Business Email Compromise

Juan Vera del Campo - juan.vera@professor.universidadviu.com

Contents

  1. Business Email Compromise (BEC)
  2. Types of Business Email Compromise (BEC)
  3. Investigating a BEC
  4. Prevention
  5. References

Business Email Compromise (BEC)

  • You work for the finance department of a big company (100MM EUR)
  • Your work involves transferring large amounts of money
  • One day, you receive a phone call from a lawyer

Note: background stock images from pexels: https://www.pexels.com/

  • You can google her name, she is involved in HUGE international operations
  • She knows what she is talking about
  • "Your company is in the middle of an important and confidential operation. We need your help. The CEO will contact you, please check the email"

Dear employeer,

We are in the middle of a very important finantial operation to acquire one of our competitors. It is of the upmost importance that this operation remains confidential until it can be safely announced.

I will be busy with the details. Please, get in touch with the important lawyer (in copy of this email). Keep me in the email chain.

I hope you undestand the confidentiality and urgency of this operation.

Your boss

  • The important lawyer sends you a document, which includes a transfer order for 4M€
  • The order is signed by your boss
  • You transfer the money
  • ...
  • A couple of days later, your boss calls you about a unplanned money transfer you made to some unregistered location

Do you believe you would never fall for this?

center

https://fr.wikipedia.org/wiki/Gilbert_Chikli
https://www.dw.com/en/france-fraudsters-sentenced-over-bizarre-impersonation-scam/a-52729296
https://mashable.com/article/gilbert-chikli-scam

Types of Business Email Compromise (BEC)

  • The Bogus Invoice Scheme: attackers pretend to be suppliers requesting fund transfers for payments to an account owned by fraudsters
  • CEO Fraud: Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control
  • Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts
  • Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters
  • Data Theft: Employees in HR and book-keeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks

https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)

Mail in the middle

center

BEC process

  • The attacker impersonates a party sending a series of spoofed emails
    • Usually implies previous compromise to gain intelligence
  • The first email may be from a legitimate address
    • ... but not necessarily a legitimate server (check your email client warnings!)
  • Reply-to is changed
  • Addresses similar to real ones to distinguish themselves:
    • worker@bigconnpany.com instead of worker@bigcompany.com
    • worker@bigcompany.us instead of worker@bigcompany.com
    • goodworker@bigcompany.com instead of good.worker@bigcompany.com

center

CEO Fraud

center

center

Some RED flags

The CEO needs something from me!

  • "I need help, fast and in confidence"
  • "You’ll be contacted by an attorney/an important partner"
  • "I can’t be contacted ATM"

Some acting is usually involved. Someone might call you!

Other examples: https://www.tessian.com/blog/covid-19-real-life-examples-of-opportunistic-phishing-emails-2/

Sextorsion

center

Beware: these fake extortions MAY include personal information collected from public sources!

Investigating a BEC

Something happened!

  • The investigation usually starts with little knowledge: "I suspect we have been victim of fraud! The money just disappeared!"
  • You identify a probable BEC by running questions. Then, you review logs

center

Objectives of the investigation

  • When did the intrusion begin?
  • How long did the threat actor maintain access? Is the actor still inside?
  • Is there someone internal involved?
  • How to prevent future attacks?
  • Insurance: did someone do something wrong?

These are only an introduction for this presentation. Check: https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/PwC-Business_Email_Compromise-Guide.pdf

Opportunistic attacks

The attackers know exactly when to attack. They know...

  • which person they have to contact
  • When the CEO is away the office and cannot be reached
  • The precise moment they have to change bank accounts
  • All the partied involved

How did the attacker send the first email?

How did the attacker know it was the right moment?

A BEC attack usually begins as a phishing attack, and inboxes are controlled since long before the detection

Control of the inbox

Email Collection : https://attack.mitre.org/techniques/T1114/

  1. Identify accounts that could have been under the control of the attackers
  2. Identify dates
  3. Any automatic rules: forward, move...
  4. Authentication from strange places
  5. Is 2FA activated? Even with 2FA: is legacy authentication activated?

Where are the logs?

