We are in the middle of business email compromise (BEC) season and there is a new tactic that is currently running rampant. Most organizations are only noticing it after they see:

• A mass of emails being sent from a user’s email box
• They are alerted by a vendor that their website has a fake
• They detect a new rule added to a user’s email box

Who Can Be Affected?

Currently, we are seeing this attack mainly in the financial sector with banks, credit unions, title companies, loan originators, and financial people in other verticals. Although, any company that uses email can be affected.

How Does This Attack Work?

This attack is similar to previous BECs with some key differences. The attackers scrape the website of the victim’s company to gain trust for downstream compromises. We can tell their volume with these compromises is high, not only because we have been seeing a lot of them, but also because the attackers have an autologin app they’ve created that tests the login from various US and Canada hosting resources. We assume this is an automated login to see if the account is still compromised. It might be several days later, but a live attacker then logs in from a foreign IP and goes to work.

The process is:

1. It is spread by the victim’s email account, via the attacker, once a new email account has been compromised.
2. Victim gets an email that is from an account they are used to working with.
3. Email has a link to, what looks like, the sender’s company website for an encrypted document.

4. The victim clicks the link and is asked for creds to read encrypted attachment.

5. Once creds are given the attacker eventually logs into the victim’s email by either noon victim’s time, or 5 PM victim’s time
6. Attacker will search for financial data in email and attachments
7. Once financial data is found, the attacker opens Teams session to transfer it to their own data stores

8. Finally, the attacker scrapes the email for logs and active link opportunities.
9. Creates a believable website on the attacker’s own resources sometimes inside the US.
10. Uses a script to harvest contacts from the victim.
11. Propagates the attack to harvested contacts.
12. Starts all over at a new org.

What Can You Do?

• Implement MFA and train users to deny MFA requests they aren’t sure about
• Implement email sandboxing along with SPF, DKIM, and DMARC – Check: https://mxtoolbox.com/
• Implement country code blocking on firewalls and cloud resources
• Check out the SBS Blog: Six Controls to Dramatically Reduce Cyber Risk of Incidents: https://sbscyber.com/resources/six-controls-to-dramatically-reduce-cyber-risk-of-incidents

Incident Response Assistance: If your organization needs immediate assistance with an active incident or security breach situation, call 605-923-8722 to speak to our Incident Response Team. 

Written by: 
Buzz Hillestad, GCFE
SVP - Information Security Consultant - SBS CyberSecurity, LLC