details.

  1. Use SPF, DKIM and DMARC

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) are anti-spoofing and email authentication techniques that use DNS records to validate the sender of an email. Make sure your domain has valid SPF, DKIM and DMARC records, and make sure your mail server/provider is analyzing all inbound email traffic using these tools. For more information, refer to this blog post.

  1. Use two-factor authentication

With two-factor authentication, users must provide two forms of authentication – a password and another form of verification such as a unique verification code or a fingerprint. Two-factor authentication is discussed further in this blog post.

  1. Use strong password policies

Use strong passwords and require regular password changes. Strong passwords must meet the following criteria:

  • Must meet a minimum length requirement.
  • Must contain both letters and numbers.
  • Must contain both upper and lower case letters.
  • May not contain the account mailbox or full name data.
  • Never use commonly guessed passwords such as Password1 or Letmein.
  1. Don’t trust unknown sources

Never open emails, click on links, or download files from unknown senders. To help users verify the identity of a message sender, MDaemon Webmail displays the full email header in addition to the display name.

  1. Establish strict processes for wire transfers

You may recall from my previous post that cybercriminals have been known to target all parties in a real estate transaction. If you receive a request to change the payment type or the original recipient’s financial information, be sure to verify the information through already-established channels of communication.

Before responding to wire transfer requests, verify the identity of approved vendors and the authenticity of their invoices. Confirm in person or by phone using previously known numbers. Don’t trust the phone number on the invoice.

  1. Provide regular end-user training

User education must be reinforced on a regular basis for stronger awareness. Every employee who uses email should know how to recognize a spoofed email or a phishing attempt.

  1. Run antivirus software often

Make sure your antivirus software is up-to-date and run it regularly.

While traditional security measures such as network defenses and email gateways can be effective at blocking most varieties of spam, the bottom line is that user awareness and education are critical to avoid falling victim to BEC attacks.

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Four-Step Swindle: The Anatomy of a Business Email Compromise Attack

~ Brad Wyro ~ Leave a comment

This week, we continue our series on Business Email Compromise. Click here to read Part 1, which includes an overview and various statistics on this growing threat.

It takes time and effort to launch a successful Business Email Compromise (BEC) attack. In a typical attack, several messages are exchanged in an attempt to convince the target to authorize large payments to the attacker’s bank account. From start to finish, the steps involved in a BEC attack consist of identifying a target, grooming, exchanging information, and finally, transfer of funds.

Let’s go over these four steps in detail.

Step 1 – Identify the Target Victim

Step 1 – Identify the Target Victim The first step in a BEC attack may be the most time-consuming. During this step, a criminal organization researches the victim to develop an accurate profile of the company. Through publicly available information, attackers look for the names and positions of company executives, especially those on the finance team. They scour social media, online articles, and anything else that will provide specific details about the company and its employees. Scammers who are able to infiltrate a company’s network with malware may spend weeks or months monitoring information on the company’s vendors, billing and payment systems, and employee vacation schedules. They have also been known to monitor the executive’s writing style in order to craft a convincing email using a spoofed email address or lookalike domain claiming to come from the CEO.

Step 2 – Grooming

Phishing - Business Email CompromiseArmed with the information obtained in Step 1, the scammer moves on to Step 2. During this step, the scammer uses spear-phishing, phone calls or other social engineering tactics to target employees with access to company finances. The grooming phase often takes several days of back and forth communication in order to build up trust. During this phase, the scammer may impersonate the CEO or another company executive and use his or her authority to pressure the employee to act quickly.

Here is an example sent to one of our Finance executives in which the sender used display name spoofing to spoof the name of our CEO. Cybercriminals will often use a free email address (notice the comcast.net domain), which can be easy to miss if you’re using a mobile device or some other client that doesn’t display the full email header.

Spear-phishing with Spoofed Display Name
Spear-phishing with Spoofed Display Name

 

 

 

 

 

 

 

 

Step 3 – Exchange of Information

phishing back accountDuring step 3, the victim is convinced that he is conducting a legitimate business transaction, and is then provided with wire transfer instructions.

Step 4 – Payment

And finally, funds are transferred and deposited into a bank account controlled by the criminal organization.Business Email Compromise bank transfer

What to Do if You Are a Victim

If you’ve suffered losses due to Business Email Compromise schemes, it is important to act quickly.

  • Contact your financial institution immediately.
  • Request your financial institution contact the institution that received the fraudulent funds.
  • Contact your local FBI office and report the incident.
  • File a complaint with the FBI’s Internet Crime Complaint Center (IC3).

You can find more detailed instructions in the FBI’s Public Service Announcement.