  • On-premises: Exchange, dovecot...
  • "In the cloud": Google Workspace, Microsoft 365... they usually have audit logs and litigation modes. Warning: they cost extra and they must be activated BEFORE the incident

https://answers.microsoft.com/en-us/msoffice/forum/all/office-365-admin-portal-logs/70ca8227-0c69-408f-a2c3-e2c8a8cadfb5

Prevention

Identifying inbox compromise

  • Forwarding rules are one of the most common tactics observed in BEC investigations.
  • Identifying suspicious login activity is useful for assessing initial access and lateral movement.
  • Permission changes on existing or newly created accounts often indicate the threat actor established persistence, and could indicate the scope of an investigation is wider than initially assessed.
  • Abusing OAuth applications or other vulnerabilities.
  • Assessing which emails or data has been accessed and/or ex-filtrated is critical for determining the impact on an organization, including but not limited to financial losses, privacy implications and reputational damages.
  • Threat intelligence is an important part of the investigative process-
  • BEC intrusions are typically opportunistic and attribution is difficult.

External confirmation

You can check the reputation of a domain in several sites:

Warning: the response from these services is just a suggestion!

Threat intelligence

https://en.wikipedia.org/wiki/Cyber_threat_intelligence

  • Learn about attacks before they happen
  • Identify the registration of domains similar to your name: McDonals, ChinaExpor...
  • Identify leaked passwords

center

Signing / encypting emails: PGP

Your contacts send their public keys to you manually. All communications from a contact must be signed using one of the accepted keys.

The perfect solution: sender signs the email, the receiver only accept emails from trusted parties

Bad news: PGP is rarely used in real life!

https://docs.deistercloud.com/mediaContent/Axional development libraries.20/Server side javascript.50/AX Library.10/crypt/media/PGP.png

Protecting the channel, not the emails

Protecting emails end-to-end is not going to happen in the near future

Current solution: protecting emails in the middle

center

Email protection: SPF

Companies publish is their DNS the list of IP addresses of the servers allowed to send emails "from" the company

Receiver: check if the IP of the server that sent an email is authorized

i.e.: you authenticate the email someone@gmail.com was sent from a server authorized by GMail

https://medium.com/@pendraggon87/short-primer-on-spf-dkim-and-dmarc-9827eb2f359d

Email protection: DomainKeys Identified Mail (DKIM)

The receiving server checks the digital signature of the sending server

Your server (not you!) authenticates the content received from the sending server, not the sending user!

i.e.: your email provider authenticates than an email sent from someone@gmail.com was not modified since it left gmail.com

Fuente: https://dmarcian.es/what-is-dkim/
RFC 6376: DomainKeys Identified Mail (DKIM) Signatures September 2011

Received mails have an additional header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blackboard.com;
 s=sep2018; t=1670602715; bh=cS05YrQmiEH2S8VAGWK3wheZ287IPz+hfGXR1TsDY70=;
  h=Date:From:Subject:Reply-To; 
  b=gGHlf9eKK51Zw09JP98lOUgODgF61ZF7juJKDLjWLBxDDndvM8QMe4122XUO2wKgC
	 4SkqQkabmXk66gUsKIge9Z2pjnabs9klfTgZcCT13wxAUsIQur4SIJ+8f3a1sBnGTT
	 qSlMlB7ss5+0jIXVszWFtzkoHGPQ/UjVk9L24KGPwxRGyfGMI2JSgNHVWuP/61squO
	 rpG03vHZxsGyegGuXYt4/AADov8yNL3KVGq42bGAb7XKgt8MrtZGWA8GR9iWYIm3V1
	 6miGagayTXZANUbsdmtYtoPmxxdAuoOHiClnoXrdxhBFED8VrnhH8dMjd3ADZ1LaOA
	 LVRFXW1djkSrg==
  • d: domain: blackboard.com
  • s: selector sep2018
  • h: headers fields: Date:From:Subject:Reply-To;.
  • bh: body hash
  • b: signature of headers and body

Verification process

  • Get the body content, run canocalization algorithm c, calculate the hash value (bh). Check.
  • Concatenate the headers in h and the dkim header (removing b but not bh)
  • Download the server's public key from DNS using d and s
  • Check the signature

Of course, there are libraries for this

Digital signature:

> dig backboard.com TXT
...
blackboard.com.		28800	IN	TXT	"v=spf1 include:
_netblocks.blackboard.com ...

