We are in the middle of business email compromise (BEC) season, and a new tactic is currently running rampant. Most organizations only notice it after one of the following happens:
- A mass of emails is sent from a user's mailbox
- A vendor alerts them that a fake copy of their website exists
- They detect a new rule added to a user's mailbox
Who Can Be Affected?
Currently, we are seeing this attack mainly in the financial sector: banks, credit unions, title companies, loan originators, and finance staff in other verticals. However, any company that uses email can be affected.
How Does This Attack Work?
This attack is similar to previous BECs, with some key differences. The attackers scrape the victim company's website to build trust for downstream compromises. We can tell their volume is high, not only because we have been seeing a lot of these compromises, but also because the attackers have built an autologin app that tests the stolen login from various US and Canadian hosting providers. We assume this is an automated check to see whether the account is still compromised. It might be several days later, but a live attacker then logs in from a foreign IP and goes to work.
The process is:
- The attack spreads from each newly compromised email account, with the attacker sending from the victim's mailbox.
- The victim receives an email from an account they are used to working with.
- The email contains a link to what looks like the sender's company website, offering an encrypted document.
- The victim clicks the link and is asked for credentials to read the encrypted attachment.
- Once credentials are given, the attacker eventually logs into the victim's email, at either noon or 5 PM in the victim's time zone.
- The attacker searches the mailbox and attachments for financial data.
- Once financial data is found, the attacker opens a Teams session to transfer it to their own data stores.
- The attacker then scrapes the mailbox for logs and active link opportunities.
- Creates a believable website on the attacker's own resources, sometimes hosted inside the US.
- Uses a script to harvest the victim's contacts.
- Propagates the attack to the harvested contacts.
- Starts all over at a new organization.
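The sequence above leaves a recognizable trail in mailbox audit logs: repeated automated sign-ins from hosting providers, a later sign-in from a new country, then a new inbox rule and a burst of outbound mail. The following Python is an added example (not SBS code) that correlates constructed events into those three signals; the event schema (ts, user, op, country, asn_type) is an assumption for illustration, not any vendor's actual log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. The schema (ts, user, op, country, asn_type) is an
# assumption for this example, not any mail platform's real log format.
def ev(ts, user, op, country="US", asn_type="corporate"):
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op,
            "country": country, "asn_type": asn_type}

EVENTS = [
    # Alice: two automated checks from hosting ranges, a live foreign sign-in, a new
    # inbox rule, then a burst of outbound mail (the post-compromise pattern above).
    ev("2024-03-04T09:02:00", "alice@bank.example", "SignIn", "US", "hosting"),
    ev("2024-03-05T09:04:00", "alice@bank.example", "SignIn", "CA", "hosting"),
    ev("2024-03-07T12:01:00", "alice@bank.example", "SignIn", "NG", "residential"),
    ev("2024-03-07T12:09:00", "alice@bank.example", "New-InboxRule", "NG", "residential"),
    *[ev(f"2024-03-07T13:{i:02d}:00", "alice@bank.example", "Send", "NG", "residential") for i in range(25)],
    # Bob: a normal office sign-in followed by a rule he created himself; no finding.
    ev("2024-03-07T08:30:00", "bob@bank.example", "SignIn"),
    ev("2024-03-07T08:45:00", "bob@bank.example", "New-InboxRule"),
]

def detect_bec(events, home_countries=frozenset({"US"}), mail_window=timedelta(hours=1),
               mail_threshold=20, hosting_threshold=2):
    """Return {user: [findings]} for mailboxes showing the post-compromise sequence."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        signins = [e for e in evs if e["op"] == "SignIn"]
        # 1. Repeated sign-ins from hosting providers: the attacker's automated "still ours?" check.
        hosting = [e for e in signins if e["asn_type"] == "hosting"]
        if len(hosting) >= hosting_threshold:
            findings[user].append(f"{len(hosting)} sign-ins from hosting providers")
        # 2. An inbox rule created right after a sign-in from outside the home countries.
        for e in evs:
            if e["op"] == "New-InboxRule":
                prior = [s for s in signins if s["ts"] <= e["ts"]]
                if prior and prior[-1]["country"] not in home_countries:
                    findings[user].append(f"inbox rule after sign-in from {prior[-1]['country']}")
        # 3. A burst of outbound mail inside mail_window: the propagation step.
        sends = [e["ts"] for e in evs if e["op"] == "Send"]
        for i, start in enumerate(sends):
            n = sum(1 for t in sends[i:] if t - start <= mail_window)
            if n >= mail_threshold:
                findings[user].append(f"{n} messages sent within {mail_window}")
                break
    return dict(findings)
```

Tune home_countries and the thresholds to your own sign-in baseline; a single finding is a lead, while all three on one mailbox match the full chain described above.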
What Can You Do?
Incident Response Assistance: If your organization needs immediate assistance with an active incident or security breach situation, call 605-923-8722 to speak to our Incident Response Team.
Buzz Hillestad, GCFE
SVP - Information Security Consultant - SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS also offers products and services to help financial institutions with these specific issues.