Want to learn more about how to protect yourself from Business Email Compromise scams? In Part 3, we’ll go over a few best practices, so check back soon!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  

Business Email Compromise – The 12 Billion Dollar Threat to Your Business

~ Brad Wyro ~ Leave a comment

This week, we begin a three-part series on the threats posed by Business Email Compromise (BEC) attacks. In Part 1, we’ll explain what BEC is and discuss various types of BEC scams. In Part 2, we’ll explain how cybercriminals launch a BEC attack, and in Part 3, we’ll discuss best practices for avoiding these types of threats.

Business Email Compromise - Recent Statistics

Email is the preferred communication method for businesses around the world. It’s also the preferred attack vector for cybercriminals due to its ease of use and low cost, and since the beginning days of email, spam techniques have continued to evolve into a variety of sophisticated threats.

One particularly menacing threat that is continuing to grow in popularity is Business Email Compromise (BEC).

BEC attacks (also known as whaling, spear-phishing or CEO fraud) use various deception tactics to impersonate a trusted contact. They employ a combination of research and social engineering techniques to impersonate business executives, real-estate firms, title companies, law firms, and even the FBI in an attempt to elicit transfers of large sums of money or the exchange of personally identifiable information (PII), which can be used in future BEC attacks and other types of cybercrime.  Victims of BEC attacks are often tricked into believing they are carrying out a routine transaction, such as filling an order with a supplier, transferring funds for an executive, or sending sensitive data to an HR representative.

Business Email Compromise email using lookalike domain
Business Email Compromise email using lookalike domain

With the exception of those with spoofed sender addresses, many BEC attacks are sent from valid email addresses using credentials obtained through phishing, brute force attacks, or data obtained in a database breach like the one that hit Yahoo in 2013.

BEC attacks often contain no malware, malicious links, or suspicious code. As a result, in many cases they are able to bypass traditional security measures, which makes them especially dangerous.

Watch Out for These Common Scams

Some of the most common examples of Business Email Compromise include:

  • Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
  • Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
  • Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
  • Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.

 Over 41,000 Victims and Growing

The statistics are staggering.  In July, 2018, the FBI released a public service announcement indicating that victims lost over $12.5 billion to BEC attacks between October 2013 and May 2018. In the United States, BEC attacks claimed over 41,000 victims during this five year period at a total loss of over $2.9 billion. In 2017 alone, the Internet Crime Complaint Center (IC3) received over 15,000 reports of BEC attacks with estimated losses of over $675 million.

Based on victim complaint data, BEC scams targeting the real estate industry are on the rise. From 2015 to 2017, there was over an 1100% rise in the number of victims of real estate BEC scams and an almost 2200% rise in financial losses. May 2018 had the highest number of real estate victims since 2015, and September 2017 reported the highest victim loss.

Recent High-Profile Incidents of BEC Scams

In 2013, Google and Facebook lost over $100 million in a scheme that impersonated a large Asian manufacturer.

In August, 2017, MacEwan University lost almost $12 million to a spear-phishing campaign that impersonated a construction and contracting company.

In June, 2017, a New York judge lost over $1M in Real Estate Scam that began as an email claiming to come from her real-estate lawyer.

And this week a report surfaced about a Dutch cinema chain losing over $21.5 million to a “strictly confidential” funds transfer request sent to the company’s CFO.

Despite efforts to raise awareness of these scams, a recent Gartner Research report indicated that BEC attacks will continue to be persistent and evasive, leading to large financial fraud losses for businesses and data breaches for healthcare and government organizations.

Why are Business Email Compromise threats so dangerous?

Business Email Compromise attacks are designed to bypass standard security mechanisms such as spam filters and anti-virus software, and are dangerous for a variety of reasons.

  • They contain no malware. BEC attacks normally don’t contain malware. Instead, they use crafty social engineering to trick users into thinking they are legitimate.
  • They are able to bypass many spam filters. BEC scams are often well-crafted with no spelling or grammatical errors. As a result, they are often able to bypass many spam filters.
  • They are highly personalized. Scammers take their time researching the victim long before an attack is launched. They scour public websites, social media, and even the dark web to find specific information, including names and background information of company executives. Armed with this information and with knowledge of an executive’s writing style, their emails appear authentic.

What is being done to stop BEC attacks?

Recently, multiple countries launched a coordinated effort to dismantle international BEC schemes. This effort, known as Operation WireWire and involving the Department of Homeland Security, the Department of the Treasury, and the U.S.  Postal Service, resulted in 74 arrests across multiple countries. Unfortunately, these attacks will continue as long as human nature can be exploited for personal gain. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.

Businesses of all sizes must remain vigilant against these threats. As the old saying goes, knowledge is power, and knowing how BEC attacks are launched and how to identify and avoid them is key.  We’ll discuss these topics in parts 2 and 3 of this series, so stay tuned!

Spread the love
  •  
  •  
  •  
  •  
  •  
  •