Business Email Compromise

Juan Vera del Campo - juanvvc@gmail.com

Contents

  1. Business Email Compromise (BEC)
  2. Types of Business Email Compromise (BEC)
  3. Investigating a BEC
  4. Prevention
  5. References

Business Email Compromise (BEC)

  • You work for the finance department of a big company (100MM EUR)
  • Your job involves transferring large amounts of money
  • One day, you receive a phone call from an attorney
  • You can google her name, she is involved in very important international operations
  • She knows what she is talking about
  • "Your company is in the middle of an urgent and confidential operation. We need your help. Your CEO will contact you, please check the email"

Dear employeer,

We are in the middle of a very important finantial operation to acquire one of our competitors. It is of the upmost importance that this operation remains confidential until it can be safely announced.

I will be busy with the details. Please, get in touch with important-lawyer (in copy of this email). Keep me in the email loop.

I hope you undestand the confidentiality and urgency of this operation.

Your boss

  • The important lawyer sends you a document, which includes a transfer order for 4M€
  • The order is signed by your boss
  • You transfer the money
  • ...
  • A couple of days later, your boss calls you about a unauthorized money transfer you made to some unregistered location

Do you believe you would never fall for this?

Most of them are covered up by the companies and never hit the news

center

https://abnormalsecurity.com/blog/bec-vec-attacks

center

If you work for a large company, you are receiving BEC attacks

https://abnormalsecurity.com/blog/bec-vec-attacks

center

https://fr.wikipedia.org/wiki/Gilbert_Chikli
https://www.dw.com/en/france-fraudsters-sentenced-over-bizarre-impersonation-scam/a-52729296
https://mashable.com/article/gilbert-chikli-scam

Types of Business Email Compromise (BEC)

  • The Bogus Invoice Scheme: attackers pretend to be suppliers requesting payments to an account owned by fraudsters
  • CEO Fraud: Attackers pose as the company CEO or any executive, requesting them to "urgent and silently" transfer money to the account they control
  • Account Compromise: An executive or employee's email account is hacked and used to request invoice payments to vendors listed in their email contacts
  • Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters
  • Pay-roll fraud: Attackers pretend to be an employee that just changed the bank account, and request the next payroll payment to be done in the new bank account

https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)

BEC process

  • The attacker impersonates a party sending a series of spoofed emails
    • Usually implies previous compromise to gain intelligence
  • The first email may be from a legit email address
    • ... but not necessarily a legit email server
  • Reply-to is changed
  • Addresses similar to real ones to distinguish themselves:
    • worker@bigconnpany.com instead of worker@bigcompany.com
    • worker@bigcompany.us instead of worker@bigcompany.com
    • goodworker@bigcompany.com instead of good.worker@bigcompany.com

Mail in the middle

center

center

CEO Fraud

center

The CEO needs something from me!

  • "I need help, fast and in confidence"
  • "You’ll be contacted by an attorney/an important partner"
  • "I can’t be contacted ATM"

Some acting is usually involved. Someone might call you!

Other examples: https://www.tessian.com/blog/covid-19-real-life-examples-of-opportunistic-phishing-emails-2/

Sextorsion

center

  • These fake extortions may include personal information collected from public sources!
  • The sender could be your own account to "prove" it was hacked

Investigating a BEC

Something happened!

  • The investigation usually starts with little knowledge: "I suspect we have been victim of fraud! The money just disappeared!"
  • You identify a probable BEC by running questions. Then, you review logs

center

Objectives of the investigation

  • Are we compromised, or was it the other side of the communications?
  • When did the intrusion begin?
  • For how long did the threat actor maintain access?
  • What did the threat actor learned?
  • Is the actor still inside?
  • Is someone internal involved?
  • How to prevent future attacks?
  • Insurance: who is at fault?

These are only an introduction for this presentation. Check: https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/PwC-Business_Email_Compromise-Guide.pdf

Opportunistic attacks

The attackers know exactly when to attack. They know...

  • which person they have to contact
  • When the CEO is away the office and cannot be reached
  • The precise moment they have to change bank accounts
  • All the partied involved

How did the attacker send the first email?

How did the attacker know it was the right moment?

