Threat actors, likely of Nigerian origin, are using business email compromise (BEC) scams to target Fortune 500 companies.
The scam is designed to trick accounts payable staff into initiating fraudulent wire transfers, and has already resulted in the theft of millions of dollars.
IBM X-Force Incident Response and Intelligence Services (IRIS) researchers identified a widespread credential-harvesting phishing campaign designed to steal financial assets. According to the IBM team, the BEC scammers pursue two separate but connected goals.
First, the scammers attempt to harvest large numbers of business user credentials via a targeted phishing campaign.
The second goal is to use the stolen credentials to impersonate the victims in an effort to trick employees into wiring funds to the attacker’s bank accounts.
Attackers focus on companies that use only single-factor authentication (username and password) to log in to an email web portal, such as Microsoft Office 365. Where two-factor authentication is not enabled on the portal, a stolen password alone lets the attacker log in to the victim's mailbox without ever touching the corporate network.
Because no malware is involved, there is also nothing for endpoint or network monitoring to flag: the attacker's activity looks like an ordinary webmail session by a legitimate user.
Once in, the attackers typically undertake a reconnaissance phase, reading internal email activity, including message subjects, to identify conversations and upcoming payments they can exploit.
The scammers then insert themselves into existing internal conversations and target accounts payable employees, tricking them into sending the fraudulent wire transfers.
In a well-known phishing technique, the attackers also register lookalike domains that closely resemble those of the target company's vendors, for example swapping the vendor's .com top-level domain for .net, or doubling a letter in the vendor's name.
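To make the lookalike-domain pattern concrete, here is an added example that is not code from IBM X-Force or the report. It checks the sender domain of each From header against a constructed allow-list of vendor domains, flags the two patterns the report describes (a swapped top-level domain and a doubled letter) and, going beyond the report, any single-character edit of the vendor name. The vendor domains, the list of swap TLDs and the sample From headers are all constructed for illustration.

```python
"""Flag sender domains that impersonate known vendor domains.

Added example for this article, not code from IBM X-Force or the report.
The vendor allow-list and the From headers below are constructed.
"""
from email.utils import parseaddr

# Constructed allow-list of legitimate vendor domains (assumption).
KNOWN_VENDOR_DOMAINS = {"acmesupply.com", "globalparts.com"}

# Top-level domains an impersonator is likely to swap in for the real one.
SWAP_TLDS = ("com", "net", "org", "co", "biz")


def split_domain(domain):
    """'acmesupply.com' -> ('acmesupply', 'com'), lower-cased."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def tld_swap_variants(domain):
    """Same name, different TLD: acmesupply.com -> acmesupply.net, ..."""
    name, tld = split_domain(domain)
    return {f"{name}.{alt}" for alt in SWAP_TLDS if alt != tld}


def doubled_letter_variants(domain):
    """One letter doubled: globalparts.com -> globallparts.com, ..."""
    name, tld = split_domain(domain)
    return {f"{name[:i]}{c}{name[i:]}.{tld}" for i, c in enumerate(name) if c.isalpha()}


def levenshtein(a, b):
    """Edit distance; used to generalise beyond the two patterns above."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_lookalike_index(known):
    """Map every generated lookalike to the legitimate domain it imitates."""
    index = {}
    for legit in known:
        for variant in tld_swap_variants(legit) | doubled_letter_variants(legit):
            if variant not in known:  # a vendor may legitimately own both .com and .net
                index[variant] = legit
    return index


LOOKALIKES = build_lookalike_index(KNOWN_VENDOR_DOMAINS)


def classify_sender(from_header, known=KNOWN_VENDOR_DOMAINS, index=LOOKALIKES):
    """Classify a From header as ('known', d), ('lookalike', legit, reason) or ('other', d)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in known:
        return ("known", domain)
    if domain in index:
        legit = index[domain]
        same_name = split_domain(domain)[0] == split_domain(legit)[0]
        return ("lookalike", legit, "tld-swap" if same_name else "doubled-letter")
    # Generalisation beyond the report's two patterns: any one-character
    # insertion, deletion or substitution in the vendor name.
    name, _ = split_domain(domain)
    for legit in known:
        if levenshtein(name, split_domain(legit)[0]) == 1:
            return ("lookalike", legit, "edit-distance-1")
    return ("other", domain)


# Constructed From headers standing in for a mail log (not real data).
SAMPLE_FROM_HEADERS = [
    "Accounts <ar@acmesupply.com>",        # genuine vendor
    "Accounts <ar@acmesupply.net>",        # .com swapped for .net
    "Billing <billing@globallparts.com>",  # doubled letter
    "Billing <billing@globalpats.com>",    # dropped letter, caught by edit distance
    "Someone <x@example.org>",             # unrelated sender
]


def scan(headers=SAMPLE_FROM_HEADERS):
    """Return (header, result) for every header classified as a lookalike."""
    hits = []
    for header in headers:
        result = classify_sender(header)
        if result[0] == "lookalike":
            hits.append((header, result))
    return hits


if __name__ == "__main__":
    for header, result in scan():
        print(f"{result[2]:>16}  {header}  imitates {result[1]}")
```

The index is built once from the allow-list, so per-message checks are dictionary lookups; the edit-distance fallback only runs for senders that match nothing else. In practice this check belongs on inbound mail alongside the external-sender banner, and a hit should trigger out-of-band verification of the vendor, not just a warning to the recipient.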
The IBM IRIS team recommends the following safeguards against BEC scams:
- Implement two-factor authentication (2FA) for account logins.
- Add banners that flag email arriving from external senders.
- Block the ability to auto-forward email outside the organization.
- Implement strict international wire transfer policies.
- Verify the vendor, and any change to its payment details, through a channel other than email.
Although BEC scams are not new, companies should be vigilant about implementing these safeguards. The IBM X-Force report provides further details, including an attack summary, social engineering tactics, recommendations and indicators of compromise.