Business email settlement attacks are on the rise in Canada: Canadian Anti-Fraud Center

Business email settlement attacks are on the rise in Canada: Canadian Anti-Fraud Center

Last December, an employee working out of office for a Canadian firm allegedly received an email from the IT department asking them to reset their login credentials. 

This was the beginning of a complex scandal that cost the company $ 400,000 several months later due to the disorder caused by the COVID-19 epidemic. 

It falls into the category of fraud that police and security experts call "commercial email compromise" or BEC. 

BEC fraud is a big business because cyber criminals get cash in it. Credit card theft may be more common than numbers, the spread of ransomware and related data theft is accelerating but business email compromises are still good business for hackers. 

"The risk of BEC fraud is high today because there is a lot of use of the cloud and people working from home," says Tom Arnold, vice president of the payment software company, a division of the NCC Group, which investigated the Canadian scandal. COVID is making things worse, Arnold believes. "There is little in the way of control because of all remote access. 

This is quite a problem." The Anti-Fraud Center of Canada says there is a wide range of email fraud targeted by businesses. Many include urgent requests for wire transfers, while some also include requests to purchase prepaid card products. 

These scams are classified as javelin-phishing attacks and usually convince an employee to make changes to a standard business process, such as a bank account where the money usually goes. In 2019, the center received 1,041 javelin-phishing reports, 588 of which were classified as victims, reporting a total of $ 38.7 million - the largest of the $ 137 million reported in that year . 

In the first six months of this year, the center received 951 javelin-phishing reports, with 422 victims totaling $ 14.8 million in damages. Arnold, who heads his firm's forensic investigative unit, says what happened to the anonymous Canadian firm was specific. "The bad guys had established a domain similar to the corporate domain - they had certificates issued to make everything look right. They started saying [to Target] the email messages, 

'We're having problems, we're getting our cloud The email infrastructure will have to make some adjustments, and as part of this we need to reset your access credentials' included link. When an employee fell for it the attackers gained access to their email. 

In fact, they all Became a person between incoming and outgoing emails. From that account, he states that the attackers forwarded copies of the mail themselves to identify and compromise a dozen other employee accounts. 

This shows them that How the business works, and how it turns out the company received quarterly payments from the franchise. In the spring, hackers started sending notices, "We sent you this invoice, but forgot to tell you that due to COVID Bank account and routing number have changed. We had to open a separate account for your deposit. 

Please check your deposit Send the amount there. "As soon as the money was deposited, the attackers transferred the money to an unrecoverable account. 

With the money suddenly not coming to the actual bank, the accounts payable department of the firm began emailing the franchise to seek clarification. Hackers Was able to answer, in the mail. Cheek K. Sorry, this is COVID, we have been late to pay. 

"By the time the company found out it was cheated, it was worth about $ 400,000. .

The Canadian Fraud Center detailing spear phishing includes an "urgent" request from an executive to transfer a large sum of money into a foreign account for a commercial purpose; 

A similar fraud that specifically targets financial dealers, brokers, or banks from a customer who is asked to make an unusual bank transfer; 

A letter apparently issued by an employee requesting that his direct salary be deposited into a new bank account; A scammer pretending to be an executive and asking an employee to purchase gift cards whose numbers will be given to the phisher; 

And fraud on suppliers is like the Canadian case here. Recently, several cybersecurity vendors released reports on the latest trends in BEC scams. Barracuda Networks says it has identified 6,170 malicious accounts since January using Gmail, AOL, and other email services that have been responsible for more than 100,000 BEC attacks on nearly 6,600 organizations worldwide. 

Since April 1, malicious accounts have been behind 45 percent of detected BEC attacks. "Cybercriminals prefer their email malicious service to be Gmail, which makes sense because it is accessible, free, easy to sign up and has a reputation high enough to pass email security filters," the report says. Of the 6,600 incidents examined in several cases, cyber criminals used the same email addresses to attack different organizations. 

The number of organizations attacked by each malicious account ranged from one attack to one mass attack that affected 256 organizations - four percent of all organizations included in this research. 

While experts say multi-factor authentication is necessary to reduce the likelihood of email accounts being hacked, a report this month from Abnormal Security warns that it is seeing an increase in BEC attacks successfully hijacking email accounts despite the use of multi-factor authentication (MFA) and Microsoft's conditional access. Office. 

The report notes that legacy email protocols, including IMAP, SMTP, MAPI, and POP, do not support MFA, making it possible for attackers to easily bypass multi-factor authentication using these protocols. The report says many popular apps - such as those used by mobile email clients (for example, iOS Mail for iOS 10 and earlier) - do not support modern authentication. 

As a result, MFA cannot be enforced when the user logs into their account with one of these apps. Office 365 provides the ability to configure conditional access policies, which prevent access from legacy applications that are often targeted for password sprinkler campaigns. However, the report notes that conditional access is not included with all licenses. 

Legacy apps are still in widespread use in most organizations, so banning all users from legitimate access with these apps would be totally devastating to the workforce. Also, legacy access is enabled by default in the O365. 

"A common pattern we observed in account acquisitions is that after being banned by MFA, the attacker will immediately switch to using an outdated app," the report says. “In fact, most credential filling campaigns use legacy apps like IMAP4 to make sure they don't run into difficulties with the MFA at any point in time. 

Additionally, even with the conditional access policy enabled, Abnormal noticed successful account acquisitions where the attacker bypassed Policy by hiding the name of the application that he was using. " In one case, the attacker initially tried to log in with an old app but was blocked by Conditional Access. 

Then the attacker waited several days before trying again, this time with application information hidden, and gained access to the account. 

"This example demonstrates that while most account hijacking attempts employ brute force attacks and password-sprinkling techniques, some attackers are systematic and intentional." 

What should organizations do to thwart BEC attacks? 

Barracuda Networks urges ICT professionals to use solutions that can detect unusual senders, requests and other communications, leverage threat information and have employees undergo security awareness training. Arnold also says training employees to recognize phishing messages is vital. 

Employees also need to understand that management must be notified if someone requests changes to a specific payment process. Don't just believe the things that appear in your email, text messages, or phone calls. Pause, pause and say 'I'm back to you' and call the help desk.