FBI: BEC Scams Are Using Email Auto-ForwardingFraudsters' Tactics Make Detection More Difficult
Fraudsters are increasingly exploiting the auto-forwarding feature in compromised email accounts to help conduct business email compromise scams, the FBI warns.
See Also: A Toolkit for CISOs
The agency notes in an alert made public this week that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.
This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes.
"If businesses do not configure their network to routinely sync their employees' web-based emails to their internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email applications," the FBI says. "This leaves the employee and all connected networks vulnerable to cybercriminals."
Because system audits will not detect email discrepancies or updates, BEC scammers can retain email access to the compromised accounts and then continue with their malicious activities, the alert notes.
The FBI reported earlier this year that the bureau had received nearly 24,000 BEC-related complaints in 2019, with the scams generating a total loss of $1.7 billion and an average loss per incident of about $72,000 (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).
The FBI alert highlights two types of BEC scams that are taking advantage of email-forwarding rules.
The first was detected in August when fraudsters used the email forwarding feature in the compromised accounts of a U.S.-based medical company. The attackers then posed as an international vendor and tricked the victim to make a fraudulent payment of $175,000, according to the alert.
Because the targeted organization did not sync its webmail with its desktop application, it was not able to detect the malicious activity, the FBI notes.
In a second case in August, the FBI found fraudsters created three forwarding rules within a compromised email account.
"The first rule auto-forwarded any email with the search terms 'bank,' 'payment,' 'invoice,' 'wire,' or 'check' to cybercriminals' email accounts," the alert notes. "The other two rules were based on the sender's domain and again forwarded to the same email addresses."
Chris Morales, head of security analytics at security firm Vectra AI, says that in addition to reaping fraudulent payments, fraudsters can use email-forwarding to plant malware or malicious links in documents to circumvent prevention controls or to steal data and hold it for ransom.
BEC Scams: A Growing Threat
In in a keynote presentation at Group-IB's CyberCrimeCon 2020 virtual conference in November, Craig Jones, director of cybercrime at Interpol, noted that BEC scammers are among the threat actors that are retooling their attacks to take advantage of the COVID-19 pandemic (see: Botnet Operators Ditch Banking Trojans for Ransomware).
Interpol revealed that it recently worked with others to uncover a massive Nigerian business email compromise gang that was active across more than 150 countries. Several members of the criminal organization were arrested (see: Interpol Busts Massive Nigerian BEC Gang).
"With the COVID-19 pandemic continuing to remain in the forefront of public consciousness, organized criminal groups are taking advantage of new working arrangements and global brands to steal large sums of money," says Mark Chaplin, principal at the London-based Information Security Forum.
"Uncertainty will continue to provide criminals with further opportunities. BEC sits firmly on every organization's threat radar and will remain there for the foreseeable future."
The FBI recommends several steps that businesses can take to mitigate BEC threats:
- Ensure the organization is running the same version of desktop and web applications to allow appropriate synching and updates;
- Track changes established in email account addresses;
- Prohibit automatic forwarding of email to external addresses;
- Monitor the email Exchange servers for changes in configuration and custom rules for specific accounts.