We had to deal with a situation the other day at a client, where one of the accounts staff received an email from the CEO, asking them to “pay the attached outstanding invoice, to the account shown below”. Obviously, the email was a spoof, and the CEO had not sent it – neither did the person in accounts pay it, although they got close before realising something was wrong. The client asked one of our team how it had happened, which is when it got to my desk – but as the client did not want to pay for me to check the logs and carry out an investigation, we could not give them an answer as to what had happened.
Here is some free advice!
There was one thing we did though, because they are our clients. Our Operations Manager has a script for checking all the email rules in an instance of Microsoft 365, and he ran this. Why? Because rogue email rules can be an indication of this type of cyber attack – referred to as Business Email Compromise (Bakarich and Baranek, 2020).
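As an added example (not our Operations Manager's script), this is how such a sweep of inbox rules can be done with the Exchange Online PowerShell module, flagging the rule patterns most often seen in business email compromise: external forwarding, silent deletion, and messages tucked away in folders nobody reads. The internal domain list and the output path are assumptions to be changed for the tenant being checked.

```powershell
# Added example, not the original page's script. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can read mailboxes and inbox rules.
Connect-ExchangeOnline

$InternalDomains = @('example.com')   # assumption: replace with the tenant's accepted domains
$SuspectFolders  = @('RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Junk Email', 'Archive', 'Deleted Items')

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Recipient strings look like 'Name [SMTP:user@domain]' or a plain address
        if ($r -match '([\w.+-]+@[\w.-]+)') {
            $domain = $Matches[1].Split('@')[1].ToLower()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is set outside inbox rules, so check it separately
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient @("$($mbx.ForwardingSmtpAddress)"))) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox forwarding)'; Enabled = $true; Reasons = "forwards to $($mbx.ForwardingSmtpAddress)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | ForEach-Object { "$_" }
        if (Test-ExternalRecipient $targets) { $reasons += 'forwards or redirects externally' }
        if ($rule.DeleteMessage)             { $reasons += 'deletes messages' }
        if ($rule.MarkAsRead)                { $reasons += 'marks as read' }
        if ($rule.MoveToFolder -and ($SuspectFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves to $($rule.MoveToFolder)"
        }
        # Attackers often give rules blank, punctuation-only or one-letter names
        if ($rule.Name -match '^\W*$' -or $rule.Name.Length -le 2) { $reasons += 'blank or trivial rule name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation   # assumption: output path
```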
We were not getting paid to investigate, but I could not leave it alone…
I did not check the logs, as I did not have permission, but I did have a copy of the offending email and comments from the client about them not knowing how the threat actors got access to their email.
Now this was not a sophisticated attack: there were no rules in Microsoft 365 covering up illicit activity or credential compromise. This looked as if it was just trying to exploit a trust relationship between CEO and employee (Cross and Gillett, 2020). All this attack took was a little open source intelligence (OSINT) and possibly a reply to an email sent to enquiries.
- The names and positions of the people in the company are there for everyone to see on the website – with their email addresses.
- The reply to the enquiry email gave me the formatting of their email footer and the required graphic.
Now all I need is Notepad++ to hand code the email, an anonymous email service and financial tools that can handle stolen money and are not traceable to me, or are too difficult for law enforcement to pursue.
What you need to take from this
We have helped clients set up internal financial controls that can make this type of cyber attack nearly impossible – we use similar cut-offs in our own accounting procedures. We have also reviewed social media, websites and other sources of OSINT for clients, closing the doors where necessary on the sources that were giving too much away. As part of our online training, we run through several scenarios of this type of attack and how organisations can defend against them.
Internal accounting controls and controlled social media are part of the answer, as is staff awareness of the possibility of business email compromise cyber attacks – think about both of these today before you are the victim of such spoofing.
On Thursday we are going to go back to looking at the insider threat.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
References
Bakarich, K. M., & Baranek, D. (2020). Something phish-y is going on here: A teaching case on business email compromise. Current Issues in Auditing, 14(1), A1-A9.
Cross, & Gillett, R. (2020). Exploiting trust for financial gain: an overview of business email compromise (BEC) fraud. Journal of Financial Crime, 27(3), 871–884. https://doi.org/10.1108/JFC-02-2020-0026