FBI’s Internet Crime Complaint Center (IC3) has issued today a public service announcement warning of cybercriminals abusing popular cloud-based email services as part of Business Email Compromise (BEC) attacks.
This is the second time within a month that the FBI has warned of malicious actors abusing cloud email to conduct BEC scams, with a private industry notification (PIN) on the same subject having been issued on March 3.
While previously the FBI singled out Microsoft Office 365 and Google G Suite as the ones targeted in such attacks, this time the agency refers to them only as “two popular cloud-based email services.”
“Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite,” the FBI said in the PIN.
“While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled.”
Cloud email and BEC scams
The crooks’ move to attacking through cloud-based email services matches organizations’ migration to the same type of services from on-premises email.
To abuse cloud email services, the scammers use email service-aware phishing kits that closely imitate the services’ interface and are designed to trick a target’s employees into handing over their account credentials.
The targets are redirected to the phishing kits used as part of these BEC attacks via large-scale phishing campaigns, with the phishing kits being able to identify the “service associated with each set of compromised credentials” and display the correct user interface.
“Upon compromising victim email accounts, cybercriminals analyze the content to look for evidence of financial transactions,” the FBI explained today.
“Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers.”
The scammers will then impersonate employees or business partners, with the end goal of redirecting payments to bank accounts they control.
They will also collect and exfiltrate partner contacts from the compromised email accounts, later using them to launch further phishing attacks and compromise other businesses, which makes it easy to pivot to other targets within the same or related industry sectors.
Increasing number of COVID-19 related BEC attacks
The FBI also warned today of a boost in the number of BEC scams designed to exploit the COVID-19 pandemic targeting US municipalities, financial institutions, and bank customers.
“Recently, there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19,” the FBI says in a press release.
Among the BEC attempts reported or observed by the agency recently, the FBI highlights two examples:
• A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
• A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.
A scammer group tracked by Agari researchers as Ancient Tortoise was the first one spotted using the COVID-19 outbreak as leverage in a BEC attack, as BleepingComputer reported last month.
The FBI IC3’s 2019 Internet Crime Report, published in February, says that BEC was the cybercrime type with the highest reported total victim losses in 2019, at roughly $1.8 billion in individual and business losses.
How to defend against BEC attacks
Although Google G Suite, Microsoft Office 365, and other popular cloud-based email services come with built-in security features that could help block BEC attempts, many of these features aren’t enabled by default and have to be manually configured or toggled on by IT admins and security teams.
Because of this, “small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams,” the FBI explains.
The FBI recommends that IT admins take the following measures, which could block BEC attacks:
• Prohibit automatic forwarding of email to external addresses.
• Add an email banner to messages coming from outside your organization.
• Prohibit legacy email protocols such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication.
• Ensure mailbox logon and settings changes are logged and retained for at least 90 days.
• Enable alerts for suspicious activity such as foreign logins.
• Enable security features that block malicious email such as anti-phishing and anti-spoofing policies.
• Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email.
• Disable legacy account authentication.
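As an added illustration of the logging and alerting items above (not code from the FBI notice or the article), the following Python script reviews constructed mailbox audit events for two indicators the list calls out: inbox rules that auto-forward mail to an external domain, and logins from countries where the organization has no staff. The event field names, the organization domain and the expected-country list are assumptions, not any provider’s real audit schema.

```python
# Added example: detect BEC-style mailbox activity in cloud email audit events.
# The event shape below is a simplified, constructed format (an assumption);
# real tenant audit logs use different field names and carry many more fields.
from collections import Counter

ORG_DOMAIN = "example.com"          # assumed organization domain
EXPECTED_COUNTRIES = {"US", "GB"}   # assumed countries where staff normally log in

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"user": "cfo@example.com", "op": "UserLoggedIn", "country": "US", "ip": "203.0.113.10"},
    {"user": "cfo@example.com", "op": "UserLoggedIn", "country": "NG", "ip": "198.51.100.7"},
    {"user": "cfo@example.com", "op": "New-InboxRule",
     "forward_to": ["payments@attacker-example.net"], "delete": True},
    {"user": "ap@example.com", "op": "New-InboxRule",
     "forward_to": ["archive@example.com"], "delete": False},
    {"user": "ap@example.com", "op": "UserLoggedIn", "country": "GB", "ip": "192.0.2.5"},
]

def is_external(address: str) -> bool:
    """True when the address is outside the organization's own domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def review_events(events):
    """Return a list of (user, reason) alerts for BEC-style mailbox activity."""
    alerts = []
    for ev in events:
        if ev["op"] == "UserLoggedIn" and ev["country"] not in EXPECTED_COUNTRIES:
            alerts.append((ev["user"],
                           f"login from unexpected country {ev['country']} ({ev['ip']})"))
        elif ev["op"] == "New-InboxRule":
            ext = [a for a in ev.get("forward_to", []) if is_external(a)]
            if ext:
                reason = "inbox rule forwards mail externally to " + ", ".join(ext)
                if ev.get("delete"):
                    # Forward-and-delete hides the fraudster's traffic from the mailbox owner.
                    reason += " and deletes the original"
                alerts.append((ev["user"], reason))
    return alerts

def users_with_multiple_indicators(alerts):
    """Users hit by more than one indicator deserve the first look from responders."""
    counts = Counter(user for user, _ in alerts)
    return sorted(u for u, n in counts.items() if n > 1)

if __name__ == "__main__":
    found = review_events(SAMPLE_EVENTS)
    for user, reason in found:
        print(f"ALERT {user}: {reason}")
    print("prioritize:", users_with_multiple_indicators(found))
```

Running it flags only the CFO mailbox, which has both a foreign login and an external forward-and-delete rule, while the internal archive rule and the expected UK login produce no alert.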
Users can follow these recommendations to defend against BEC scammers:
• Enable multi-factor authentication for all email accounts.
• Verify all payment changes and transactions in-person or via a known telephone number.
• Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.