Today’s digital frontier can be very much likened to the old days of the Wild West. In this present era identified by the ubiquitous nature of the Internet, cybercriminals are calling the shots; constantly blazing new trails in increasing sophistication in cybercrime and profiting unscrupulously off the backs of unsuspecting victims who rarely know what hit them until it is too late.
Cybercriminals are constantly pushing the boundaries of organized crime and are constantly coming up with new ways to expand their business operations and increase profits. They come up with schemes and rackets that encompass almost all aspects of traditional crime including fraud, extortion, theft, hijacking and even blackmail in the digital world long before law enforcement agencies and security professionals are able to discover and eventually catch up to them.
It is therefore not surprising today, if I tell you that most of us can now say goodbye to the traditional 419 scam which is slowly fading away into a thing of the past and say hello to the future of a much more insidious form of email scam which employs the use of social engineering, malicious software and computer intrusions, known in the information security community as Business Email Compromise Scam.
Yes, you can forget about the almost extinct forms of 419 scams where you typically receive an email from a widow or self styled investor promising you a huge payout usually in the millions, for your assistance in transferring funds belonging to some deceased wealthy corrupt government official or other important notable public figure. The format of a typical 419-email scam preys on our vulnerabilities as human beings who naturally have a tendency to help one another by using deception and playing on our susceptibility of our desire to get ahead in life by offering us a get rich quick scheme.
However, today most of us would spot a typical 419 from a mile away. To say the least these emails usually end up in your spam folder assuming that you use the services of an email hosting provider with basic spam and email filtering rules.
A recent quite interesting 419 scam of a somewhat cosmic and comical proportion tells the unbelievable story of a Nigerian astronaut who needs $3 million dollars to come back to Earth after being stranded in outer space.
What is a Business Email Compromise Scam?
The FBI defines Business Email Compromise (BEC) as a sophisticated scam targeting businesses working with foreign suppliers who regularly perform wire transfer payments in exchange for large quantities of goods. Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorized fund transfers. According to them, BEC scams have cost US victims nearly $750 million dollars and affected more than 7,000 people between October 2013 and August 2015. Globally, cybercriminals scammed more than $50 million dollars from victims outside of the US.
Business Email Compromise (BEC) crimes overshadow by far all other types of crime. These scams are financially motivated and leverage on social engineering tactics, using various forms of computer intrusion techniques targeting business email in-boxes, resulting in financial loss due to unauthorized transfer of funds into fraudulent destination bank accounts.
BEC Scams Come in Three Different Versions
This version which I am going to focus a lot on during the course of this write up can also been referred to as “Invoice Payment Fraud”, “The Buyer Swindle”, and “Invoice Modification Scheme”, and usually involves a business that has an established relationship with a supplier. The fraudster inserts himself in the middle of the email communication exchange and asks the buyer to wire funds for invoice payment to an alternate, fraudulent account via a spoofed email. A spoofed email is a fake email assuming the identity of a legitimate entity.
In this version, the fraudsters identify themselves as high-level executives (CFO, CEO, CTO, etc.), lawyers, or other types of legal representatives and purport to be handling confidential or time-sensitive matters and initiate a wire transfer to an account they control. In some cases, the fraudulent request for wire transfer is sent directly to the financial institution with instructions to urgently send funds to a bank. This scam is also known as “CEO Fraud”, “Business Executive Scam”, “Masquerading”, and “Financial Industry Wire Frauds”.
Similar to the other two versions, an email account of an employee is hacked and then used to make requests for invoice payments to fraudster-controlled bank accounts. Email messages are sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the scheme until their vendors follow up to check for the status of the invoice payment.
Invoice Payment Fraud Threat Intelligence
Threat intelligence is simply a situational awareness of a particular type of threat including the techniques and tactics employed by the threat actor. This section will try to explain why I choose to focus more on the threat of Invoice Payment Fraud in this article.
Working with clients across the Africa and Middle Eastern regions, I have come across multiple incidents involving Invoice Payment Fraud scams and have ultimately gathered that this version of BEC scam is more popular in the MEA region. This is quite likely due to the nature of the region’s business and economic ecosystem, which I dare say, largely consists of the importation or shipment of raw materials and supplies used in manufacturing, agriculture and other forms of small scale processing.
The buying and selling of consumer goods by small and medium sized businesses typically drive these economies as compared to the service-based economies of the more advanced developed countries, which revolve around bigger more established business players. These bigger players from my analysis would be more susceptible to versions 2 and 3 of BEC scams.
