Business Email Compromise incidents, (Fri, May 18th)

Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business emails. Often O365, but also some Gmail and on premise systems with webmail access.

The objective is simple, use the system to convince the organisation, or a customer of the organisation to pay a fake invoice and transfer the money overseas. The average net of these breaches is around $85,000, but there have been cases well into the 7 figures. So quite worthwhile for the attacker.  Most organisations are not set up to prevent or detect this kind of attack until it is too late. 

Whilst similar to whaling emails the approach is more thought out and structured. The attacks are typically targeted. There are two scenarios we usually see:

  1. Compromise victim company, identify invoices to be paid by the victim, spoof the company to be paid and convince the victim to pay to an incorrect account.
  2. Compromise victim company, identify customer invoices to be paid to the victim, Spoof the victim and convince customers to pay invoices into an incorrect account.

The steps in the attack are relatively similar:

  1. Send Spear phishing email to selected targets 
    • This will have been harvested from your web sites, linkedin or other social media. 
    • The email is often a “here is a document”, your o365/Gmail account password has expired, etc. Although we have seen incidents where the password may have just been a lucky guess.
  2. The victim “logs in” to the service, exposing their password.
    • In most incidents the owner of the mailbox can’t rember. Check the proxy logs, you’ll find the click. 
  3. Attacker logs into the victim’s email
    • sets up forwarding rules to an external email address and may also set up rules for emails with certain subjects or from certain email addresses to be sent directly to trash. 
    • Often the mailbox owner never sees any of the emails.
  4. The attacker monitors/searches the emails for opportunities.
    • They look for invoices recently sent, about to be sent or received or about to be paid.
  5. Change payment details
    • Emails are sent saying there is an issue or banking details have changed.
  6. Put on pressure to pay
    • We’ve seen emails being used in this, reaching out to multiple people in an organisation, but also actual phone calls. 
  7. Transfer money overseas. 
    • Usually we don’t see this, but when talking to the banks usually we find the money has been transfered overseas. Lately however, they have been using several banks in Hong Kong and use swift payments to get the money overseas

Often other internal compromised accounts are cc’ed ,adding some legitimacy.  In several instances the attackers created a domain, web site and appropriate email addresses on a slightly different domain than the company whose invoice needed to be paid. This provided them with much more control over the conversation. Including a phone number to call in the event that there is a problem with the transfer. 

In several cases, once the payment detail notification was sent through, a follow up phone call is placed to make sure it sticks and of course also to head off the possibility that the victim company makes a verification call.  

There are a few opportunities to detect or prevent these kinds of attacks:

  • Prevent
    • Have a robust payment changing process – validate using details you have in your database and call them regardless of whether someone called you
    • Don’t pay to overseas accounts – especially when previous invoices were payed within the country.
    • Check previous payments – Where did they go, is this different, if so halt the payment. 
    • Disallow forwarding rules to external addresses – This won’t stop it, but does make it more difficult
    • Multi Factor Authentication (MFA) on mail 
  • Detect
    • Logins from locations other than your office
    • Logins where the IP address changes – we see many use open proxies when logging into a victim account. In logs that looks like the person travels rapidly across the globe.
    • Regularly interrogate rules created in the email product – this is often how we find the other compromised accounts. 

With some education of the accounts payables team, some log monitoring, MFA on mailboxes and some decent payment change processes this attack will be less effective and devastating.  


Mark H – Shearwater

PS if you have nice ways of detecting or preventing this kind of attack, by all means share. 





(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

No comments yet.

Leave a Reply

Please leave these two fields as-is:

Protected by Invisible Defender. Showed 403 to 1,343,191 bad guys.