> dig spf.blackboardconnect.com TXT
...
spf.blackboardconnect.com. 1800	IN	TXT	"v=spf1
ip4:34.215.79.96
ip4:34.213.216.156
...
DNS Record - sep2018._domainkey.blackboard.com
Selector - sep2018
Domain - blackboard.com 

20210112.estudiantat-upc-edu.20210112.gappssmtp.com. 3600 IN TXT
v=DKIM1;k=rsa;g=*;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvs5qVO9zW6c
82vTZNGUA9YYZKfoxtSXGdG/+QEHe0Kg9D0wIuHobngn/+NmvYSmZ2KtdnQssTF93MhXBlQ8jX3
mjndj0tIaW6Snsm0+q68sJdzA7NtJBr4ljcEQRjq3jI6RQUrhs9gJ1DaKtws3SXMR8M72pQIbku
c5vkMxPCU5GPTj6TW9QweD/dZclLZ3o2AlcgONifoQY/7x2fV5GE9r55+xGB2m8yXKGeOybEkOA
G9goPDp4/XQVPHfX6+Icv/OflXQ+mAuzutgyeWAe0NvYaO6NiN0I2MkcgXACsuOVwCnLs9lPkWb
G9grZUEVz4wsJquAXgNQkse3eCpadIQIDAQAB

https://www.dmarcanalyzer.com/dkim/dkim-checker/
https://www.metaspike.com/leveraging-dkim-email-forensics/

X-Google-DKIM: DomainKeys Identified Mail

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=s7gErmNKwESPKSP6VW9kvRoEY/oQ8b6V1OFgRMqAjtU=;
        b=lB+wgPGej/d1HNLxj7oP1L9Mi56hwji5GA3hLrVYCRKohiAs3L7uI6fEq7sp7wBXKm
         9mOGnbIrSXMeOfOa/YnAnJg/4x6U5gvVtoisigFMR/bGxoPQRO6LUqvunBhR3il6f+OX
         ZRJIsZsvigsesD1vZcarlVr5D0QL2Cw2l1o1T6zVNH3Z8cmZNTCpfzmD3YmVCm+Cgdz9
         RQgX/iL12TxzzOmx+8yInGYnL9ZyaNY6Wsbi7LOBp7kRNLWrMKVtUlwuS2WSzQ5Jvwkm
         0SZ90S524hBquiF8WAzJI95AD/L5fr69sjaN/wM6pk8l6fTapm8+K6TsMPYrEhHtRFZ2
         vLYQ==

Google uses another DKIM signature that uses other headers. This is probably a signature to be used only inside Google. Still, it is a valid DKIM signature.

https://mailarchive.ietf.org/arch/msg/apps-discuss/_blROpC5GpEPk96nBqKoNUaO5rg/

Domain-based Message Authentication, Reporting & Conformance

center

  • An email authentication, policy, and reporting protocol
  • It builds on the widely deployed SPF and DKIM protocols
  • With DMARC you can tell the world how to handle the unauthorized use of your email domains by instituting a policy in your DNS
    • p=none: monitors your email traffic. No further actions are taken.
    • p=quarantine: sends unauthorized emails to the spam folder.
    • p=reject: unauthorized email doesn’t get delivered at all.

https://dmarc.org/

center

https://www.agari.com/blog/pros-cons-dmarc-reject-vs-quarantine

Email authentication: summary

Technology Use If not configured...
SPF Check if the IP is authorized to send an email from the domain Anyone in the Internet can send an email "from" mycompany.com
DKIM Digital signature of emails sent from a domain Anyone in the middle could change emails sent from mycompany.com
DMARC Inform receivers about the recommended actions Receivers "don't know what to do" if a email from mycompany.com doesn't pass SPF or DKIM
- - Emails from mydomain.com are going to be classified as "spam" or "suspicious" automatically

List of authorized IPs, public key and policies are announced in the domain's DNS entry

The bad news...

