BEC Attackers Switch Tactics Using Phishing Emails to Steal Merchandise

Cybercriminals who use Business Email Compromise (BEC) attacks are switching up their tactics, with some groups now targeting actual merchandise instead of money in their phishing attacks.

Trustwave’s email security solution MailMarshal is aware of and investigating this new methodology. MailMarshal is capable of defending an organization against BEC attacks.

The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA) issued a special joint cybersecurity advisory on Dec. 16, 2022, detailing recent incidents in which threat actors stole large shipments of food, produce, and ingredients.

BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses. However, in the vast majority of these incidents the criminals simply attempted to convince a target to send them money via a wire transfer, using a fake contract or invoice.

The joint cybersecurity advisory included several examples of attempted and completed thefts, mostly involving dairy products and, in one case, a large amount of sugar. However, the agencies gave no reason why the attackers singled out these particular products, nor did they say where the stolen goods were shipped.

The attacks took place from February to August 2022. In each case, the target company received a fraudulent email or an order placed through an online purchasing portal. The BEC actors continue to use the standard tactics that have unfortunately worked so well in their prior fraudulent efforts. These include:

  • Creating email accounts and websites that closely mimic those of a legitimate company.
  • Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.
  • Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.
  • Copying company logos to lend authenticity to their fraudulent emails and documents.
  • Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the factual information of a legitimate company, so the credit check results in the application being approved. The victim company ships the product but never receives payment.

Two successful attacks discussed in the advisory resulted in the victims losing in excess of several hundred thousand dollars.

In April 2022, a U.S. food manufacturer and supplier received a request through its web portal inquiring about pricing for whole milk powder, purportedly from another food company. The attackers spoofed a legitimate food company, using a version of its email configuration, the name of the company’s actual president, and the company’s real physical address. The ingredient supplier ran a credit check on the company, which came back acceptable because it is a real company, and extended a line of credit; the first of two shipments, valued at more than $100,000, was picked up from the supplier.

Luckily, the victim company refused to release the second load until payment was received, and only then realized that the email address used by the criminals was a slight variation on the actual company’s domain name. As a result, the victim contacted the legitimate company, which confirmed that attackers had previously used its identity in similar scams.

In a separate incident in February 2022, four fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until it did not receive payment. In all four instances, the threat actors used real employee names and slight variations of legitimate domain names.

The advisory noted that one BEC attempt was foiled because the target company followed proper email security procedures.

In August 2022, a U.S. sugar supplier received a request through its web portal for an entire truckload of sugar to be purchased on credit. The request contained grammatical errors, which the victim noted, and purportedly came from a senior officer of a U.S. non-food company. The sugar supplier identified that the email address had an extra letter in the domain name and independently contacted the company to verify there was no employee by that name working there.


Trustwave SpiderLabs recommends a combination of technology and employee training that all companies should implement to ensure emails are legitimate.

  • Deploying an email security gateway, on-premises or in the cloud, with multiple layers of technology, including anti-spam, anti-malware, and flexible policy-based content filtering capabilities.
  • Locking down inbound email traffic content as much as possible. Carefully consider employing a strict inbound email policy:
  • Quarantine or flag all executable files, including Java, scripts such as .js and .vbs, and all unusual file attachments.
  • Create exceptions or alternative mechanisms for handling legitimate inbound sources of these files.
  • Blocking or flagging macros in Microsoft documents.
  • Blocking or flagging password-protected archive files, and blocking odd or unusual archive types such as .ace, .img, and .iso.
  • Keeping client software such as Microsoft 365 and Adobe Reader fully patched and promptly up to date. Many email attacks succeed because of unpatched client software.
  • Ensuring potentially malicious or phishing links in emails can be checked, either with the email gateway, a web gateway, or both.
  • Deploying anti-spoofing technologies on your domains at the email gateway, and deploying techniques to detect domain misspellings in order to catch phishing and BEC attacks.
  • Ensuring there are robust processes in place for approving financial payments requested via email.
  • Educating users: inform everyone from the rank and file up to the C-suite on the nature of today’s email attacks.
  • Conducting mock phishing exercises against your staff to show employees that phishing attacks are a real threat of which they need to be aware.
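Every incident above turned on a sender domain that was a slight variation of a real partner’s domain (an extra letter, a changed character), and the recommendations call for techniques that detect such misspellings. One practical way to do that is to compare each inbound sender domain against the domains a company already trades with, using an edit distance that also tolerates look-alike characters. The Python below is an added example written for this post; it is not Trustwave’s or MailMarshal’s code, and the trusted-domain set and sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that are near-misses of trusted partner domains.

Added example for this post; it is not Trustwave's or MailMarshal's code.
The trusted-domain list and the sample addresses are constructed.
"""
from __future__ import annotations

import re

# Constructed: domains of partners the company already does business with.
TRUSTED_DOMAINS = {"dairyco-example.com", "sugarmill-example.com"}

# Character pairs that look alike in many fonts. Both sides of every
# comparison are normalized the same way, so "exarnple" equals "example".
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Matches the domain part of "user@domain" or "Name <user@domain>".
_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse common look-alike character pairs."""
    d = domain.lower().strip(".")
    for fake, real in _HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertion, deletion, substitution and one
    adjacent transposition (optimal string alignment variant)."""
    prev2: list[int] | None = None          # row i-2 of the DP table
    prev1 = list(range(len(b) + 1))         # row i-1 (initially row 0)
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1,        # delete ca
                       cur[j - 1] + 1,      # insert cb
                       prev1[j - 1] + cost) # substitute or match
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swap of adjacent characters
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify_sender(address: str, trusted: set[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> tuple[str, str | None]:
    """Classify one sender address.

    Returns ("trusted", domain) for an exact or subdomain match,
    ("lookalike", closest trusted domain) when the normalized domain is
    within max_distance edits of a trusted one, ("unknown", None) otherwise,
    and ("invalid", None) when no domain can be parsed.
    """
    m = _DOMAIN_RE.search(address.strip())
    if not m:
        return ("invalid", None)
    domain = m.group(1).lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):   # exact or legitimate subdomain
            return ("trusted", t)
    norm = normalize(domain)
    best, best_dist = None, max_distance + 1
    for t in trusted:
        dist = damerau_levenshtein(norm, normalize(t))
        if dist < best_dist:
            best, best_dist = t, dist
    return ("lookalike", best) if best is not None else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders: the "extra letter in the domain name"
    # pattern from the advisory, a homoglyph variant, a real subdomain,
    # and an unrelated domain.
    for sender in ["president@dairyco-example.com",
                   "Jane Doe <president@dairyco-exarnple.com>",
                   "orders@sugarmill-examples.com",
                   "ops@mail.sugarmill-example.com",
                   "buyer@unrelated-vendor.org"]:
        print(f"{sender:45} -> {classify_sender(sender)}")
```

A "lookalike" result is a reason to hold the order and verify the request out of band with the partner, which is exactly what stopped the sugar attempt. Note that SPF, DKIM and DMARC on your own domains do not cover this case: a separately registered look-alike domain can pass all three checks for its own name, so a similarity check against known partner domains belongs alongside them.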
