emPower
The business email compromise attack targeted more than 120 businesses

How a business email compromise attack targeted businesses with a gift card scam

Microsoft has exposed a large Business Email Compromise attack targeting businesses across the globe. The attackers are trying to trick people into buying gift cards, and they are using typo-squatted domains to make their emails look legitimate.

The BEC attack has targeted more than 120 businesses across the globe. This includes firms in manufacturing, real estate, agriculture, consumer goods, and professional services as well.

Without proper training, these attacks are difficult to spot. And they can be really costly. This is evident from the financial losses attributed to such attacks. Last year, businesses lost $1.8 billion to BEC.

Before we look at the Microsoft report, let’s first try to understand what business email compromise is. In the last part, we’ll look at how you can mitigate the risk, and how good training can help you secure your business against BEC attacks.

What is Business Email Compromise?

Do you receive emails from your CEO asking you to authorize money transfers on his behalf? Or, do vendors email you payment requests regularly?

Criminals actively scan organizations for such interactions. And, when the time is ripe for exploitation, they raise a fake payment request, a request that looks real, but asks you to wire payments to a bank account that’s under their control. This is Business Email Compromise.

Another version of this attack is when the malicious email asks you to buy gift cards.

The scam detected by Microsoft belongs to the second category. As per the report, the attack is being carried out using newly bought domains that are typo-squatted versions of legitimate websites. BEC gangs prefer such domains as messages sent from them can fool an unsuspecting target easily.

How do Business Email Compromise attacks work?

In this campaign, attackers have targeted executives of more than 120 businesses.

First, the targeted individual is sent a vague request for help. The email is disguised to impersonate a member of the workforce known to the target. When the person replies to the message, the attackers send a second email. This time, the message tries to lure the potential victim into buying gift cards.

In some cases, the attackers send an email with a fake reply in it. The trick can fool a target into replying to the attacker, thinking that the message is a part of an ongoing conversation. Generally, such baits can be caught by checking the headers, as the email won’t have the In-Reply-To and References headers. But, in this case, Microsoft discovered that the attackers were modifying the email headers as well.
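A defender-side version of this header check, as an added Python example that is not from the original article or from Microsoft's report. Because the threading headers can be forged, it goes one step beyond the text and also compares the cited Message-IDs with IDs the mailbox really sent; the `sent_ids` input and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

MSG_ID = re.compile(r"<[^<>\s]+>")

def reply_verdict(raw, sent_ids):
    """Judge a message that presents itself as a reply.

    sent_ids: Message-IDs this mailbox really sent (assumed to be available
    from the Sent folder or gateway logs; hypothetical input).
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    cited = set(MSG_ID.findall(
        (msg.get("In-Reply-To") or "") + " " + (msg.get("References") or "")))
    if not subject.startswith("re:") and not cited:
        return "not-a-reply"
    if not cited:
        # The simple bait: looks like a reply, but has no threading headers.
        return "fake-reply: threading headers missing"
    if cited & set(sent_ids):
        return "reply-to-known-thread"
    # Headers are present but point at a thread this mailbox never started.
    return "fake-reply: cites unknown thread"

# Constructed sample data (not taken from the campaign).
SENT_IDS = {"<a1b2@corp.example>"}
GENUINE = ("From: vendor@partner.example\nSubject: Re: Q3 invoice\n"
           "In-Reply-To: <a1b2@corp.example>\nReferences: <a1b2@corp.example>\n"
           "\nThanks, received.\n")
BARE = ("From: boss@c0rp.example\nSubject: Re: Quick favor\n"
        "\n> Sure, how can I help?\nPlease call me.\n")
FORGED = ("From: boss@c0rp.example\nSubject: Re: Quick favor\n"
          "In-Reply-To: <zz99@c0rp.example>\nReferences: <zz99@c0rp.example>\n"
          "\n> Sure, how can I help?\nPlease call me.\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("bare", BARE), ("forged", FORGED)):
        print(name, "->", reply_verdict(raw, SENT_IDS))
```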

Other Types of Business Email Compromise

However, BEC scams aren’t limited to demands of gift cards. Let us look at the other four common forms of the attack.

  1. The attacker would pretend to be a vendor requesting payments for services. Often such attacks impersonate real vendors, and forge an email similar to the messages you receive regularly.
  2. In this case, the attacker would pretend to be the CEO or another higher official of your business. Generally, such attacks ask you to make invoice payments or wire money to an account shared in the message.
  3. Another form of BEC attack impersonates the legal firm used by your organization. The email would make requests for sensitive information or payments, and would also ask you to maintain confidentiality.
  4. A more dangerous form of BEC involves hacking of an employee’s account. The hacked account is then used to request payments or a change of banking information.

BEC attacks aren’t limited to financial crimes only. Criminals use these attacks to steal sensitive information, compromise more users, and install malware as well. Last year, researchers uncovered a BEC attack, disguised as a corporate request, that tried to install the Netwire RAT on victims’ computers. The emails had a fake sales quotation as an attachment. Clicking the attachment would drop the malware on the computer.

How to protect against Business Email Compromise?

Unfortunately, these attacks aren’t easy to spot. This is because BEC gangs are well-known for studying their targets. To do this, first, they compromise the emailing systems of their target. Sometimes, the attackers sit in the system for months to understand your habits, and look for an opportune moment. Then, at the appropriate time, they would drop you a fake email, asking you to make the payments. It could come as an email from your mortgage company asking you to close the escrow, or an urgent wire request from your CEO to close a business deal.

The best protection against BEC attacks is vigilance. First, take a close look at the emails that you receive. Look for grammatical mistakes and deviations from the sender’s emailing style, and be cautious if the email tries to impose a sense of urgency. Secondly, verify transactions using a different channel. Call the person, but never use phone numbers given in the email. Most importantly, activate multi-factor authentication for your financial transactions.

And lastly, learn secure email habits. This includes inspecting email attachments and links, and checking the email address of the sender.

How to identify email spoofing

Microsoft lists three types of email address spoofing, namely –

  1. User impersonation

The sender address would look like the real one, but on close inspection, you’d find that the threat actor has made subtle changes to it by using spelling tricks or adding special characters.

For instance, johndoe@gmail.com would become johnd0e@gmail.com. Notice that the character ‘o’ of Doe has been replaced with zero ‘0’.

  2. Domain impersonation

In this case, the threat actors use a spoofed domain to mimic the sender’s email address. They would send a payment request from johndoe@gmai1.com expecting that you wouldn’t notice the replacement of ‘l’ of Gmail with the numeral ‘1’.

  3. Exact domain spoofing

Unfortunately, such spoofing cannot be spotted by studying the sender field. The fake emails use a replica of the sender’s email. In such cases, the threat actor would send the email from BEC@theif.com, but when you’d check the sender field, you’d see johndoe@gmail.com, which is the correct email address of your vendor. Such attacks are difficult to spot.

And this is why you need to consider multi-factor authentication for all your financial transactions. Moreover, you should activate 2FA on your email addresses as well.
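The three spoofing types above can be told apart mechanically. The following is an added Python example, not code from the original article or from Microsoft; it assumes the receiving server recorded the envelope sender in a `Return-Path` header, and the contact list, character map, and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Digit-for-letter swaps of the kind described above (0 for o, 1 for l).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(text):
    """Fold look-alike characters so 'gmai1' and 'gmail' compare equal."""
    return text.lower().translate(LOOKALIKES)

def split(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def classify_sender(raw, known):
    """known: set of lower-case addresses of real contacts (assumed input)."""
    msg = message_from_string(raw)
    frm = parseaddr(msg.get("From", ""))[1].lower()
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    local, domain = split(frm)
    if frm in known:
        # Displayed sender is correct; check where the mail really came from.
        if env and split(env)[1] != domain:
            return "exact-domain-spoofing"
        return "known-sender"
    for contact in known:
        k_local, k_domain = split(contact)
        if domain == k_domain and skeleton(local) == skeleton(k_local):
            return "user-impersonation"
        if domain != k_domain and skeleton(domain) == skeleton(k_domain):
            return "domain-impersonation"
    return "unknown-sender"

def sample(frm, return_path):
    """Build a constructed test message with the given headers."""
    return (f"Return-Path: <{return_path}>\nFrom: John Doe <{frm}>\n"
            "Subject: Payment request\n\nPlease see the attached invoice.\n")

KNOWN = {"johndoe@gmail.com"}  # constructed contact list

if __name__ == "__main__":
    for frm, rp in (("johndoe@gmail.com", "johndoe@gmail.com"),
                    ("johnd0e@gmail.com", "johnd0e@gmail.com"),
                    ("johndoe@gmai1.com", "johndoe@gmai1.com"),
                    ("johndoe@gmail.com", "BEC@theif.com")):
        print(frm, rp, "->", classify_sender(sample(frm, rp), KNOWN))
```

A Return-Path that differs from the From domain also occurs with legitimate bulk-mail services, so treat that verdict as a prompt to verify through another channel; the receiving server's DMARC result is the stronger signal.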

Business Email Compromise Training

In our opinion, only good training can prepare your team for such malicious attacks. Spotting spoofed emails, in the midst of a chaotic day, can be difficult. Without proper training, anyone can miss the subtle difference between an ‘l’ and a ‘1’. Spotting such an attack demands practice, and knowledge of how email threats work. Well-designed training can provide you both.

When you train your employees, consider adding strong password practices, good email habits, and proper use of mobile devices to your training module. This is because criminals use multiple methods to compromise email accounts. This includes password attacks and hacking mobile devices using WiFi.

Besides, BEC isn’t the only cyber threat out there. Malware and Ransomware attacks can be equally damaging. Your team should know about them. Along with cyber threats, you should train them on physical security too. The training would help them guard against unintentional disclosures. BEC threat actors have been known to infiltrate their targets physically as well.

Jessica Holland
