According to an alert published by the FBI in January 2019, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused 10 billion in losses since October 2013. Traditionally, social engineering and phishing have been the most common ways to gain access to business email accounts and dupe individuals into wiring funds to an attacker-controlled account. BEC attacks in particular target the CEOs, CIOs, CFOs and finance controllers of an organization. Millions of dollars are stolen every year from victims who are tricked into initiating wire transfer payments through social engineering tactics and email breaches.
The traditional ways of compromising an enterprise email account:
- Social engineering and email spoofing: humans are the most vulnerable component, so hackers use social engineering to pose as a colleague, partner or vendor and send fake requests for information or for the transfer of funds. These emails look the same as legitimate ones but are sent from a lookalike domain registered by the attacker (ex: gmail.in instead of gmail.com), so at first glance the email appears to belong to a colleague or vendor.
- Account takeover: hackers use phishing and malware to gain control of an enterprise email account. The most common targets are the enterprise mailboxes of CEOs, CIOs, CFOs, finance controllers and vendor managers. Once the hacker has control, they can also edit the mailbox rules so that the victim's incoming messages are forwarded to the hacker, or so that the emails the hacker sends are deleted from the list of sent emails.
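The lookalike-domain trick described above (gmail.in for gmail.com) can be caught mechanically before a finance user acts on the message. The following Python is an added example, not code from the original article; the trusted-domain list and the sample sender addresses are constructed for illustration, and it treats only the second-level label and a single-label TLD (it does not handle public suffixes such as .co.uk).

```python
"""Classify sender domains as trusted, lookalike (TLD swap, typo, homoglyph
substitution or embedding of a trusted name) or unrelated.
Added example; not from the original article. Trusted domains and sample
senders are constructed."""
from typing import Dict, List, Tuple

# Constructed: domains the finance team legitimately receives mail from.
TRUSTED_DOMAINS = {"gmail.com", "example-vendor.com", "acme-corp.com"}

# Character substitutions commonly used to build lookalike domain names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label: str) -> str:
    """Collapse homoglyph substitutions so that 'acrne' compares equal to 'acme'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, tld); assumes a single-label public suffix."""
    parts = domain.lower().strip().split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike:<reason>(<trusted domain>)' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    # Exact match or a subdomain of a trusted domain (mail.acme-corp.com) is fine.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    sld, tld = split_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_sld, t_tld = split_domain(trusted)
        if sld == t_sld and tld != t_tld:
            return f"lookalike:tld-swap({trusted})"          # gmail.in vs gmail.com
        if sld != t_sld and normalise(sld) == normalise(t_sld):
            return f"lookalike:homoglyph({trusted})"         # acrne-corp vs acme-corp
        if edit_distance(sld, t_sld) <= 2:
            return f"lookalike:typo({trusted})"              # gmial vs gmail
        if t_sld in sld:
            return f"lookalike:embedded({trusted})"          # example-vendor-invoices
    return "unrelated"


def scan(addresses: List[str]) -> Dict[str, str]:
    """Classify every address in a list; returns address -> verdict."""
    return {a: classify_sender(a) for a in addresses}


# Constructed sample senders, one per case the classifier handles.
SAMPLE_SENDERS = [
    "cfo@acme-corp.com",
    "billing@mail.example-vendor.com",
    "cfo@gmail.in",
    "cfo@acrne-corp.com",
    "ap@gmial.com",
    "ap@example-vendor-invoices.com",
    "news@newsletter.example.org",
]

if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_SENDERS).items():
        print(f"{addr:40} {verdict}")
```

In practice the verdict would be attached as a mail header or a banner by the mail gateway so that a message from a lookalike domain asking for a payment is visibly marked before it reaches the finance team; the edit-distance threshold of 2 is a starting point and should be tuned against the organization's real sender list to keep false positives down.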
The techniques above have served threat actors well in previous years, but hackers are now more advanced and faster methods of gaining access to business email accounts are emerging. Stolen credentials offered on hacker forums, misconfigured backups and unencrypted plain-text data transfers make it easier than ever to profit from BEC. Email is also used not only to request wire transfers or steal money, but to steal the personally identifiable information (PII) stored within these accounts and the company trade secrets and patterns communicated through enterprise email.
Here is how hackers are exploiting enterprise email with these newer methods:
- Paying for access. Hackers steal enterprise email login credentials and sell them on hacker forums, where they are shared among other hackers. The mailboxes of the CEO, CIO and CFO are the most sought after, ahead of ordinary employees. It is even possible to outsource this work to online hackers who will acquire company credentials for a percentage of the earnings or for a set fee starting as low as $200.
- Hacking with previously compromised credentials. Employees frequently reuse the same password across different accounts and applications. Cyber security research has found that more than 30,000 finance department and CXO email accounts have been hacked because the same password was reused for other applications. With many finance department and CXO username and password combinations already compromised, hackers can get lucky.
- Searching misconfigured email archives and file stores. Inboxes, particularly those of finance departments and CEOs/CFOs, are full of financially sensitive information such as vendor invoices, purchase orders and contract agreements. A hacker who compromises these corporate email accounts finds contract scans, purchase orders, and payroll and tax documents, which they can use themselves or sell to a competitor. The worst vulnerability is an email archive stored on a misconfigured file storage system, where hackers can easily retrieve all of this sensitive information.
Risk mitigation plan for BEC attacks:
- Build a security awareness culture within the organization through a security awareness program. BEC case studies should be included in security awareness training, which should be part of new hire training and of the monthly security awareness training for employees, especially those who work in the finance team.
- Apply separation of duties: any sensitive or critical task must be approved by two or more associates before it is carried out. This information security principle should be applied to wire transfers and all financial transactions; wire transfer applications should require multi-person authorization and a manual control to approve any wire transfer.
- Monitor email traffic and exposed credentials. This is crucial for finance department and CXO mailboxes, but it is important for all user accounts. Multifactor authentication makes account takeover much harder for hackers, so it should be implemented for the finance team and CXO mailboxes.
- Prevent email archives from being publicly exposed. For services such as Server Message Block (SMB), rsync and the File Transfer Protocol (FTP), use a strong, unique password, disable guest or anonymous access, and firewall the port off from the Internet. If Internet access is genuinely required, whitelist only the IP addresses that are permitted to access the email archive.
- Prohibit employees from backing up email archives to personal storage devices, and train them on the risks of using such devices. Any backup of email archives or company proprietary information should go through the enterprise backup system so that vendors and employees never feel the need to back up to a personal device.
BEC is becoming increasingly profitable for hackers because organizations make it easy for them to gain access to the valuable information that sits within these inboxes. With the right combination of people, processes and technology, however, organizations can mitigate the risk.
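The monitoring item in the mitigation plan above pairs naturally with the mailbox-rule tampering described under account takeover: after a takeover, the rules an attacker adds (external forwarding, silent deletion of invoice or payment mail, hiding mail in rarely viewed folders, blank rule names) are visible to an administrator and can be audited on a schedule. The following Python is an added example, not code from the original article or from any mail platform; the InboxRule record, the company domain and the sample rules are constructed and only loosely modelled on the fields mail platforms expose through their admin APIs.

```python
"""Audit a mailbox's inbox rules for post-takeover tampering patterns.
Added example; not from the original article. Rule records, company domain
and sample rules are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple

COMPANY_DOMAINS = {"acme-corp.com"}  # constructed: the organization's own mail domains
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance")
# Folders attackers commonly use to hide mail from the mailbox owner.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}


@dataclass
class InboxRule:
    """Constructed, simplified view of one inbox rule."""
    rule_id: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of the company's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS


def audit_rule(rule: InboxRule) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one rule; disabled rules are ignored."""
    findings: List[Tuple[str, str]] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    finance = [k for k in rule.subject_contains
               if any(f in k.lower() for f in FINANCE_KEYWORDS)]
    if external:
        findings.append(("high", "forwards or redirects mail outside the company to "
                         + ", ".join(external)))
    if rule.delete_message:
        if finance:
            findings.append(("high", "silently deletes messages whose subject contains "
                             + ", ".join(finance)))
        else:
            findings.append(("medium", "deletes matching messages"))
    if rule.move_to_folder.lower() in HIDDEN_FOLDERS and (finance or external):
        findings.append(("medium",
                         f"moves messages into rarely viewed folder '{rule.move_to_folder}'"))
    if len(rule.name.strip()) <= 1:
        findings.append(("low", "rule has a blank or single-character name"))
    return findings


def audit_mailbox(rules: List[InboxRule]) -> List[Tuple[str, str, str]]:
    """Flatten findings across a mailbox as (rule_id, severity, reason) tuples."""
    return [(r.rule_id, sev, why) for r in rules for sev, why in audit_rule(r)]


# Constructed sample: one benign rule, one typical attacker rule, one hiding
# rule, and one disabled leftover that should not be reported.
SAMPLE_RULES = [
    InboxRule("r1", "Vendor newsletters", subject_contains=["newsletter"],
              move_to_folder="Newsletters"),
    InboxRule("r2", ".", forward_to=["ap.acme@webmail.example"],
              subject_contains=["invoice", "wire transfer"], delete_message=True),
    InboxRule("r3", "Cleanup", subject_contains=["payment"],
              move_to_folder="RSS Subscriptions"),
    InboxRule("r4", "Old forward", enabled=False, forward_to=["me@personal.example"]),
]

if __name__ == "__main__":
    for rule_id, severity, reason in audit_mailbox(SAMPLE_RULES):
        print(f"{rule_id} [{severity}] {reason}")
```

Run daily against the finance team and CXO mailboxes, any new high-severity finding is worth treating as a possible account takeover and checking alongside the sign-in logs and recent multifactor enrolment changes for that user.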