A BEC attack usually begins as a phishing attack, and inboxes are controlled since long before the detection

Entry points for attackers:

  • Phishing emails to get credentials
  • 2FA attacks / social engineering
  • Old protocols that do not support 2FA
  • InfoStealers (virus)
  • Direct modification of emails!
  • Internal help!

Identifying inbox compromise

  • Check for unexpected rules:
    • Rules to forward emails to another account
    • Rules to move emails out of the inbox
    • Rules to delete emails
  • Identifying suspicious login activity
  • Permission changes on existing or newly created accounts
  • Assessing which emails or data has been accessed and/or ex-filtrated is critical for determining the impact on an organization
  • Threat intelligence is an important part of the investigative process

Control of the inbox

Email Collection : https://attack.mitre.org/techniques/T1114/

  1. Identify accounts that could have been under the control of the attackers
  2. Identify time period of the compromise
  3. Any automatic rules: forward, move...
  4. Authentication from unusual places
  5. Is 2FA activated? Even with 2FA: is legacy authentication activated?
  6. Was the device (not the account) compromised?

Where are the logs?

  • On-premises: Exchange, dovecot...
  • "In the cloud": Google Workspace, Microsoft 365... they usually have audit logs and litigation modes. Warning: they cost extra and they must be activated BEFORE the incident

https://answers.microsoft.com/en-us/msoffice/forum/all/office-365-admin-portal-logs/70ca8227-0c69-408f-a2c3-e2c8a8cadfb5

Fake documents

Attackers may use fake documents to "prove" their claims

  • Old invoices, modified with fake data
  • "Digitally/Hand signed documents", that are actually not signed
  • Fake "Bank certificates"

Prevention

Best prevention: awareness!

  • Train your users to identify BEC attacks, specially HR and finance
  • Set up a process to validate changes of bank account for suppliers/clients/employees
    • Request (and check!) official documents
    • Validate a request with a trusted contact
  • Tell your bank to check the identity of international money transfers

External confirmation

You can check the reputation of a domain in several sites:

Warning: the response from these services is just a suggestion!

Threat intelligence

https://en.wikipedia.org/wiki/Cyber_threat_intelligence

  • Learn about attacks before they happen
  • Identify the registration of domains similar to your name: McDonals, ChinaExpor...
  • Identify leaked passwords

center

Signing / encrypting emails: PGP

Your contacts send their public keys to you manually. All communications from a contact must be signed using one of the accepted keys.

The perfect solution: sender signs the email, the receiver only accept emails from trusted parties

Bad news: PGP is rarely used in real life!

https://docs.deistercloud.com/mediaContent/Axional development libraries.20/Server side javascript.50/AX Library.10/crypt/media/PGP.png

center

Tools: Mailvelope, Flowcrypt, KPGP...

Protecting the channel, not the emails

Protecting emails end-to-end is not going to happen in the near future

Current solution: protecting emails in the middle

center

SPF

Sender: the DNS includes the list of IP addresses of email servers allowed to send emails "from" the domain

Receiver: check if the IP of the server that sent an email is authorized

Short Primer on SPF, DKIM, and DMARC
SPF Records For ClickDimensions

> dig universidadviu.TXT
...
universidadviu.com. TXT "v=spf1 mx ip4:5.57.227.88 include:spf.planeta.es include:_spf.explore-blue.com ~all"
...
  • Emails from universidadviu.com can be send from IP 5.57.227.88 and whatever is configured in spf.planeta.es or _spf.explore-blue.com
  • If you receive an email NOT from these IPs:
    • ~all means soft fail and -all means hard fail. Your email client might show warnings for soft fail and classify the email as spam for hard fails.
    • +all means allow all mail to pass and ?all means neutral. Not recommended, equivalent to not having SPF

Notice SPF tells receivers what to do. SPF won't protect you, but your receivers

Email protection: DomainKeys Identified Mail (DKIM)

The receiving server checks the digital signature of the sending server

Your server (not you!) authenticates the content received from the sending server, not the sending user!

i.e.: your email provider authenticates than an email sent from someone@gmail.com was not modified since it left gmail.com

Fuente: https://dmarcian.es/what-is-dkim/
RFC 6376: DomainKeys Identified Mail (DKIM) Signatures September 2011

