The Business Email Compromise (BEC) Odyssey: Credential Phishing Attack
What is BEC
Business Email Compromise is a phishing attack vector in which threat actors use deceptive tactics to manipulate employees or attempt to gain unauthorized access to an environment. While this may not come in the traditional form malicious links and files. We see an increase in threat actors posing as legitimate organizations and sending invoices for services. Even more alarming, threat actors have been found to compromise the inboxes of leadership staff and send out emails to unsuspecting employees and partners. In this blog we analyze a recent BEC case by the BreachQuest Priori team.
BEC Insight
Year after year, the threat BEC poses has exponentially risen. Market and Market reports that in 2022 the estimated market for BEC is at 1.1 billion USD and is expected to increase to 2.8 billion USD by 2027. IBM’s Cost of a Data Breach Report 2022 illustrates that an email-related breach tends to be the costliest at 4.89 million USD across all industries and organizations. Defending against BEC attacks is especially difficult due to the human component. Successful BEC attacks depend on carelessness and oversight of unsuspecting employees, making it incredibly difficult to prevent them; once a compromise has been discovered, it is entirely too late.
Deep Inspection with the Priori BEC Module
The BEC Module powered by Priori is a solution that can catch threat actors before compromising a mailbox. The BEC module techniques are accomplished by monitoring impossible travel logins, known location patterns, known malicious IPs, mailbox summary services, abnormal forwarding rules, efficient mailbox triage, and header inspection before message delivery. Many BEC IR service providers take an average of 7-10 business days to provide results. The Priori platform takes 4-8 hours to offer actionable intelligence to assist an organization in mitigating any risk with BEC. Below we dissect a recent BEC case in which the customer knew that their email was breached but didn’t have the context behind the compromise. The BreachQuest team was able to quickly provide details of a breach before more damage was done through Priori.
Campaign
Business email compromise (BEC) is one of the most financially damaging online crimes. It exploits the fact that many rely on email to conduct personal and professional business.
On August 1st, 2022, a threat actor with an IP originating from Nigeria was able to compromise the inbox of the CFO of a U.S.-based business. Initially, access was made via O365 online exchange, then later used OfficeHome. The threat actor’s initial login was from Nigeria, which triggered a flag, but we also witnessed the threat actor using a VPN when using OfficeHome that flagged on impossible travel. These logins occurred during the span of 8/1/2022 through 9/23/2022. In that time frame, various files were viewed and downloaded. Information collected from the sensitive files was then used to impersonate the company’s CFO and add forwarding rules for specific vendors the threat actor was targeting.
Illustrated below is a snapshot of the data that the threat actor was able to access. The information gathered included financial documents, vendor contracts, and employee accounts. The threat actor leveraged this information to falsify documents with fraudulent bank account information and contacted vendors for payments related to services offered by the organization.
Summary
In this case, the Priori platform was used as a reaction to suspicious activity reported by vendors. While it can be used as a digital forensics tool, it can also be used in a more proactive approach to notifying security of suspicious email logins and account behavior. Within minutes of Priori BEC module deployment, the BreachQuest team was able to provide details regarding the incident and all parties affected. BreachQuest can deploy Priori in most environments regardless of maturity. Please contact sales@breachquest.com for inquiries and demos.