Advanced Deception with BEC Fraud Attacks

Background

Business Email Compromise (BEC) email fraud, also known as "CEO Fraud" or "Whaling", has become a major financial cyber threat, affecting businesses of all sizes globally. In such attacks a fraudster impersonates an executive of an organization to trick individuals in the organization into sending money or sensitive information. According to the FBI, such scams have cost their victims over USD $12 billion since 2013 and have recently led to global coordinated arrests in an effort to disrupt these scammers.

In contrast to most cyber-attacks, basic BEC fraud attacks do not require the sophistication to exploit any technical vulnerabilities or use any malware. Instead, individuals working in an organization are targeted, exploiting human trust to further the fraudster's malicious purposes.

In this blog we highlight some tricks and new techniques that we have observed over the past 12 months that are leveraged by cybercriminals to carry out BEC scams.

Although attackers are constantly evolving their approach towards BEC attacks, wire fraud is still the most common form of BEC scam. These messages are typically short and require a response without providing much detail, and convey urgency to avoid suspicion, as shown in Figures 1 and 2.

Fig1

Figure 1: Typical short BEC fraud message, demanding urgency and a wire transfer

Fig2

Figure 2: BEC fraud message, sent to the Finance department from a look-alike domain.

Spoofed BEC Messages

Many BEC Fraud emails contain headers that falsify the origin of the email using spoofed details of the target organization i.e. using the target's real domain in the "From" address field (masquerading the sender address of an email message so that it appears that it is from another person). This technique makes the BEC Fraud email appear to be coming from within the organization.

BEC Basic Header Trickery

A common and simple technique adopted by BEC scammers is to use a spoofed organization's real domain in the "From" address, but a different domain in the "Reply-To" address as shown in Figure 3. When a victim clicks on the reply button, the reply goes to the email supplied in the "Reply-To" field controlled by the scammer. This difference in the "From" and "Reply-To" fields is a good indicator of an anomaly and often is used in BEC scam emails.

Around 19% of BEC emails have a different "Reply-To: address compared to the "From" address and 12% use the target organization's domain as the "From" domain.

Fig3

Figure 3: The W-2 variant of the BEC scam usually begins to surface near the end of the calendar year. In this example (which is rare) the BEC/BES W2 email contained an upload link to an attacker-controlled FTP server

BEC Business Domain Similarity Attacks

Another scenario is where the attacker will use a "From" domain that is similar to the target domain. Emails appearing to be from the CEO or the CFO of the company are crafted using attacker-controlled look-alike domains and are sent to genuine subordinate staff, often requesting an urgent wire transfer to an overseas bank account. Diligent employees who speedily process such requests fall prey to such scams, resulting in monetary loss to the organization.

There are several different ways the scammers achieve similar looking domains as listed below:

  1. Brand name embedding in domain name with a dash ('-'): In such scenarios attackers' register domains containing the brand name as a prefix or a postfix to a random dictionary word that is often separated by a dash ('-') e.g. facebook-randomdictionaryword.com
  2. Brand name homograph: In such domains, some letters of the brand name are replaced with numbers, common examples include replacing 'O' with '0' (zero digit) and 'I' or 'L' with '1' etc.
  3. Miss-spelled brand names: Attackers register domains that are intentional typo's or miss-spelled variants of target domains e.g. "facebok.com" or "iphnoe.com"
  4. Brand name embedded in sub-domains: In this scenario attackers often use free domain registrars and register the target brand name as a sub-domain, thus the brand name is appended to the original domain with a dot ('.') e.g. facebook.freewebhostingdomain.com
  5. Another TLD: Brand name registered with an uncommon generic top-level domain or TLD e.g. brandname.xyz or brandname.top.

Around 4% of BEC emails use domain similarity tricks in the "From" address.

Executive Name Forgery

Also common in BEC Fraud email is ID spoofing, in which the attacker uses an executive name (such as "Bill Gates") in the display name part of the email header "From" field. Note the name is shown in the "Real Name" part of the email "From" field and not necessarily the email address part. Note it is just the "Real Name" part that is spoofed, and the actual email address is completely unrelated to the target and usually just the domain of the free webmail platform used to send the message, like Gmail or Comcast. Around 84% BEC emails fall into this category.

This sort of title-spoofing traditionally uses titles of CEOs and CFOs in the display name part of the email "From" field. However, attackers are now adding more executives and influencers in an organization, targeting employees across multiple departments, indicating deeper background study on the target, as shown in Figure 4, 5 and 6.

Fig4

Figure 4: BEC message sent from free email account

Fig5

Figure 5: BEC email from free email account, with a spoofed name and title of managing director

Fig6

Figure 6: BEC scam email sent with a legitimate appearing spoofed address of the CEO in the From field, but a scammer-controlled email in the Reply-To header.

Use of Attachments

Some BEC messages use PDF attachments containing wire information for their victims. The attachments often contain forged logos and bank details to convey the impression of a legit request. Screenshots of such messages are illustrated in figure 7 and 8.

