Security Researchers Spot $36m BEC Attack

Written by

Security experts have warned of the growing threat from business email compromise (BEC) attacks spoofing victims’ vendors and suppliers, after revealing an audacious attempt to steal tens of millions of dollars.

The email in question was sent to an escrow officer at an insurance company, cc’ing in the presumed client, an enterprise in commercial real estate. It was spoofed to appear as if sent from the SVP and general counsel of a trusted, long-term partner company of the enterprise, according to Abnormal Security.

The scam email contained an invoice and payment instructions for what is described as a loan in excess of $36.4m.

The threat actor sought to add legitimacy to the scam by using forged company letterhead, and to hide the real origin of the spoofed email by changing just one letter of the sender domain, from “.com” to “.cam.”

“To further bolster their credibility, the attacker cc’d a second well-known real estate investment company on the email, again using a newly created domain that ended in [.cam],” Abnormal Security continued.

“Because the enterprise involved in this attack works in commercial real estate where they often facilitate large-sum loans, and the invoice appeared to be legitimate with legitimate recipients, there was little reason for immediate concern about the validity of the wire transfer request.”

Read more on BEC: BEC Attacks Surge 81% in 2022.

However, the security firm used AI technology to spot a few tell-tale signs that this was indeed a BEC attempt, besides the spoofed sender domain:

  • Minor discrepancies on the wiring instructions, such as “Reference: Name,” instead of “Reference Name,” and a missing state in the disclaimer text
  • The sender and cc’d domains were registered less than a week before the email was sent
  • A high-value payment request with alternative payment details
  • Irregular language patterns in the body of the email, indicative of fraud

“The totality of these signals is suspicious enough for an email security platform to take action by detecting and remediating the attack,” the security vendor concluded.

“However, since the Abnormal customer was actually cc’d on the email rather than the direct recipient, we are unable to determine if the original recipient was protected or if the invoice was in fact paid out.”

BEC lost its spot as the most lucrative cybercrime type last year, but dropped only to second place, with cyber-criminals netting over $2.7bn from these scams in 2022. Given this is only the sum reported to the FBI, the real figure could be many times greater.

What’s hot on Infosecurity Magazine?