Email scams known as "CEO Fraud" are very common right now. They are a type of "Business Email Compromise" (BEC). There have been numerous recent cases reported in the media, and we too, are seeing many reports by our customers. One customer described these attacks as 'rampant'. The US FBI recently put the estimate of losses in 2015 associated with BEC frauds in the hundreds of millions of dollars. This blog will give a bit of background to CEO fraud scams, show some real-life examples, and suggest a few email security measures organizations can take to help protect themselves. Trustwave Secure Email Gateway customers can also download and implement a new BEC Fraud package which provides protection against these types of scams.
The basic premise of the scam is where an attacker sends an email, pretending to be the CEO of a company , to a suitably high level person in a department such as finance, or HR, and request sensitive information or money transfers. Sometimes numerous emails fly back and forth before the scam is complete. Attackers do their homework, they google which companies to target, the CEO's name and email address, and the names and email addresses of key people in the organization. The use of the CEO's name is key to these attacks, it lends an air of authenticity and authority to the scams. Employees tend to take requests from the CEO seriously. Take that away, and there is not much difference between CEO fraud scams and your regular 419/Nigerian-type scam. Beyond the usual scams, CEO Fraud emails can also point to malware, as you will see later.
There appears to be multiple groups of attackers behind the scams, with varying levels of sophistication. However, collectively they are casting a wide net, many organizations are receiving these scam emails, often repeatedly. What follows are some recent real-life samples, except for names and addresses have been fictionalized or removed.
Most cases of CEO fraud involve a short message, with no links or attachments, suggesting that the CEO is 'busy' and needs some kind of urgent transaction done.
Would you be suspicious of this email from your CEO? However, if you replied to this and were watchful, you might have noticed that the Reply-To address is different to the original From address, as you can see in the header below, and the address, of course, belongs to the attacker. You can also see in the header that some kind of Webmail client was used to send the message.
Often the initial scam email is very simple, with little obvious 'scammy' elements in the body text. Note in this example, the from address, while it has the CEO's real name, is from an unusual gmail address. Different email clients display addresses in different ways, so you may or may not see the actual from address depending on the client and its configuration.
This example gets straight to the point and supplies all the details up front, including the transfer amount of $28,850 up-front. It is also the type of email you may get after several emails to and fro with the scamster.
Recently we came across a CEO Fraud email that points to malware. This example shows a "document" which is actually an image. If you click on the image it will prompt you to download a malicious data stealing executable from a Dropbox link.
The presence of malware takes these CEO Fraud emails to a new level - they are no longer just about scams and money transfers. This is not the only malware sample we have seen, you can find a more in-depth analysis of another sample here.
The problem with these fraud emails is that they are targeted, and of such low volume that they may fly beneath the radar of regular spam filters. But is there anything we can we do at the email gateway to try and detect these sorts of messages? There are indeed a number of options. Note, some of what follows below relates to the Trustwave Secure Email Gateway (SEG), but the general ideas are applicable to any email gateway.
This is where your real domain is used in the From line. Most often it is accompanied by a different Reply-To address:
From: "CEO Name" <ceo.email.address@example.com>
Reply-To: "CEO Name" <email.address@attackerdomain.com>
In this case, anti-spoofing, if implemented correctly, will block this. SEG considers this an inbound email, with a local domain in the From address, but sent from an unknown source IP. It is therefore suspicious.
You should also consider setting up SPF/SenderID records in your DNS that publish all the mail servers allowed to send email for your domain. You can then use the SenderID feature to check against any inbound email from your domain. Careful thought must be given to your SPF/SenderID policy, and allowances must be made for all mail servers and third-parties sending email on your behalf. This is a complex area beyond the scope of this blog, but there are many resources on the web to help.
This is where the attacker will own the misspelt domain name, which closely resembles your domain, but is usually off by one character.
From: "CEO Name" <ceo.email.address@examplle.com>
In this case, anti-spoofing will not identify these messages. Instead, regular expressions can be applied to the From: line in order to identify the misspellings. Below are two regular expressions for a domain called example.com. These expressions are useful not just for these scams, but phishing in general. For efficiency, the regexes assume the first character is never changed, which is a fairly safe assumption because otherwise the domain would not look similar enough. Simply copy the pattern and apply to your own domain(s).
This expression identifies a domain where one of the letters in the domain has been replaced. It works by checking each letter for substitution (for instance [^m] means "any letter but m").
@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com
This expression identifies a domain part where a character has been added. It works by matching even if a single extra character has been added between each pair of letters [.?].
@e(?!xample\.com).?x.?a.?m.?p.?l.?e\.com
This is where the CEO's name will appear in the From "real name" area in the From line (perhaps also with the CEO's email address). However the actual From: address is unrelated.
From: "CEO Name" <address@unrelated-domain.com>
Or
From: "ceo.email.address@example.com" <address@unrelated-domain.com>
To identify this sort of attack, header regular expressions can be used to look for the CEO's name or email address in the From line, and combine it with an inbound rule. The SEG has the concept of inbound message, where the message is addressed to a local recipient. At the email gateway, CEOs should typically not be sending inbound mail, they should only be sending outbound mail. The regex can be fairly simple, like the one below.
CEO\sName|ceo\.email.address@example\.com
All the ideas above can be implemented in the Trustwave Secure Email Gateway, and customers can download a special "BEC Fraud" package which makes it easy. In addition, the package also includes a special category script that identifies many traits associated with these CEO Fraud scams. The package including documentation can be obtained here (requires customer login).
CEO Fraud emails have been increasing in volume and variety, and have also branched into malware. Its safe to say this technique is not going away anytime soon - the social engineering power of the CEO's name is too great. This blog illustrates a number of things you can consider for your email gateway to help mitigate the impact.
The other parts of the equation are awareness and systems. Staff should be made aware of these sorts of emails, and given some pointers on the sorts of things that indicate a possible scam. Organizations should also have very clear procedures in place for verifying payment transfers or sensitive information requests, especially via email.