  • PGP is rarely used in real life... unfortunately
  • Not all companies implement SPF or DKIM, but this is changing very fast
  • These mechanisms do not protect against an email sent from macdonalds.com: the attackers can configure SPF and DKIM too!
  • These mechanisms only authenticate from the sending server to the receiving server!

Recommendations

  1. Admins:
    • Activate 2FA, disable legacy login
    • Activate mailbox auditing
    • Regularly, check rules
    • Train your users
  2. Users:
    • Check the address of the other participant in the communication
    • Be careful if the address changes
    • Be careful if the language of the other participants change
    • Many email clients do alert when an address changes
    • Many email clients do alert if an Internet header is spoofed

References

Continúa en: Anonimato

¡Gracias!

Las transparencias de hoy están en inglés

Gilbert Chickli is an international cyberattacker specialized in this kind of scam. He has a huge team and he was able to steal millions of euros. His method is still in use today. There is movie about his life: Je Compte sur Vous

- BEC attackers rely heavily on social engineering tactics: attackers carefully research and closely monitor their potential target victims and their organizations - Often, they impersonate CEO or any executive authorized to do wire transfers - Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others

Impersonation example: man-in-the-middle The attacker sends an email to both ends with similar addresses but not quite the same. The text is "send further communications to..." or the "reply-to address is changed. i.e Corporate or publicly available email accounts of employees related to finance are either spoofed or compromised Objective: get an "email thread" where the other party is not involved Beware: The attacker may impersonate several people: several accounts in CC, from several people...

Question: this only work in a very precise moment: near the end of the service, when billing is about to be exchanged and trust is already built between the two parties. How does the attacker now about the perfect moment? - Infiltration - Luck - Assistance from an insider - Patience If the attacker infiltrates the infrastructure, most probably, all real emails between the two parties are going to "disappear". Check for automatic mail rules!. Beware: the compromised infrastructure maybe the victim's infrastructure or the other end of the communication!

Most communications are transparently passed fro on channel to the other: you won't find anything strange in the communication apart from the fake address The attacker intervenes when billing information is exchanged: in this moment, he/she presents her/his bank account

This is another type of this fraud. In this case, all mails are fake. There is no need to compromise the infrastructure. Acting skills are required.

When an attacker access an account, he forwards emails to his own account. He is not interested only in past emails, also in future emails: when a deal is going to be closed, is there any additional email thread I must be aware... Most of the times, they even hide this emails. His objective is that the victim won't receive any email from the other side, he is going to control all emails.

BlueLiv is a company from Barcelona specialized in Threat Intelligence. If I'm not mistaken, they have open positions for students

Ideally, we should be able to protect emails from one side to the other. Since PGP is not well implemented out of companies, the current solution is protecting an email when they travel between servers, and trust in the authentication methods used by the servers to protect the final link to the users Process to send an email: 1. a user sends the email to the mail server controlled by his company 2. the sender email sender sends the email to the receiver server. Here, it is possible to have several "jumps" between different servers due to aliases, groups or forwards. 3. The receiver server sends the email to the final recipients Three tecnologies protect the communications between servers: SPF, DKIM and DMARC Image source: > https://statics.esputnik.com/photos/shares/Blog/images/AMP/image4.png

Warning: since emails without SPF/DKIM are going to be classified as spam or suspicious, the sender could request whitelisting them in your email system Do not whitelist emails "from mycompany.com" if mycompany.com has not configured SPF!!. No SPF means anyone can send emails "from mycompany.com" and you cannot distinguish good from bad emails

- Los malos pueden configurar también sus servidores - estos mecanismos no te protegerán contra direcciones "parecidas" - SPF y DKIM solo autentican desde el servidor. ¿Quién estaba realmente escribiendo el mensaje? - Si el atacante ha conseguido crear cuentas: b0ss@company.com también pasará el DKIM de company.com - Si el atacante ha conseguido las credenciales de boss@company.com pasará el DKIM de company.com