Trend: Hackers Leveraging Work-from-Home to Heist Wire Transfers
June 2020 by Check Point
As professionals work from home during the coronavirus outbreak, cyber gangs impersonate CEOs and CFOs to trick employees into sending wire transfers to the wrong place.
• Fraudsters carefully research and closely monitor their potential target victims and their organizations for months, tracking behaviors or deals to come
• Private Equity, Venture Capital and money allocators are primary targets
• Check Point provides an example of a sophisticated cyber gang that heisted $1.3 million from three private equity firms
• The FBI deems the scam the #1 threat in terms of money lost
Researchers at Check Point say the shift to a work-from-home environment is inspiring hackers to steal wire transfers. As we depend more on email to conduct business, hackers are orchestrating what researchers call a "BEC" scam to take advantage of people not seeing each other face-to-face.
What is a BEC Scam?
BEC, which stands for "business email compromise", is a type of scam targeting companies that conduct wire transfers. A BEC scam begins with a cybercriminal hacking and spoofing emails to impersonate a company’s supervisors, usually the CEO and CFO, or sometimes vendors. Once in, the cybercriminal requests a seemingly legitimate business payment. The email looks authentic and appears to come from a known authority figure, so the employee complies. Typically, the fraudster will ask for money to be wired or checks to be deposited. Unknowingly, the employee wires the funds into a bank account of the cybercriminal's choosing.
BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. As noted, they impersonate the CEO or any executive authorized to approve wire transfers. In addition, fraudsters carefully research and closely monitor their potential target victims and their organizations for months, tracking behaviors or deals to come.
BEC Transitions to Organized Crime during Coronavirus
Normally, a BEC scam is carried out by a single individual. Recently, however, Check Point researchers have observed that these scams are increasing in sophistication, and now classify them as organized crime. In April 2020, Check Point researchers published a paper on how they unraveled a scheme in which a cyber gang, which researchers dubbed "the Florentine Banker", heisted $1.3M from three private equity firms. For months, the group studied its targets' emails, manipulating correspondence, registering lookalike domains, and cashing out immediately in strategic phases. Emergency intervention by Check Point Incident Response led to the recovery of just over half the heisted amount; the rest was permanently lost.
Private Equity, Venture Capital and Money Allocators are Primary Targets
Check Point researchers believe private equity and venture capital firms are primary targets for BEC scams, since hackers know that large sums of money are transferred from these organizations frequently. These financial institutions should better understand exactly how hackers try to take advantage of them.
Accordingly, Check Point researchers profile the attack methodology in five steps:
1. Observation. Once the attackers gain control over the victim’s email account, they start reading their emails. Cyber gangs can spend days, weeks or even months doing reconnaissance before actively intervening in the communication, patiently mapping the business scheme and procedures.
2. Control and Isolation. The attackers start to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. These email rules divert any emails with filtered content or subjects into a folder monitored by the threat group, essentially creating a “Man in the Middle” attack.
3. Lookalike setup. The attackers register lookalike domains - domains that look visually similar to the legitimate domains of the entities involved in the email correspondences they want to intercept. The attacker starts sending emails from the lookalike domains. They either create a new conversation or continue an existing one - thus deceiving the target into presuming the source of the email is legitimate.
4. Request for money. The attackers begin injecting fraudulent bank account information through the following two techniques:
   • Intercepting legitimate wire transfers
   • Generating new wire transfer requests
5. Money transfer. Cyber gangs manipulate the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.
Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen, said: "We’re in the midst of a massive paradigm shift in hacker activity. Hackers are taking advantage of all of us working from home. We see BEC scams as part of this broader trend. If you are a business or organization that is known to transfer large sums of money, you should know that you are a primary target for this scam type. As you work from home, someone can be monitoring and manipulating each one of your emails, especially if you’re a designated person within an organization that allocates money. We feel obliged to educate businesses, especially financial institutions, on what these scams are and how they can stay safe; because, we expect more to surface in 2020 given the work-from-home culture."
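The "control and isolation" step above rests on mailbox rules the victim never sees. The script below is an added example, not Check Point's code, showing how an incident responder can audit an export of a user's inbox rules for that pattern: finance-related mail being routed to folders nobody reads, deleted, marked as read, or forwarded outside the organisation. The rule records are constructed sample data; their field names are loosely modelled on what Exchange Online's `Get-InboxRule` reports (`Name`, `Enabled`, `SubjectContainsWords`, `MoveToFolder`, `DeleteMessage`, `ForwardTo`, `MarkAsRead`) and should be treated as an assumption about the export format, as should the internal domain `example-pe.com`.

```python
"""Audit exported mailbox rules for the BEC 'control and isolation' pattern.

Added example, not Check Point's code. Rule records are constructed, with
field names loosely modelled on Exchange Online's Get-InboxRule output
(an assumption; adapt the keys to whatever your export actually contains).
"""
import re

# Folders a user rarely opens: the classic hiding places for diverted mail.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}
# Keywords that recur in wire-transfer and deal correspondence.
FINANCE_WORDS = re.compile(r"\b(invoice|wire|payment|transfer|bank|swift|iban|"
                           r"remit|beneficiary|capital call|closing)\b", re.I)
INTERNAL_DOMAINS = {"example-pe.com"}  # constructed: the organisation's own domain(s)


def _external(addr: str) -> bool:
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return the reasons (possibly none) a single rule looks like a diversion rule."""
    if not rule.get("Enabled", True):
        return []                      # disabled rules cannot divert anything
    reasons = []
    words = " ".join(rule.get("SubjectContainsWords", []) +
                     rule.get("BodyContainsWords", []))
    finance = bool(FINANCE_WORDS.search(words))
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDDEN_FOLDERS and finance:
        reasons.append(f"moves finance-related mail to '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage") and finance:
        reasons.append("deletes finance-related mail")
    if rule.get("MarkAsRead") and (folder in HIDDEN_FOLDERS or rule.get("DeleteMessage")):
        reasons.append("marks diverted mail as read so it never shows up as unread")
    for fwd in rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", []):
        if _external(fwd):
            reasons.append(f"forwards to external address {fwd}")
    # Heuristic, not from the page: blank or one-character rule names are worth a look,
    # since a rule the user did not create tends to have a name chosen to be overlooked.
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append("rule has an empty or single-character name")
    return reasons


def audit_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule name to its list of findings; clean rules are omitted."""
    return {r["Name"]: why for r in rules if (why := audit_rule(r))}


SAMPLE_RULES = [  # constructed sample export for one mailbox
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@"], "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,
     "SubjectContainsWords": ["wire", "invoice", "capital call"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Name": "fwd", "Enabled": True,
     "BodyContainsWords": ["IBAN"], "ForwardTo": ["ext.mailbox@example.net"]},
    {"Name": "Old rule", "Enabled": False,
     "SubjectContainsWords": ["payment"], "DeleteMessage": True},
]

if __name__ == "__main__":
    for name, why in audit_mailbox(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(why))
```

Run against the constructed export, the script flags the "." rule (finance mail hidden in RSS Subscriptions and marked read) and the "fwd" rule (external forward), and ignores the newsletter rule and the disabled one. In a real response the same checks belong on every mailbox that touches payments, not just the one that reported a problem, because the attackers in the case above controlled several accounts at once.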
How to Protect your Organization from BEC
Check Point believes the below are good guidelines to follow:
1. Enable multi-factor authentication for business email accounts. This type of authentication requires multiple pieces of evidence to log in rather than a password alone. Implementing multi-factor authentication makes it more difficult for a cybercriminal to gain access to employees’ email.
2. Don’t open any email from unknown parties. If you do, do not click on links or open attachments as these often contain malware that accesses your computer system.
3. Double-check the sender’s email address. A spoofed email address often has an extension similar to the legitimate email address.
4. Always verify before sending money or data. Make it standard operating procedure for employees to confirm email requests for a wire transfer or confidential information.
5. “Forward,” don’t “reply” to business emails. By forwarding the email, the correct email address has to be manually typed in or selected from the address book. Forwarding ensures you use the intended recipient’s correct email address.
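Guideline 3 (check the sender's address) is what defeats the lookalike domains registered in step 3 of the methodology, but a human reader is exactly who those domains are designed to fool. The following is an added example, not Check Point's code, of the check done by machine: each sender domain is compared against a list of trusted counterparties after folding the usual visual tricks (`rn` for `m`, digits for letters, Cyrillic letters for Latin ones), then tested for one- or two-character typo-squats and for a trusted name wrapped inside a longer domain. The trusted domains and sample senders are constructed for the example; the confusable-character table is deliberately small and would be extended in production.

```python
"""Flag sender domains that visually resemble a trusted counterparty's domain.

Added example, not Check Point's code. TRUSTED_DOMAINS and the sample
senders are constructed; a real deployment would load the counterparty
list from the organisation's own records.
"""
from __future__ import annotations
import unicodedata

TRUSTED_DOMAINS = {"example-pe.com", "acme-capital.com", "northbridge-vc.com"}  # constructed

# Glyph pairs that look alike in common fonts (small illustrative table, not exhaustive).
# Includes a few Cyrillic letters that are near-identical to Latin ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def normalise(domain: str) -> str:
    """Lower-case, decode punycode, strip accents, then fold confusable glyphs."""
    d = domain.lower().strip().rstrip(".")
    try:
        # 'xn--' labels are decoded so the actual Unicode characters are compared.
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass                           # already Unicode, or malformed punycode
    # NFKD plus dropping combining marks turns 'é' into 'e'.
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough for typo-squats and wrong TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> tuple[str, str | None]:
    """Return (verdict, trusted_domain): verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalise(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_norm = normalise(trusted)
        brand = t_norm.split(".")[0]                       # e.g. 'acme-capital'
        if (norm == t_norm                                 # glyph-substitution clone
                or edit_distance(norm, t_norm) <= 2        # typo-squat or wrong TLD
                or (len(brand) >= 6 and brand in norm)):   # brand wrapped in extra labels
            return "lookalike", trusted
    return "unknown", None


SAMPLE_SENDERS = [  # constructed
    "cfo@example-pe.com",          # genuine
    "cfo@exarnple-pe.com",         # 'rn' standing in for 'm'
    "ops@acme-c\u0430pital.com",   # Cyrillic 'а' in place of Latin 'a'
    "deals@northbridge-vc.co",     # dropped last letter of the TLD
    "partner@acme-capital-llc.com",  # trusted brand plus an extra token
    "news@unrelated-vendor.org",   # neither trusted nor similar
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A 'lookalike' verdict should block or quarantine the message rather than merely warn, since the text above notes that the attackers continue existing threads from the lookalike domain and the recipient has every contextual reason to trust it. The distance threshold of 2 is generous for short domains and will produce false positives there; tune it per counterparty, and keep the 'unknown' class visible too, because a brand-new vendor domain asking for changed bank details is exactly what step 4 looks like.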