Received mails have an additional header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blackboard.com;
 s=sep2018; t=1670602715; bh=cS05YrQmiEH2S8VAGWK3wheZ287IPz+hfGXR1TsDY70=;
  h=Date:From:Subject:Reply-To; 
  b=gGHlf9eKK51Zw09JP98lOUgODgF61ZF7juJKDLjWLBxDDndvM8QMe4122XUO2wKgC
    4SkqQkabmXk66gUsKIge9Z2pjnabs9klfTgZcCT13wxAUsIQur4SIJ+8f3a1sBnGTT
    (...)
    6miGagayTXZANUbsdmtYtoPmxxdAuoOHiClnoXrdxhBFED8VrnhH8dMjd3ADZ1LaOA
    LVRFXW1djkSrg==
  • d: domain: blackboard.com
  • s: selector sep2018
  • h: headers fields: Date:From:Subject:Reply-To;
  • bh: body hash
  • b: Base64(E_{RSA}(hash(Date:From:Subject:Reply-To:bh), DKIM_{key}))

Verification process

  • Get the body content, run canocalization algorithm c, calculate the hash value (bh). Check.
  • Concatenate the headers in h and the dkim header (removing b but not bh)
  • Download the server's public key from DNS using d and s (next slide)
  • Validate the digital signature

Digital signature:

> dig blackboard.com TXT
...
blackboard.com.		28800	IN	TXT	"v=spf1 include:
_netblocks.blackboard.com ...

> dig spf.blackboardconnect.com TXT
...
spf.blackboardconnect.com. 1800	IN	TXT	"v=spf1
ip4:34.215.79.96
ip4:34.213.216.156
...
DNS Record - sep2018._domainkey.blackboard.com
Selector - sep2018
Domain - blackboard.com 

20210112.estudiantat-upc-edu.20210112.gappssmtp.com. 3600 IN TXT
v=DKIM1;k=rsa;g=*;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvs5qVO9zW6c
82vTZNGUA9YYZKfoxtSXGdG/+QEHe0Kg9D0wIuHobngn/+NmvYSmZ2KtdnQssTF93MhXBlQ8jX3
mjndj0tIaW6Snsm0+q68sJdzA7NtJBr4ljcEQRjq3jI6RQUrhs9gJ1DaKtws3SXMR8M72pQIbku
c5vkMxPCU5GPTj6TW9QweD/dZclLZ3o2AlcgONifoQY/7x2fV5GE9r55+xGB2m8yXKGeOybEkOA
G9goPDp4/XQVPHfX6+Icv/OflXQ+mAuzutgyeWAe0NvYaO6NiN0I2MkcgXACsuOVwCnLs9lPkWb
G9grZUEVz4wsJquAXgNQkse3eCpadIQIDAQAB

https://www.dmarcanalyzer.com/dkim/dkim-checker/
https://www.metaspike.com/leveraging-dkim-email-forensics/

X-Google-DKIM: DomainKeys Identified Mail

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=s7gErmNKwESPKSP6VW9kvRoEY/oQ8b6V1OFgRMqAjtU=;
        b=lB+wgPGej/d1HNLxj7oP1L9Mi56hwji5GA3hLrVYCRKohiAs3L7uI6fEq7sp7wBXKm
         9mOGnbIrSXMeOfOa/YnAnJgsmall/4x6U5gvVtoisigFMR/bGxoPQRO6LUqvunBhR3il6f+OX
         ZRJIsZsvigsesD1vZcarlVr5D0QL2Cw2l1o1T6zVNH3Z8cmZNTCpfzmD3YmVCm+Cgdz9
         RQgX/iL12TxzzOmx+8yInGYnL9ZyaNY6Wsbi7LOBp7kRNLWrMKVtUlwuS2WSzQ5Jvwkm
         0SZ90S524hBquiF8WAzsmallJI95AD/L5fr69sjaN/wM6pk8l6fTapm8+K6TsMPYrEhHtRFZ2
         vLYQ==

Google uses another DKIM signature that uses other headers. This is probably a signature to be used only inside Google. Still, it is a valid DKIM signature.

