The FBI has warned businesses that cyber-criminals are exploiting an email forwarding vulnerability in remote workers’ webmail clients to make business email compromise (BEC) attacks more successful.
In a Private Industry Notification released last week but just made public, the Feds explained that auto-forwarding rules are commonly used in BEC scams once attackers have compromised an employee’s inbox.
This means emails with specifically chosen keywords like “bank” and “invoice” are automatically sent on to the attacker’s inbox. They can then monitor communications between that employee and other users, and delete certain emails to hide their activity.
Eventually the attacker steps in, pretending to be a legitimate contact such as a supplier, and sends a fake invoice or similar to be paid by the employee’s company.
The FBI warned that if IT administrators don’t sync staff web and desktop email clients, then auto-forwarding rules updated by an attacker will only appear in the former, meaning security teams have no idea that a scam may be taking place.
“While IT personnel traditionally implement auto-alerts through security monitoring appliances to alert when rule updates appear on their networks, such alerts can miss updates on remote workstations using web-based email,” it continued.
“If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application.”
Even if a bank or law enforcement sounds the alarm, a victim organization may still miss the rule update unless it audits both applications, giving attackers even more time, the FBI added.
This oversight led to a $175,000 loss at a US medical equipment company in August 2020, it warned.
The alert urged administrators to ensure desktop and web email clients are running the same version to enable easy syncing and updates. It also advised them to prohibit automatic email forwarding to external addresses and to monitor for suspicious behavior such as last-minute changes in established email addresses.
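The rule-level audit the notice recommends can be automated. The following Python script is an added example, not part of the FBI notice or any vendor's tooling: it runs over a constructed list of inbox-rule records (shaped like a simplified export of mailbox rules; the field names, the `example.com` internal domain and the `.invalid` addresses are assumptions) and flags rules that forward or redirect mail outside the organization, raising the severity when the rule is keyed on financial keywords such as “bank” and “invoice” or also deletes the original message, and noting when the rule was created through webmail, which is where the notice says it may go unseen.

```python
"""Flag mailbox auto-forwarding rules of the kind described in the FBI notice.

Added example (not the FBI's or any mail vendor's code). Runs over a constructed
list of inbox-rule records shaped like a simplified mailbox-rule export and
reports rules that send mail to addresses outside the organization.
"""
from __future__ import annotations

# Assumed organization domain; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# "bank" and "invoice" come from the notice; the other keywords are assumed additions.
FINANCIAL_KEYWORDS = {"bank", "invoice", "payment", "wire", "remittance"}

# Constructed sample rules (not real data): two mailboxes, four rules.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Archive newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "subject_contains": ["newsletter"],
     "body_contains": [], "delete_message": False, "created_via": "desktop"},
    {"mailbox": "alice@example.com", "name": ".", "enabled": True,  # innocuous name
     "forward_to": ["payments.collector@mail-relay.invalid"], "redirect_to": [],
     "subject_contains": ["Invoice", "bank"], "body_contains": ["wire"],
     "delete_message": True, "created_via": "webmail"},
    {"mailbox": "bob@example.com", "name": "Copy to assistant", "enabled": True,
     "forward_to": ["carol@example.com"], "redirect_to": [], "subject_contains": [],
     "body_contains": [], "delete_message": False, "created_via": "desktop"},
    {"mailbox": "bob@example.com", "name": "Personal copy", "enabled": True,
     "forward_to": [], "redirect_to": ["bob.home@freemail.invalid"],
     "subject_contains": [], "body_contains": [], "delete_message": False,
     "created_via": "webmail"},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: dict) -> list[str]:
    """Addresses the rule forwards or redirects to outside INTERNAL_DOMAINS."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [t for t in targets if domain_of(t) not in INTERNAL_DOMAINS]


def assess_rule(rule: dict) -> dict | None:
    """Return a finding for an enabled rule that sends mail externally, else None.

    Severity is 'medium' for any external forward/redirect and 'high' when the
    rule is also keyed on financial keywords or deletes the original message.
    """
    if not rule.get("enabled", True):
        return None
    targets = external_targets(rule)
    if not targets:
        return None
    words = {w.lower() for w in rule.get("subject_contains", []) + rule.get("body_contains", [])}
    keyword_hits = sorted(words & FINANCIAL_KEYWORDS)
    reasons = [f"forwards to external address(es): {', '.join(targets)}"]
    if keyword_hits:
        reasons.append(f"filters on financial keywords: {', '.join(keyword_hits)}")
    if rule.get("delete_message"):
        reasons.append("deletes the original message, hiding the forward from the user")
    if rule.get("created_via") == "webmail":
        reasons.append("created via webmail; may not be visible in the desktop client")
    severity = "high" if (keyword_hits or rule.get("delete_message")) else "medium"
    return {"mailbox": rule["mailbox"], "rule": rule["name"],
            "severity": severity, "reasons": reasons}


def find_suspicious_rules(rules: list[dict]) -> list[dict]:
    """All findings across a rule export, highest severity first."""
    findings = [f for f in (assess_rule(r) for r in rules) if f]
    findings.sort(key=lambda f: (f["severity"] != "high", f["mailbox"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RULES):
        print(f"[{finding['severity'].upper()}] {finding['mailbox']} rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

On the constructed sample the script reports Alice's keyword-filtered, self-deleting external forward as high severity and Bob's plain redirect to a personal address as medium, while ignoring the internal copy to a colleague. In practice the same check should be run against rule exports from both the webmail and the desktop side, since the notice's point is that a rule present in only one of them is exactly the case a single-source audit misses.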
