Business Email Compromise: When You Don’t Need to Phish
October 4, 2018
According to the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Financially-sensitive information constantly flows through company emails, such as contract scans, purchase orders, and payroll information. All these make inboxes lucrative targets for attackers, who use social engineering and intrusion techniques to gain access to business email accounts.
Decreased Barriers to Entry
In our latest research report, Pst! Cybercriminals on the Outlook for Your Emails, we outline the declining barriers to entry for this type of fraud. There are three main ways for cybercriminals to gain access to these emails without conducting a phishing campaign or network intrusion: 1) pay for access to a corporate account, 2) get lucky with previously compromised credentials, and 3) leverage email archives already exposed through misconfigured backups and file sharing services. In this blog post, I’ll outline how actors turn to the cybercriminal forums to gain access to these accounts.
Business Emails Offered on Criminal Forums
It’s common for accounts to be shared and sold across criminal forums, with actors looking to take over customer accounts for a variety of fraud purposes. The emails of finance departments and CEO/CFOs are no exception, and so it’s unsurprising that online criminal forums are replete with individuals requesting access to corporate email accounts.
We identified numerous examples of the demand and supply of these accounts. For example, in Figure 1 we detected individuals on a Russian-speaking, closed source criminal forum specifically searching for company emails that contained “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.
Figure 1: Corporate emails requested on a closed source Russian-speaking criminal forum
As-a-service offerings exist, and the prices can be low. As well as those offering services for acquiring business emails, services are offered for as little as $150 per compromised business email (see Figure 2), although closed web-based services will start at $200.
Figure 2: Corporate email hacking service advertised on a criminal forum
HUMINT Engagement Uncovers Targeted Campaigns
Not all requests and transactions will be handled on criminal forum boards, conversations will often move to private channels to finalize the details. Through HUMINT interaction with a Russian-speaking actor, we identified an individual seeking emails from the accounting departments of companies in specific industries and geographies, searching for “accountspayable@”, “accountsreceivables@”, “payables@”, and “receivables@” (see below).
Figure 3: A Jabber conversation with a Russian-speaking criminal planning a BEC campaign. (Source: Digital Shadows HUMINT).
After engaging on a criminal forum, the conversation quickly moved to a private jabber channel to discuss specific targets. Rather than paying a set fee for credentials, the actor offered to pay 20% of the proceeds they would make from their campaigns. With a specified list of 100 targets, most commonly in construction, property, public services, and higher education, this has the potential to be highly lucrative for threat actors. Construction and property services will be handling a large number of size-able transactions on a daily basis, and so the potential for BEC is significant. In this case, the majority (79%) of these targets were in the United Kingdom, Australia, and Singapore – demonstrating the global nature of BEC.
The potential to monetize access to the email boxes of financial departments is clear, and cybercriminals are looking to capitalize on this. In following blogs, I’ll discuss the extent to which previously compromised credentials can leave email inboxes exposed, and how the exposure of email archives across misconfigured online file stores even renders this unnecessary. If you can’t wait for that, download a copy of our report, Pst! Cybercriminals on the Outlook for Your Emails.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.