Experts Warn of $15m Global BEC Campaign


Security experts have discovered a major new Business Email Compromise (BEC) campaign that has already stolen over $15 million from a possible 150 organizations.

Israeli incident response specialist Mitiga was first called in after a multimillion-dollar transaction went awry, according to head of research, Andrey Shomer.

It appears that a cyber-criminal was monitoring email communications between a corporate buyer and seller, and at the last minute, stepped in to impersonate the seller, sending over new wire payment instructions.

“Upon investigation, Mitiga’s incident response team identified rogue domains through which the threat actor’s emails were sent. These domains were similar to the buyer’s and seller’s own domains, but with minor changes which were difficult to notice. For example, if the original domain was ‘buyer.com,’ the rogue domain was ‘buyerr.com’,” Shomer explained.

“All the malicious domains utilized in this BEC attack were registered through a GoDaddy-owned domain registrar called Wild West Domains.”

The attackers linked Office 365 email accounts to these domains to add legitimacy to their communications and fly under the radar of email security filters.

They gained an initial foothold in a victim organization by sending phishing emails to senior executives. Once an account was hijacked, they would set up a forwarding rule to automatically send any emails to their own accounts.

“This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided,” said Shomer.

“The threat actor then used filtering rules to discreetly move messages originating from certain email addresses from the inbox folder into a concealed folder. This was done to hide unwanted communication from the actual mailbox owner, for example, emails expressing concern from the legitimate parties — thereby extending the time to discovery of the attack in order to complete obfuscation of the wire transfer.”

All 150 domains discovered in this campaign are registered with Wild West Domains and ape legitimate businesses. Each is connected to one of 15 Office 365 accounts.

BEC cost global organizations $1.8 billion in 2019, over half the $3.5 billion total for cybercrime losses, according to the FBI.
