Why is Business Email Compromise (BEC) posing such a threat to organisations both large and small? How are international organised crime networks successfully hijacking invoices?
A look at how the scams are taking place and the lengths the fraudsters are going to is extremely revealing.
IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered and analysed the Modus Operandi (MO) of a BEC threat group in the first half of 2018.
The investigation started after the team experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. Nearly all of these cases were Invoice Hijacking where the fraudsters successfully used business email compromise (BEC) scams to convince accounts payable personnel to make payments via wire transfer to bank accounts that were controlled by the fraudsters. The attacks resulted in the theft of millions of dollars.
- How fraudsters used email as both the way in and as the means of perpetrating the frauds
- The sophisticated social engineering tactics that underpinned the deception
- How the attacks were carried out without compromising IT security
The attackers targeted the accounts payable teams within businesses. To get in, they needed access to employees' email accounts. They targeted Microsoft 365 users – not because it was easy to compromise, but because once inside the fraudsters had the information and tools needed for success.
Using publicly available information, the fraudsters sent a mass ‘phishing’ email with links to a fraudulent ‘DocuSign’ portal requesting the user to authenticate via his or her email provider in order to download a document. Neither the email nor the portal contained any malware to be downloaded to the user’s machine; the only thing harvested was the user's credentials.
For those companies with single-factor authentication on their MS 365 accounts (i.e. username and password only), any user who followed the instructions had now handed the attackers access to their mailbox. Targeting the email web portals ensured that the attackers were able to break in without ever touching the victim’s corporate network.
Once inside a user’s email account, the attackers had the whole corporate address book at their disposal. It was then possible to specifically target personnel within the organisation’s accounts payable department and compromise their accounts in the same way.
X-Force IRIS analysts suggest that it was likely that attackers undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
The fraudsters used tactics that play on common flaws in accounts payable practice. In the view of the analysts, attackers chose to impersonate vendors or associated companies with established relationships to the client and targeted specific people in the organisational chart to enhance the credibility of the scam. It is believed that there was a significant investment of time to research, understand processes, identify victims and mimic patterns of communication and language.
To keep victims whose email accounts had been compromised unaware of the scam, the attackers created email rules to filter emails and replies out of the inbox.
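The mailbox rules described above (filtering replies out of the inbox so the account owner never sees them) leave a trace in mailbox audit logging, and that trace is one of the few detection opportunities in an attack that never touches the corporate network. The following is an added example, not code from the article or from IBM X-Force IRIS: a small Python triage script that scans constructed audit records in a simplified rendering of the Exchange Online unified audit log format (field names `UserId`, `Operation` and `Parameters` follow that log; the rule parameter names such as `SubjectContainsWords`, `MoveToFolder`, `ForwardTo` and `DeleteMessage` are the real `New-InboxRule` cmdlet parameters) and flags rules with the hallmarks of BEC concealment: finance-related keyword filters, mail moved into folders nobody reads, deletion, forwarding to an external address, or a near-empty rule name. The sample records and the internal domain `example-corp.com` are invented for the example.

```python
import json

# Constructed sample records (simplified unified-audit-log shape; values invented).
SAMPLE_AUDIT_LOG = [
    json.dumps({
        "CreationTime": "2018-05-02T08:14:51",
        "UserId": "ap.clerk@example-corp.com",
        "Operation": "New-InboxRule",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2018-05-02T08:16:03",
        "UserId": "ap.clerk@example-corp.com",
        "Operation": "New-InboxRule",
        "Parameters": [
            {"Name": "Name", "Value": "fwd"},
            {"Name": "From", "Value": "billing@trusted-vendor.example"},
            {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({  # benign rule: newsletter filing, should not be flagged
        "CreationTime": "2018-05-03T11:02:17",
        "UserId": "hr.lead@example-corp.com",
        "Operation": "New-InboxRule",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@industry-weekly.example"},
            {"Name": "MoveToFolder", "Value": "Reading"},
        ],
    }),
    json.dumps({  # unrelated operation, skipped entirely
        "CreationTime": "2018-05-03T11:05:40",
        "UserId": "hr.lead@example-corp.com",
        "Operation": "MailItemsAccessed",
        "Parameters": [],
    }),
]

FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "hacked", "account"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
INTERNAL_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own mail domain(s)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def rule_parameters(record):
    """Flatten the Parameters list of an audit record into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def mentions_finance(value):
    """True if any ';'- or space-separated word in a keyword filter is a finance term."""
    words = {w.strip().lower() for w in value.replace(";", " ").split()}
    return bool(words & FINANCE_TERMS)


def assess_rule(record):
    """Return the list of reasons a rule looks like BEC concealment (empty if benign)."""
    params = rule_parameters(record)
    reasons = []
    if not params.get("Name", "").strip(" .-_"):
        reasons.append("near-empty rule name")
    for field_name in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        if field_name in params and mentions_finance(params[field_name]):
            reasons.append(f"{field_name} matches finance terms")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    for field_name in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(field_name, "")
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"{field_name} external address {target}")
    return reasons


def find_suspicious_rules(lines):
    """Scan JSON audit lines and return findings for inbox-rule operations with reasons."""
    findings = []
    for line in lines:
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = assess_rule(record)
        if reasons:
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "rule": rule_parameters(record).get("Name", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f["time"], f["user"], repr(f["rule"]), "->", "; ".join(f["reasons"]))
```

In practice the same checks belong in whatever SIEM query runs over the mailbox audit feed, alerting on rule creation shortly after a sign-in from an unfamiliar location; the script's scoring is deliberately simple so the conditions can be lifted straight into a detection rule.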
Once a fraudster has access to an email account they are able to pose as that user.
They now need to execute a credible deception. One such scam involves getting the organisation’s clients to divert payments for genuine invoices into accounts controlled by the fraudster. This is as simple as creating a believable basis for changing the destination bank account.
This scenario has proved successful in a number of cases:
1. An expected invoice is released by the genuine user with payment terms of 30 days.
2. A few days ahead of the expected payment date an email from the user’s account is sent by the fraudster. It tells clients that their bank account has been hacked and to “PLEASE HOLD OFF PAYMENTS ON ALL OUTSTANDING INVOICES”.
3. A few days later a subsequent email is sent from the user’s account by the fraudster – telling clients that the issue has been resolved, but that doing so has required a change of bank account. Here are the new details.
4. The Accounts Payable contact updates the payment details, relieved that the security risk has been averted (not knowing that they are actually making payment to an account controlled by the fraudsters).
5. The deception is not detected until the supplier’s Accounts Receivable process for late payment kicks in – by which time the money has been whisked away by the attackers.
In some cases an Accounts Payable team may have a protection measure whereby any change in bank details has to be verified with a phone call to the supplier. However, this is easily overcome by a fraudster inserting a step between the first and second steps above: an email requesting that clients update the contact details they hold on file for the supplier. Setting up a credible telephone number is not difficult, and the “verification” call then goes straight to the fraudster.
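The weakness in the phone-call control is that the number being called was itself supplied by email. A control that survives the extra step treats contact changes the same way as bank changes: a newly supplied number goes into a probation period during which callbacks still go to the number previously on file. The following is an added example, not code from the article or from IBM X-Force IRIS: a Python model of a vendor-master change workflow with that rule, replaying the sequence above (contact update, hold-payments email, new bank details) to show that the callback lands with the genuine supplier, who does not recognise the new account. The vendor, phone numbers, account strings and the 30-day `PROBATION_DAYS` value are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PROBATION_DAYS = 30  # assumption: how long a newly supplied number is unusable for callbacks


@dataclass
class PhoneOnFile:
    number: str
    recorded_on: date
    source: str  # how the number was obtained: "contract", "email", "callback"


@dataclass
class Vendor:
    vendor_id: str
    bank_account: str
    phones: list = field(default_factory=list)

    def callback_number(self, today):
        """Most recent number that has been on file longer than the probation period,
        i.e. one a fraudster could not have planted in the run-up to the bank change."""
        aged = [p for p in self.phones if (today - p.recorded_on).days >= PROBATION_DAYS]
        if not aged:
            return None
        return max(aged, key=lambda p: p.recorded_on).number


def record_contact_change(vendor, new_number, today):
    """A contact change arriving by email is recorded but only starts its probation clock."""
    vendor.phones.append(PhoneOnFile(new_number, today, "email"))


def evaluate_bank_change(vendor, new_account, today, confirmed_by_callback=None):
    """Decide what to do with a bank-detail change that arrived by email.

    confirmed_by_callback: the account the supplier read back when called on the
    aged number (None if the call has not happened yet).
    """
    number = vendor.callback_number(today)
    if number is None:
        return {"decision": "escalate", "reason": "no phone number on file older than probation"}
    if confirmed_by_callback is None:
        return {"decision": "callback_required", "call": number}
    if confirmed_by_callback == new_account:
        vendor.bank_account = new_account
        return {"decision": "approved", "call": number}
    return {"decision": "rejected", "call": number,
            "reason": "supplier did not confirm the new account"}


def replay_invoice_hijack():
    """Walk the article's sequence under this control. All data constructed."""
    day0 = date(2018, 5, 1)
    vendor = Vendor("V-1001", "GB00 OLD-BANK 0001",
                    [PhoneOnFile("+44 20 7000 0001", date(2017, 9, 12), "contract")])
    # Extra step: "please update the contact details you hold for us"
    record_contact_change(vendor, "+44 20 7999 9999", day0 + timedelta(days=5))
    # Steps 1-2: "we were hacked, hold payments", then "here are the new bank details"
    first = evaluate_bank_change(vendor, "LT00 MULE-BANK 9999", day0 + timedelta(days=25))
    # The callback uses the contract number, not the one planted by email; the genuine
    # supplier reads back its original account, so the change is rejected.
    second = evaluate_bank_change(vendor, "LT00 MULE-BANK 9999", day0 + timedelta(days=25),
                                  confirmed_by_callback="GB00 OLD-BANK 0001")
    # A vendor whose only number is brand new cannot be verified by phone at all.
    fresh = Vendor("V-2002", "GB00 OTHER-BANK 0002",
                   [PhoneOnFile("+44 20 7000 0002", day0, "email")])
    third = evaluate_bank_change(fresh, "LT00 MULE-BANK 9999", day0 + timedelta(days=3))
    return {"first": first, "second": second, "third": third,
            "account_after": vendor.bank_account}


if __name__ == "__main__":
    for step, result in replay_invoice_hijack().items():
        print(step, "->", result)
```

The probation rule is the whole point: a bank change can only be confirmed against a channel that predates the suspicious correspondence, so the fraudster's planted number never gets used, and a vendor with no aged channel is escalated for manual verification rather than waved through.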
This is just one of a number of scams made possible by compromising an organisation’s email account (see this article for more examples of the common ‘stings’). Most alarming in the scenario above are:
- The fraudsters’ ability to circumvent the organisation’s network security
- The targeting of an organisation’s clients
- The ability to subvert a routine process typical to Accounts Payable teams in most organisations
As X-Force IRIS highlights in its analysis, attackers are constantly honing their craft to create more believable scams and make falsified emails harder to identify. This means that an organisation is only as strong as its weakest supplier.
Simply training employees on phishing threats and BEC scams is not always sufficient. The risks of being targeted by a low-tech social-engineering campaign are high. The only solution is to implement processes for Accounts Payable where receipt of invoices and information on where payments should be made are kept well away from email.