Millions Stolen in BEC Scam Campaign
Researchers Describe How the Scheme Works
A recently uncovered business email compromise scam that’s targeting executives' Microsoft Office 365 accounts has hit over 150 organizations worldwide so far and netted the scammers about $15 million, according to incident response firm Mitiga.
The Israeli security firm discovered the scam after being notified by one of the victims following what the company called a suspicious "multimillion dollar" transfer. Mitiga has provided details to law enforcement officials as well as Microsoft, notes Andrey Shomer, the company's head of research.
"Our investigation determined that the threat actor’s attack extended over several months and included careful preparation as well as monitoring and manipulation of email traffic before and during the transfer of funds," Shomer notes in the report released Wednesday.
How the Scam Works
The BEC scheme that Mitiga uncovered starts with the fraudsters compromising the Office 365 accounts of executives.
The fraudsters also register malicious domains with a firm called Wild West Domains - a domain registrar owned by GoDaddy, according to the report. These domains have names similar to victims' sites, usually with a letter added.
The compromised Office 365 accounts are then linked to these malicious domains, which enables the fraudsters to monitor email traffic between executives at a company and its partners and suppliers. The attackers create a "forwarding" rule that allows copies of victims' emails to be collected and read without raising suspicion, according to the report.
"We believe that the threat actor chose to use Office 365 in order to improve the likelihood of a successful attack, thanks to the credibility it can generate," Shomer says. "The threat actor’s use of the same technology stack reduced both suspicious discrepancies and the likelihood of triggering malicious detection filtering, which ultimately contributed to the rogue emails slipping through."
Once the fraudsters have access to the email accounts, they locate and manipulate payment and bank details - for example, by changing account numbers so fund transfers go to accounts controlled by the BEC attackers, the report notes.
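The defensive counterpart to the forwarding step described above is to review inbox-rule events in the Office 365 audit log for rules that send mail outside the organization, and to rank highest any target domain that is a known domain with one letter added. The following is an added example, not code from Mitiga or the report; it assumes a simplified record shape (Operation, UserId, Parameters) for New-InboxRule / Set-InboxRule events and uses the ForwardTo, ForwardAsAttachmentTo and RedirectTo rule parameters, with constructed sample records and domains.

```python
# Constructed sample of Office 365 unified audit log records (simplified
# New-InboxRule / Set-InboxRule shape); not data from the Mitiga report.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example-corp.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardAsAttachmentTo", "Value": "cfo@example-corpp.com"}]},
    {"Operation": "Set-InboxRule", "UserId": "ceo@example-corp.com",
     "Parameters": [{"Name": "RedirectTo", "Value": "ceo@example-corp.com"}]},
    {"Operation": "New-InboxRule", "UserId": "ctrl@example-corp.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "billing@acme-suppllier.com"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example-corp.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "backup@mail.example.net"}]},
]

# Rule parameters that send copies of mail elsewhere (the "forwarding" trick).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def is_one_letter_insertion(candidate: str, legit: str) -> bool:
    """True if candidate is legit with exactly one extra character inserted."""
    if len(candidate) != len(legit) + 1:
        return False
    i = 0
    while i < len(legit) and candidate[i] == legit[i]:
        i += 1
    return candidate[i + 1:] == legit[i:]

def flag_forwarding_rules(records, trusted_domains):
    """Return (user, target, reason) for each inbox rule that forwards mail
    outside the trusted domains; lookalike targets get a specific reason."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        for param in rec.get("Parameters", []):
            if param["Name"] not in FORWARDING_PARAMS:
                continue
            target = param["Value"].lower()
            domain = target.rsplit("@", 1)[-1]
            if domain in trusted_domains:
                continue
            lookalikes = [d for d in trusted_domains if is_one_letter_insertion(domain, d)]
            reason = f"lookalike of {lookalikes[0]}" if lookalikes else "external forwarding"
            findings.append((rec["UserId"], target, reason))
    return findings

if __name__ == "__main__":
    for hit in flag_forwarding_rules(SAMPLE_AUDIT_LOG, {"example-corp.com", "acme-supplier.com"}):
        print(hit)
```

The trusted set should hold the organization's own domains plus those of known partners and suppliers, since the scam registers lookalikes of both sides of the payment conversation.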
To help prevent such scams, organizations need to use strict verification methods for large money transfers, says James McQuiggan, a security awareness advocate at KnowBe4.
"It's essential to not rely solely on email for account changes, payments or other financial changes," he says. "Using a verification method with multiple parties that is based on a tiered payment system can reduce the risk of money lost to criminals."
Other Recent Scams
Other security firms have also encountered these types of large-scale BEC schemes that have specifically targeted executives and their Office 365 accounts.
In May, security firm Group-IB found an ongoing phishing campaign run by fraudsters in Nigeria that targeted more than 150 businesses with the goal of targeting executives' Office 365 accounts to steal confidential documents and contact lists (see: Phishing Campaigns Target Senior Executives via Office 365).
In August, another BEC scam targeted the Office 365 accounts of business executives at over 1,000 companies worldwide to steal 800 sets of credential payment data, according to the security firm Trend Micro (see: BEC Scam Targets Executives' Office 365 Accounts).
Over the last several years, BEC scams have become increasingly lucrative for fraudsters. The FBI's Internet Crime Complaint Center's annual cybercrime report, released in February, found that BEC schemes accounted for about $1.7 billion in losses in 2019 (see: FBI: BEC Losses Totalled $1.7 Billion in 2019).
A September report by the Anti-Phishing Working Group found that the average amount stolen in a business email compromise scam increased 48%, to $80,000, during the second quarter of this year, compared to the previous quarter (see: BEC Scam Losses Surge as the Number of Attacks Diminish).