In this post, we look at one of the most common and destructive network attacks of recent years, known as Business Email Compromise (BEC). The attack is built on email scams, for example invoice scams and spear-phishing spoof attacks. Its first and most obvious consequence is a violation of privacy. An attacker who intends to carry out this type of attack must ultimately be proficient in the concepts and methods of social engineering.

This attack typically proceeds as follows:

An attacker sends one or more fake emails to a company employee, for example an employee in the finance department who is responsible for the organization's payments. The sender of the fake message claims to be a board member or the CEO of the organization who, for some reason, is currently unable to log in to his organizational email account (this is where social engineering skills come in). In the email, he asks the employee to transfer a sum of money to the bank account of a person or an organization. Who is that person or organization? Obviously, it is a bank account that belongs to the attacker or is otherwise at his disposal.

The FBI's Internet Crime Complaint Center (IC3) reported that BEC attacks led to $1.7 billion in losses in 2019 (in the USA alone). Elsewhere in the same report, we read that BEC topped the list of attacks that caused the greatest losses to organizations. In fact, the losses caused by this attack accounted for almost half of the losses caused by all network attacks in 2019 ($1.78 billion out of $3.5 billion). You can view this report here.

So it is clear how important it is to protect the organization and its staff against this type of attack, because the attacker sometimes introduces himself as a supplier of goods, sometimes as a customer, sometimes as a business partner, sometimes as a board member, and sometimes even as an upstream supervisory authority (for example, an FBI official or someone from the prosecutor's office). Moreover, the goal is not always to transfer money. Sometimes the attacker's intention is to obtain information, for example the contact details of an organization's customers and partners, or even personal information (such as where you live or your personal phone number).

You need to know the truth first: no method will protect you 100% against this attack, and we can never be 100% sure that we have prevented it. An important part of the prevention and protection process is to familiarize employees with the common symptoms of these emails and to stress that they should never act on such emails.

Education

Common symptoms of these fake emails include:

Out-of-character emails from senior management

For example, organizations usually have a management hierarchy. If the CEO wants money paid to a bank account, he or she instructs the finance manager; the CEO does not communicate directly with an employee of the finance department (by email or otherwise). So if a finance employee receives an email whose sender claims to be the CEO or a board member, the employee must doubt the authenticity of the email and inform his or her superior.

It is also unusual for the CEO to get involved in minor matters. If an employee receives an email in which the CEO requests immediate access to some low-level detail of the enterprise software, he or she should likewise doubt the authenticity of the email.

Spelling and grammatical errors

Emails are, after all, a form of official correspondence, and an administrative letter is not expected to contain misspellings or grammatical mistakes. So if an employee receives an email containing spelling and grammatical errors, the employee should doubt the authenticity of the message. Of course, not every email that contains such errors is fake; grammatical and spelling mistakes are always possible.

Requests to bypass policies

Employees should be very wary of any email that asks them to bypass company policy, even if the sender claims to be the CEO of the organization.

Source: securityboulevard.com

Authentication and Policies

Apart from these, there are also measures that reduce the organization's vulnerability to these attacks.

Enable two-factor authentication on email accounts: Two-factor authentication (2FA) requires the user to enter a secondary piece of information (such as a second password) in addition to the user's login credentials. This reduces the likelihood of a BEC scam succeeding. Read this post about 2FA and MFA (multi-factor authentication).

Verify requests for payments: Organizations should implement a two-step verification process for all wire transfer requests, and additional controls (such as requiring a second person to authorize transfers) should be enforced for payments. The verification should preferably use another channel of communication, such as a phone call, because a BEC attack is essentially based on compromising email.

Minimize financial authorization: The number of employees allowed to carry out financial transfers, as well as the number with access to confidential organizational information, should be kept to a minimum. This reduces the number of potential victims of BEC attacks. Those employees should also be fully trained about such attacks.

Source: emsisoft.com

Technology

There are a number of authentication mechanisms that can be used to verify the authenticity of an email. It is best to use these mechanisms in combination.

Sender Policy Framework (SPF)

SPF allows the owner of a domain to specify which servers may send email on its behalf. It enables the receiving mail server to check, during delivery, that the incoming email originated from a server authorized by that domain's administrator. If the email was sent from a non-authorized server, the receiving server can treat the message as fraudulent and refuse delivery.

Of course, SPF has shortcomings that make it unreliable as a protection against BEC.

What is the problem? Emails carry two FROM addresses:

  • Envelope FROM: the address the email originated from, as given at the SMTP level (MAIL FROM).
  • Header FROM: the email address the email client uses to populate the FROM field shown to the reader.

SPF was designed to protect the envelope sender. In other words, it cannot validate the header FROM address, which is the one commonly spoofed in BEC scams. And employees (indeed, people in general) who receive an email usually look only at the header FROM address.

There is another problem: SPF was designed only for the SMTP protocol, while several other email protocols are also used in communications.

DomainKeys Identified Mail (DKIM)

DKIM allows the recipient of an email to verify that it was sent by the owner of the sending domain: a digital signature is attached to outgoing emails, and the recipient's system can check whether the email carries a valid DKIM signature. The absence of a valid DKIM signature signals that the email may be forged.

DMARC

Domain-based Message Authentication Reporting and Conformance (DMARC) enables domain owners to:

  • Specify which authentication method (SPF, DKIM or both) is used when sending email from that domain
  • Choose what happens to a message that fails authentication (for example, reject the email or quarantine it).

Despite all these benefits, still very few companies use this method.
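The following is an added example, not code from the original post: a simplified receiving-side check that ties the SPF and DMARC sections together. It evaluates SPF against the envelope FROM domain and then applies DMARC identifier alignment between that domain and the header FROM domain, so a message that passes SPF on the attacker's own domain but displays the CEO's domain in the header is still rejected. All domains, IP addresses and TXT records are constructed for the example; real DMARC also accepts an aligned DKIM signature and uses the Public Suffix List for organizational domains, neither of which is modelled here.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records standing in for DNS lookups (hypothetical domains, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "attacker-mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject",
}

def spf_check(envelope_domain, sender_ip):
    """Minimal SPF: only ip4 mechanisms and the -all / ~all terminator are evaluated."""
    ip = ipaddress.ip_address(sender_ip)
    for term in DNS_TXT.get(envelope_domain, "").split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "none"  # no record, or no terminating mechanism

def dmarc_policy(header_domain):
    """Read p= from the _dmarc TXT record of the header From domain ('none' if absent)."""
    match = re.search(r"\bp=(\w+)", DNS_TXT.get(f"_dmarc.{header_domain}", ""))
    return match.group(1) if match else "none"

def evaluate(raw_message, sender_ip):
    """Return SPF result, identifier alignment and the DMARC disposition for one message."""
    msg = message_from_string(raw_message)
    envelope_domain = parseaddr(msg["Return-Path"])[1].rsplit("@", 1)[-1].lower()
    header_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    spf = spf_check(envelope_domain, sender_ip)
    # Relaxed alignment (DMARC default): organizational domains must match; comparing the
    # last two labels is a naive stand-in for a Public Suffix List lookup.
    aligned = envelope_domain.split(".")[-2:] == header_domain.split(".")[-2:]
    # Real DMARC also passes on an aligned DKIM signature; only the SPF path is modelled.
    dmarc = "pass" if spf == "pass" and aligned else "fail"
    action = "deliver" if dmarc == "pass" else dmarc_policy(header_domain)
    return {"spf": spf, "aligned": aligned, "dmarc": dmarc, "action": action}

# Constructed sample: SPF passes for the attacker's own envelope domain, but the
# header From that the employee sees is the CEO's domain, so alignment fails.
SPOOFED = """Return-Path: <bounce@attacker-mail.example>
From: "CEO" <ceo@example.com>
Subject: Urgent wire transfer

Please pay the attached invoice today."""
# Same message sent legitimately: envelope and header domains agree.
LEGIT = SPOOFED.replace("bounce@attacker-mail.example", "ceo@example.com")
```

Running `evaluate(SPOOFED, "198.51.100.7")` yields SPF pass but DMARC fail with action `reject`, while `evaluate(LEGIT, "203.0.113.5")` is delivered; this is exactly the header-FROM gap in SPF alone that DMARC closes.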

———————————

Sources:

securityboulevard.com

emsisoft.com