Breaking Down Business Email Compromise
What is a Business Email Compromise and why should cyber security professionals care?
Author: Keith Roberts, Senior Information Security Analyst
The FBI categorizes business email compromise (BEC) scams into three specific brands. While there are certainly hybrid forms, for this article we are focusing on the big three. Today we’re going to dive into the “Account Compromise” BEC attack.
Company A has an employee email account compromised. Fake invoices are sent to company B, which is in a business relationship with Company A. The invoices will fool all but the savviest of finance team members. Prevention should include process review from the finance team.
The “fake invoice” scam (otherwise known as Vendor Email Compromise)
Fraudsters research a target organization. They send the target organization an invoice requesting payment from a company that the target does business with. Though not as efficient as the next tactic, it is much easier to pull off
Criminals spoof an organization’s domain and send emails appearing to originate from the CEO to high risk employees (finance, HR, executives), usually asking for a “wire transfer,” though this attack is not limited to only wire transfer requests.
The Four Phases of Account Compromise Attacks
Phase 1– Initial Compromise
I’ve seen many Account Compromise BEC attacks in the past five years through industry peers and personal experience. Some were very well crafted and were caught only by well-trained eyes, others poorly written and containing many clues to their illegitimacy – these unfortunately do succeed. Almost all these BEC attacks started with a simple landing page.
Figure 1: Spoofed 0365 Login Page
An employee at company A was phished with a credential harvesting email. The recipient entered their credentials and now the criminal has control of that email account. The preparation can take months while the fraudster gathers intelligence on the target using open source gathering from social media sites and online searching. This opening phase is arguably the most important in the hacker’s attack – underpreparation comes with the risk of a failed operation.
This phish would have been one of two types:
- Specifically crafted with research into the targets company, colleagues and business partners of the victim.
- Opportunistic mass phish, where the attacker casts a wide net hoping for a bite.
Phase 2 of the Attack – Waiting
Now the hacker sits and waits, observing the email traffic coming in and out of the account. They may have set an auto forward rule into the victim’s email – this way they can slip into an email thread without the victim knowing, collecting information such as:
- Invoices, payment slips
- Employee names and contact information
- Names of colleagues in the victim(s) department
- Payment cadence
- Email tone and punctuation between company representatives
The perpetrator is gathering intelligence and waiting for the perfect time to execute the next phase of the attack. The attacker needs to understand the victim organizations entire workflow. Payment schedules are noted here because if the fraudster send an invoice before one is due, that would draw unwanted attention to the attack. The goal here is to observe transactions, conversations, and exchanges taking place within that compromised email account. This is crucial for when the fake email is created to the point of being undetectable.
Phase 3 of the Attack – The Switch
The third phase will involve the criminal sending an email from company A’s compromised email account to a finance employee at company B. If they’re good at what they do, the fake invoice will be near perfect, with minor changes including address, bank account, routing number and phone number. The hacker could have been sitting on communications from company B if they were auto forwarded to his/her account. So, the subject line could read something like “URGENT: LATE PAYMENT” or “PAYMENT NOT RECEIVED” and finally “NOTICE OF BANK CHANGE”. This tactic is intended for the recipient to elicit an emotional response.
Figure 2:Original Invoice on the Left – Altered Invoice on the Right
Phase 4 of the Attack – Financial Fraud
Urgency can leave the recipient in a panicked state and they don’t always see the clear mistakes in the email body and on the invoice. This is where the company B employee makes a payment to the criminal’s bank account. Though things did not add up, the proper verifications were not checked, and the payment was made. This can often leave both companies involved in the fraud in a financial and potentially legal bind, but more on that later.