Coupled with a lower sense of awareness of the risks of cyber security threats, a lack of basic cyber security hygiene and security practice, this creates the perfect playing field for cybercriminals who are focusing more attacks via invoice payment fraud scams to the region. This will be our focus in the next sections as this scam has the highest potential to impact many small and medium sized businesses who fit the criteria for invoice modification fraud. A few of these invoice fraud scams I have worked on recently have involved businesses that have incurred losses of up to $100 thousand dollars within a very short space of time.
This however does not mean that this trend will continue to stay the same in the coming future as things change from a global market perspective.
How Invoice Payment Fraud Works
This is quite a complex sequence of events that only those businesses who have supplier relations and are more familiar with these kinds of wire transfer transactions can easily relate to and will hopefully understand how the attackers will patiently wait, observe and then strike at the opportune time to scam their victims out of huge amounts of cash.
The attackers behind these scams use intrusion techniques to attack email servers that have a weak security configuration and sit man-in-the-middle style intercepting and redirecting messages between buyer and supplier business email exchange in order to score a big payout.
Once they are inside a compromised mail server they seek out high-value transactions that are in the pre-order phase. Another tactic these cybercriminals use is usually through malware and phishing methods to get employees to click on malicious links that are then used to download and install a keylogger to record keyboard strokes on the victim’s host.
Once the keylogger software has been installed the attackers use a message feedback mechanism to alert them when specific keywords are observed from the victims keystrokes such as ‘invoice’, ‘purchase order’ etc. to seek out high-value transactions in the pre-order phase which are moving to the payment confirmation stage.
Usually in these types of transactions buyers send a purchase order to the seller’s business email account after which the seller then replies to the buyer’s email with an invoice and payment instructions. Upon monitoring the compromised email account or recorded keystrokes which will obviously reveal the username and password of business email accounts by recording every single keystroke of the victims infected computer, the fraudster will try to determine who initiates wires and who requests them.
After figuring all this out, the attacker clones both the buyer and sellers email addresses usually creating a new address that is slightly different but similar to the company they’re targeting, in order to spoof emails that convince the target that they are dealing with the other legitimate party. One very important aspect to note here is that they will alter the email return path or return address to redirect the replies to their own attacker controlled email accounts after which they can modify the message and forward it to the then intended recipients.
An example of the email cloning mechanism used by these cybercriminals would be in the form where, say we have a business email address for a sales person from mybusiness.com, a buyer company dealing in the manufacture of plastic chairs to email@example.com. The attacker would register a new email address at a different domain and clone Kofi’s business email address firstname.lastname@example.org that will be controlled by him and also to which he will receive messages from the supplier company that Kofi is looking to source raw materials from and vice versa.
The attackers are then able to modify the invoice and change bank account numbers, location and SWIFT codes needed to complete the fraudulent transaction. They also modify the payment destination account in the invoice document to a fake destination bank account by stating some bogus reason such as their accounts are currently being audited etc. and sitting in the middle, forward this new instruction to the buyer, who then wires money to the attacker-controlled fraudulent account.
Defending Against the Scam
Businesses should stay vigilant and educate employees on how to prevent being victimized by BEC scams and other similar attacks. It’s important to know that cybercriminals do not care about your company’s size – the more victims, the better. Additionally, cybercriminals need not to be highly technical as they can find tools and services that cater to all levels of technical expertise in the cybercriminal underground. As the world relies more and more on Web services such as webmail, a single compromised account is all it could take to steal from a business. As such, here are some tips on how you can stay protected and secure:
- Install and maintain a good anti-virus software and use a third party email hosting company that provides a secure mail infrastructure with email filters to reduce some of the phishing traffic and potential malware infections.
- It is strongly recommended to use the “Forward” function instead of “Reply” or “Reply All” so you can type the email address of your contact and ensure that the correct address is being used and not the attackers spoofed fake email address.
- Educate and train your employees. While employees are a company’s biggest assets, they are also usually its weakest link when it comes to security. Commit to training employees according to the company’s best practices. Remind them that adhering to company policies is one thing, but developing good security habits is another.
- Verify any changes in supplier payment and destination bank account details by using phone verification as part of two-factor authentication. Confirm requests for transfer of funds by using known business numbers and speaking with familiar or known verified backup personnel.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised.
Edem Glymin is the lead cyber security and risk consultant for Global Secure Solutions. He is currently working on an MSSP project in the Middle East as a cyber threat and incident response specialist. You can send your comments email@example.com