CFO Phishing / Fraud Attacks – BEC (Business Email Compromise)
BEC (Business Email Compromise) incidents are on the rise, costing companies more than £9.5 billion over the last 5 years.
BEC attacks involve the use of multiple disciplines to be effective. BEC campaigns are usually multi-staged, as a degree of familiarity with the company's policies and staff is required for the attack to be carried out successfully.
While domains that are virtually indistinguishable from the original are used in the initial phishing stage of the attack, the actual fraud is carried out from internal mail accounts that have been compromised, making detection of fraudulent mails that much harder. Some of the tactics used include sending mail from the accounts of high-level staff, inserting themselves into a legitimate mail exchange, and manipulating mail filtering and inbox rules to ensure the targeted users are only communicating with the attacker.
ISO 9001 • ISO 14001 • ISO 22301 • ISO 27001 • OHSAS 18001
Trusted Partner of the Cyber Defence Alliance (CDA). Working collaboratively to fight cyber threats and crime
For more information contact Brookcourt Solutions t: +44 (0) 1737 886 111 www.brookcourtsolutions.com
In companies with additional steps in place for payments (documentation or approval), the attackers found the relevant paperwork on the company network and filled it out after researching previous uses of that paperwork, so that it contained no mistakes that would raise suspicion.
BEC (Business Email Compromise) campaigns involve the following stages:
Stage 1
• Credential harvesting – typically from large data dumps available online
• Social engineering
• Phishing / targeted phishing
Stage 2
• Endpoint / user reconnaissance – learning the language, templates and tone of messages on the network
• Learning how the targeted user interacts with colleagues and third parties
Stage 3
• Manipulation of emails / the email system to send mail that appears to be from the relevant user, in the correct format
• Registering a domain / domains that are similar to the company domain
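The lookalike-domain tactic described above (the Stage 3 domain registration and the "virtually indistinguishable" domains used in the initial phishing stage) can be screened for on the receiving side. The following is an added example, not code from Brookcourt or from the original flyer: it folds common glyph substitutions (rn for m, 1 for l, 0 for o, accented or non-Latin letters) out of a sender's domain and compares the result with the company's own domain by edit distance. The company domain `acme-finance.com` and all sample From headers are constructed for the demonstration, and the single-label public-suffix assumption is noted in the code.

```python
import unicodedata
from email.utils import parseaddr

# Digraphs and characters commonly swapped into lookalike domains. Both the
# suspect label and the genuine label are folded with the same tables, so only
# the difference between them matters.
_DIGRAPHS = {"rn": "m", "vv": "w"}
_SINGLES = str.maketrans({"0": "o", "1": "l", "|": "l", "i": "l", "5": "s", "3": "e"})


def normalize_label(label: str) -> str:
    """Fold a domain label to a canonical form that collapses look-alike glyphs."""
    folded = unicodedata.normalize("NFKD", label.lower())
    # Dropping non-ASCII residue turns accented Latin letters into their base
    # letter; a Cyrillic or Greek look-alike is dropped outright, which still
    # leaves the label one edit away from the genuine one.
    folded = folded.encode("ascii", "ignore").decode("ascii")
    for digraph, single in _DIGRAPHS.items():
        folded = folded.replace(digraph, single)
    return folded.translate(_SINGLES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """Label left of the top-level domain, e.g. 'acme-finance' for 'acme-finance.com'."""
    labels = domain.lower().rstrip(".").split(".")
    # Assumption: single-label public suffixes such as .com. A public-suffix
    # list lookup is needed to handle suffixes like .co.uk correctly.
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_sender_domain(sender_domain: str, legit_domains, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    sender = sender_domain.lower().rstrip(".")
    legit = [d.lower().rstrip(".") for d in legit_domains]
    if any(sender == d or sender.endswith("." + d) for d in legit):
        return "legitimate"
    sender_label = normalize_label(second_level_label(sender))
    for d in legit:
        legit_label = normalize_label(second_level_label(d))
        # Same label under a different TLD, the genuine name embedded in a
        # longer one, or a small edit distance all count as a lookalike.
        if (sender_label == legit_label
                or legit_label in sender_label
                or levenshtein(sender_label, legit_label) <= max_distance):
            return "lookalike"
    return "unrelated"


def sender_domain_of(from_header: str) -> str:
    """Extract the domain part of an RFC 5322 From header value."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def scan_from_headers(from_headers, legit_domains):
    """Classify each From header; returns (header, verdict) pairs."""
    return [(h, classify_sender_domain(sender_domain_of(h), legit_domains)) for h in from_headers]


LEGIT_DOMAINS = ["acme-finance.com"]  # constructed company domain for the demo

SAMPLE_FROM_HEADERS = [  # constructed sample headers
    "Finance Director <cfo@acme-finance.com>",
    "Finance Director <cfo@mail.acme-finance.com>",
    "Finance Director <cfo@acrne-finance.com>",   # rn in place of m
    "Accounts <ap@acme-f1nance.com>",              # digit 1 in place of i
    "Accounts <ap@acme-finances.com>",             # one extra letter
    "Accounts <ap@acme-finance.co>",               # top-level domain swapped
    "Newsletter <news@totally-different.org>",
]

if __name__ == "__main__":
    for header, verdict in scan_from_headers(SAMPLE_FROM_HEADERS, LEGIT_DOMAINS):
        print(f"{verdict:11} {header}")
```

The distance threshold is deliberately small: with `max_distance=2` a short company name would match many innocent domains, so for short names the threshold should be lowered to 1, and a match here is a reason to quarantine or visibly tag the message for the recipient, not proof of fraud on its own.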
How can Brookcourt's Cyber Surveillance Team help?
• Monitor for mentions of the company across criminal forums and the dark web
• Monitor for mentions of key staff members online, including criminal forums and the dark web
• Monitor domain registrations related to the company directly, as well as to partners, third parties and suppliers
• Provide additional information on any suspect indicators of compromise through our Request for Intelligence service
• Provide security awareness videos to educate staff on the dangers of, and the indicators used in, campaigns of this nature
• Provide machine-readable intelligence to enrich SIEMs and firewalls with potentially malicious IP addresses logged on the network
What to watch for: C-Level and Finance Staff
• Suspicious or unexpected requests (over email or phone) from third parties or internal staff involving payments. If in doubt, use a number on file to contact the person in question and verify the payment request. Never use the number provided within the mail, as this can easily be directed to the attacker.
• Do not enable macros on mail attachments; this is an age-old and common way of infecting an endpoint with malware.
What to watch for: Cyber Security and IT Staff
• Alerts on the network involving Trojan software
• Suspicious staff logins, typically out of hours or from a suspect location
• Phishing mails targeting C-level staff, or staff involved in the approval or payment of wire transfers or invoices, either internally or for external parties
• Suspicious IP addresses showing up in monitoring software
• Suspicious connections coming from unexpected countries or regions
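Two of the indicators in the list above (out-of-hours logins and connections from unexpected countries) and the inbox-rule manipulation mentioned earlier in the flyer can be turned into simple detection logic. The following is an added example and not code from Brookcourt or the original flyer: it reads constructed JSON-lines audit events, flags out-of-hours or unexpected-country logins and inbox rules that forward mail externally or hide messages, and raises the severity of a rule created shortly after a suspicious login by the same user. The event format, the company domain, the expected countries, the business hours and the hidden-folder list are all assumptions for the demonstration; a real deployment would take them from the mail platform's audit log and the identity provider.

```python
import json
from datetime import datetime

# Constructed policy values for the demo (assumptions, not a real tenant's settings).
COMPANY_DOMAINS = {"acme-finance.com"}
EXPECTED_COUNTRIES = {"GB", "IE"}
BUSINESS_HOURS = range(7, 19)                 # 07:00 to 18:59 local time
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items"}
LOGIN_REASONS = {"out_of_hours_login", "unexpected_country"}


def is_out_of_hours(ts: datetime) -> bool:
    """Weekend, or outside business hours on a weekday."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def check_login(event: dict, ts: datetime) -> list:
    reasons = []
    if is_out_of_hours(ts):
        reasons.append("out_of_hours_login")
    if event.get("country") not in EXPECTED_COUNTRIES:
        reasons.append("unexpected_country")
    return reasons


def check_inbox_rule(event: dict) -> list:
    """Rules that leak mail outside the company or hide it from the mailbox owner."""
    rule = event.get("rule", {})
    reasons = []
    target = rule.get("forward_to", "")
    if target and target.rpartition("@")[2].lower() not in COMPANY_DOMAINS:
        reasons.append("external_forwarding_rule")
    if rule.get("delete") or rule.get("move_to", "").lower() in HIDDEN_FOLDERS:
        reasons.append("message_hiding_rule")
    return reasons


def detect(lines) -> list:
    """Run the checks over JSON-lines audit events; returns one alert dict per finding."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"])      # assumption: local time, no offset
        if event["event"] == "Login":
            reasons = check_login(event, ts)
        elif event["event"] == "InboxRuleCreated":
            reasons = check_inbox_rule(event)
        else:
            reasons = []
        for reason in reasons:
            alerts.append({"ts": event["ts"], "user": event["user"], "reason": reason})
    return alerts


def prioritise(alerts: list, window_minutes: int = 60) -> list:
    """Mark inbox-rule alerts 'high' when the same user had a suspicious login shortly before."""
    for alert in alerts:
        alert["severity"] = "medium"
        if not alert["reason"].endswith("_rule"):
            continue
        rule_time = datetime.fromisoformat(alert["ts"])
        for other in alerts:
            if other["user"] != alert["user"] or other["reason"] not in LOGIN_REASONS:
                continue
            gap = (rule_time - datetime.fromisoformat(other["ts"])).total_seconds()
            if 0 <= gap <= window_minutes * 60:
                alert["severity"] = "high"
                break
    return alerts


# Constructed sample audit log: 4 March 2024 is a Monday, 9 March a Saturday.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-03-04T09:15:00", "user": "cfo", "event": "Login", "country": "GB", "ip": "203.0.113.5"}
{"ts": "2024-03-04T02:40:00", "user": "cfo", "event": "Login", "country": "GB", "ip": "198.51.100.77"}
{"ts": "2024-03-04T11:05:00", "user": "accounts.payable", "event": "Login", "country": "NG", "ip": "192.0.2.44"}
{"ts": "2024-03-04T11:09:00", "user": "accounts.payable", "event": "InboxRuleCreated", "rule": {"forward_to": "ap-archive@mail-example.net"}}
{"ts": "2024-03-04T11:10:00", "user": "accounts.payable", "event": "InboxRuleCreated", "rule": {"subject_contains": "invoice", "move_to": "RSS Subscriptions"}}
{"ts": "2024-03-09T10:00:00", "user": "cfo", "event": "Login", "country": "GB", "ip": "203.0.113.5"}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in prioritise(detect(SAMPLE_AUDIT_LOG)):
        print(f"{alert['severity']:6} {alert['ts']} {alert['user']:17} {alert['reason']}")
```

The correlation step matters more than any single rule: an unexpected-country login on its own is often a travelling employee, but the same account creating a forwarding or message-hiding rule minutes later is the pattern the flyer describes, where the attacker arranges that the finance user only sees mail from them.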
Due to the nature of these threats and the sophistication of the attack, the main defence is vigilance. The threats come from known users, look perfectly normal, and adhere to the company's standard format and requirements.
Often the only change in the mail is the account details and numbers. Double check these against the details on record to ensure they are correct. A small amount of time spent checking could save thousands.
Resources
https://www.scmagazineuk.com/new-email-scam-targeting-accounts-personnel-fortune-500-companies/article/1473214
https://www.telegraph.co.uk/finance/personalfinance/bank-accounts/11528119/Beware-invoice-email-scam-to-steal-bank-details.html
https://teiss.co.uk/threats/bec-attacks-business-cost/
https://krebsonsecurity.com/tag/bec/