Fig77

Figure 7: BEC message containing a PDF attachment with account details and wire transfer instructions

Fig8

Figure 8: PDF attachment sent by scammers with the BEC message containing account details and wire transfer instructions

BEC Encoded Message Attack

In addition to carefully studying their targets, some BEC Fraud scammers are using encoding tricks by substituting certain characters in the message, to avoid detection by email gateways. This BEC message appears like any ordinary email when opened in an email client (Thunderbird in this example). However, a closer look under a hex editor reveals its true nature. The message has been deliberately tampered to swap certain ascii characters like 'a', 'c', 'e', 'y' in some places with equivalent Cyrillic characters as shown in Figure 9, 10 and 11.

Fig10

Figure 9: Message containing some encoded UTF characters, as rendered by the Thunderbird email client


Fig10

Figure 10: Message viewed in a hex editor


Fig10

Figure 11: Notice the encoded/messed up characters in some place for the characters: 'a', 'c', 'e', 'y'. The hex code for 'e' is highlighted here 'D0B5' this is utf-8 encoding for Cyrillic small letter e.

BEC Advanced From Header Trickery

Some BEC messages use specially crafted "From" headers to conceal the attacker's true email address. These tricks try to fool the email client to display another address that is embedded somewhere else in the "From" field. Figure 12 shows the attackers email is concealed as an additional email address in the "From" field as shown in Thunderbird, user must click to view the additional address. The expanded version is shown in Figure 12, while the Outlook example just shows a single "From" address as can be seen in figure 13. A raw text representation of this specially crafted "From" address string is shown in Figure 14. Multiple addresses and addresses within quotes are good indicators to watch out for. When a victim replies to such a message the reply is sent instead to the embedded attacker's email. It is important to note here that such messages may appear different in different email clients.

Fig13

Figure 12: BEC message with multiple from field addresses shown in Thunderbird

Fig13

Figure 13: BEC message with multiple from addresses shown in Outlook


Fig13

Figure 14: Specially crafted strings similar to this are used by attacker in the From field of the email to evade detection and conceal the malicious email in email clients.

BEC attacks using long scenarios to lure victims

A relatively new trend observed in BEC scams is that of a long, personalized message inviting the victim into sworn secrecy due to legal implications of a sensitive business requirement. Such BEC messages often involve references to legal firms, informing the victim that they must comply with company lawyers to fulfil certain legal and business requirements discreetly to avoid leaks due to the sensitivity and legality of the business matter. This is followed by a demand from the attackers to provide the company bank statements. These statements provide a wealth of information to the attackers about the financial working of the organization. After studying these transactions, the attackers may demand fund transfers to a specific account that they may forge using similar bank titles opened with different or the same bank in different geographies. One such message is illustrated here in Figure 15.

Fig15

Figure 15: Long BEC scam message building a story and requesting sensitive banking information from the victim

BEC emails demanding gift cards

Recently we have observed BEC messages demanding iTunes, Amazon and Walmart gift cards from their victims. This attack is carried out using the familiar concise message template insisting urgency, but this time requesting credentials of the physical gift cards instead of the usual wire transfer request as shown in Figure 16 and 17.

Fig17

Figure 16: BEC scam message requesting iTunes gift cards


Fig17

Figure 17: BEC scam message requesting iTunes gift card from victim

BEC attackers targeting schools and academic institutes

Another trend observed are BEC scam emails ostensibly originating from the head of school or principal, targeting recipients in the school faculty, demanding wire transfers or gift cards. One such example is illustrated here in Figure 18.

Fig18

Figure 18: BEC scam message targeting a school

Example of a BEC Conversation

We have observed how BEC scammers lure their victims into believing that their CEO requires a quick favor from them and then gradually rip them off. One such account of a complete BEC conversation that happened in November 2017 between a CEO scammer and a victim was recently reported in one of our blog posts here. This provides an insight into the scam from start to finish and makes an excellent read.

Conclusion

Cybercriminals are leveraging social engineering methods by sending email impersonating an executive of an organization to deceive trusted employees into performing actions that lead to monetary loss.

BEC Fraud is increasingly big business for the scammers. Organizations have deeper pockets than individuals, and the scam preys on the willingness of employees to please the boss. The number of scammers jumping on this bandwagon has increased markedly, as it has proven lucrative for them.

The BEC scammers continue to evolve their techniques to further their objectives. We have witnessed an increase in BEC attacks that are now targeting all organizations big or small across different industry sectors. The menace of BEC is very real and is costing businesses real money.

Note for SEG Customers

Trustwave Secure Email Gateway (SEG) and SEG Cloud customers have a range of features available to them to help counteract BEC Fraud, including rules and specialized filters that are aimed squarely at the unique nature of BEC scams. It's a complex area, and to help explain it all we have produced a couple of in- depth documents that explain much background detail and configuration options. These details are included in our BEC Fraud Protection Guides, which are available in the documentation area of the website (customer login required). The SEG Cloud guide can be found here.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.