How Your Company Will Wire Money to Hackers
About Business Email Compromise
Hackers are at the forefront of my mind these days. I’m not talking about the Hollywood portrayal of a stereotypical, hoody-sporting eccentric computer genius who spends countless hours hacking through “firewalls” and “antivirus” systems. No, I’m afraid reality is a bit more drab. The real hackers I come across likely sit in front of boring text terminals and type archaic commands that will likely never win any academy awards. Yet these attackers are winning in different area: obtaining corporate data and financial funds at an alarming rate.
Their attack has many names. Business email compromise (BEC), phishing / spear-phishing, and whaling to name a few. Yet all these terms essentially refer to the same thing: compromising email for nefarious purposes. Such carnage includes looting of intellectual property, leveraging email to gain access to other systems, or just good old-fashioned financial fraud.
The interesting thing about email compromise is that the barrier to entry is relatively low. So low in fact, that email doesn’t necessarily need to be “compromised” in the traditional sense. While viruses, trojans, and other malware may be in play, the most simplistic form of email compromise is executed by simply creating a look-alike email account which tricks a human target into believe they’re corresponding with a legitimate entity.
Let’s say an attacker wants to gain control of a vendor mailbox in order to trick an accounts payable (AP) administrator at your company into wiring funds towards a bank account that is under the control of the attacker.
The business process commences with a vendor emailing your corporate AP department’s email address (AP@your-company.com) with an invoice; usually as a PDF attachment. The AP administrator opens the benign email and examines the invoice to enumerate the vendor in question, a total amount, and so on. Assuming the internal buyer has an open purchase order with adequate funds, the invoice is sent to one or more approvers. Once fully approved, the vendor is paid by check, credit card, or wire transfer. This is conveyed in the figure below:
Now our hacker enters the picture. The beauty of this attack is that the hacker only has to compromise one of two innocent victims. This is because the buyer trusts the vendor and vice-versa. Thus compromising one party equates to gaining the trust of the other.
Let’s imagine the attacker chooses to target your vendor instead of attacking your AP department directly. Once the vendor’s mailbox is compromised (or impersonated), the AP administrator will receive a seemingly legitimate invoice with all the proper branding of the vendor in question, yet with one small tweak: a different wiring destination:
Honestly, we can’t blame the AP administrator here. Out of dozens or hundreds of vendors, there’s no way an overworked staffer is going to notice that a unmemorable wire account number has suddenly changed.
Typically, the way this type of fraud is detected is when the “real” vendor calls AP, stating they haven’t received payment. By the time the finance team figures out what happened, the money is long-gone into the hacker’s bank account.
Email Compromise Tactics
For brevity, I’ll cover four attack scenarios. But keep in mind, three out of the four attacks don’t require execution of any malicious code whatsoever. They’re entirely rooted in social engineering, and thus tend to fly under the radar of many email security systems.
Let’s assume a hacker intends to impersonate a vendor your company uses in order to wire your company funds to his account. We’ll pretend the vendor is named “Wendy Liu” from company “Really-Good-Vendor.com.” Here are just a few ways her mailbox can be compromised; listed in order of increasing covertness:
The Lazy Spoof
The “friendly” part of email “from” address references victim, Wendy. Yet the actual SMTP address is the mailbox of the attacker. Example:
FROM: “Wendy Liu <firstname.lastname@example.org>”
This is about as simple as it gets, with the friendly name mimicking the victim, but the SMTP address (which average users don’t examine) being the give-away something is (ph)fishy.
The Reply-To Attack
Here, the “from address” is actually that of the victim. It’s not a look-alike; it’s the real thing. So, how would a reply from the real corporate AP team get back to the hacker? By way of an SMTP feature known as a reply-to address. Here’s an example:
MAIL FROM: “Wendy Liu <email@example.com>”
RCPT TO: “AP <firstname.lastname@example.org>”
SUBJECT: “Urgent – Your Payment is Overdue!”
FROM: “Wendy Liu <email@example.com>”
REPLY-TO: “Wendy Liu <firstname.lastname@example.org>”
As you can see, SMTP has all types of interesting “auxiliary” fields that hackers mix-and-match to fool end-users. Scrutinizing an email is tough when one SMTP field can override another within the mail client user interface; particularly when the UI is a mobile app with limited screen real estate that that don’t show headers or other verbose addressing details by default.
The Typosquatter Domain
Another weapon in the hacker’s repertoire is to buy a domain that looks very similar to the victim’s domain. There are numerous heuristics to play with, such as replacing characters– ‘i’ becomes lower-case ‘L’, the letter ‘o’ becomes the number 0 and so on. Here’s an example where the letter ‘o’ has been replaced with zeros in the word “GOOD”:
MAIL FROM: “Wendy Liu <email@example.com>”
RCPT TO: “AP <firstname.lastname@example.org>”
SUBJECT: “Urgent – Your Payment is Overdue!”
Such a minuscule change is unlikely to be noticed by the busy AP administrator. Moreover, there’s technically nothing wrong with this email. It has no malware nor does it try to compromise credentials. In the eyes of Internet email systems, it’s just another email domain sending a properly-formatted email message.
Completely Compromised Mailbox
Of course, there are time when the hacker does in fact compromise (that is, take full control of) the victim’s mailbox. This can be achieve any number of ways, but two popular approaches are malware and credential theft.
The malware approach is fairly straight-forward in that the user is tricked into downloading (by way of email link or attachment) a malicious file that infects the end-user device and allows the hacker to penetrate the mailbox, and possibly other corporate assets. The advantage of malicious code is that it truly enables the hacker to do whatever he or she wants on the target. The downside, is that malicious code leaves a digital footprint that antivirus and other security systems can sniff out and eliminate.
The credential theft approach is more stealthy as it doesn’t require any malicious code. A common way to steal email credentials is to send someone an email with either a link or an attachment that requires “authentication” to open. Something like the following:
Notice that both URLs are fraudulent, with one being more obvious than the other.
Decades ago, email was not originally designed with security in mind. The consequence we see today is that email attacks are subtle, yet incredibly damaging. Fortunately, we can improve the situation with bolstering business processes and bolting-on additional layers of security tooling to existing email infrastructure. Check out other threads at Centermast.com for details on defending against email attacks.
You may unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please visit our privacy notice. Note that we use Mailchimp as our email service provider. By clicking subscribe, you acknowledge that your information will be transferred to Mailchimp for processing.
About David Torre
David Torre is a business technology veteran with years of experience coupled with degrees in both information systems and business intelligence. This combination of skills has enabled David to provide enterprise solutions to well-known companies who face some of the toughest challenges in the business world today.
David currently resides in the San Francisco Bay Area where he runs Center Mast, LLC.