https://mailarchive.ietf.org/arch/msg/apps-discuss/_blROpC5GpEPk96nBqKoNUaO5rg/

Domain-based Message Authentication, Reporting & Conformance

center

  • An email authentication, policy, and reporting protocol
  • It builds on the widely deployed SPF and DKIM protocols
  • With DMARC you can tell the world how to handle the unauthorized use of your email domains by instituting a policy in your DNS
    • p=none: monitors your email traffic. No further actions are taken.
    • p=quarantine: sends unauthorized emails to the spam folder.
    • p=reject: unauthorized email doesn’t get delivered at all.

https://dmarc.org/

center

https://www.agari.com/blog/pros-cons-dmarc-reject-vs-quarantine

Email authentication: summary

Technology Use If not configured...
SPF Check if the IP is authorized to send an email from the domain Anyone in the Internet can send an email "from" mycompany.com
DKIM Digital signature of emails sent from a domain Anyone in the middle could change emails sent from mycompany.com
DMARC Inform receivers about the recommended actions Receivers "don't know what to do" if a email from mycompany.com doesn't pass SPF or DKIM
- - Emails from mydomain.com are going to be classified as "spam" or "suspicious" automatically

List of authorized IPs, public key and policies are announced in the domain's DNS entry

The bad news...

  • PGP is rarely used in real life
  • Not all companies implement SPF or DKIM, but this is changing fast
  • These mechanisms do not protect against an email sent from macdonalds.com: the attackers can configure SPF and DKIM too!
  • SPF and DKIM only authenticate from the sending server to the receiving server! These technologies do not detect if a legit account is compromised

Recommendations

  1. Admins
    • Enable 2FA, disable legacy login
    • Enable mailbox auditing
    • Regularly, check automatic rules
    • Train your users
  2. Users
    • Check the address of the other participant in the communication
    • Be careful if the address changes
    • Be careful if the language of the other participants change
    • Many email clients do alert when an address changes
    • Many email clients do alert if an Internet header is spoofed

References

Thanks!

background:

Gilbert Chickli is an international cyberattacker specialized in this kind of scam. He has a huge team and he was able to steal millions of euros. His method is still in use today. There is movie about his life: Je Compte sur Vous

- BEC attackers rely heavily on social engineering tactics: attackers carefully research and closely monitor their potential target victims and their organizations - Often, they impersonate CEO or any executive authorized to do wire transfers - Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others

Question: this only work in a very precise moment: near the end of the service, when billing is about to be exchanged and trust is already built between the two parties. How does the attacker now about the perfect moment? - Infiltration - Luck - Assistance from an insider - Patience If the attacker infiltrates the infrastructure, most probably, all real emails between the two parties are going to "disappear". Check for automatic mail rules!. Beware: the compromised infrastructure maybe the victim's infrastructure or the other end of the communication!

Impersonation example: man-in-the-middle The attacker sends an email to both ends with similar addresses but not quite the same. The text is "send further communications to..." or the "reply-to address is changed. i.e Corporate or publicly available email accounts of employees related to finance are either spoofed or compromised Objective: get an "email thread" where the other party is not involved Beware: The attacker may impersonate several people: several accounts in CC, from several people...

Most communications are transparently passed from one channel to the other: you won't find anything strange in the communication apart from the fake address The attacker intervenes when billing information is exchanged: in this moment, he/she presents her/his bank account

This is another type of this fraud. In this case, all mails are fake. There is no need to compromise the infrastructure. Acting skills are required.

backpground: https://www.pexels.com/photo/question-marks-on-paper-crafts-5428832/ Leeloo the first, free to use

When an attacker access an account, he forwards emails to his own account. He is not interested only in past emails, also in future emails: when a deal is going to be closed, is there any additional email thread I must be aware... Most of the times, they even hide this emails. His objective is that the victim won't receive any email from the other side, he is going to control all emails.

Notice: you MUST check digital signatures, is not not enough to see them: they can be a drawing!

BlueLiv is a company from Barcelona specialized in Threat Intelligence. If I'm not mistaken, they have open positions for students

This is an example of mailvelope, a commertial solution for Gmail

Ideally, we should be able to protect emails from one side to the other. Since PGP is not well implemented out of companies, the current solution is protecting an email when they travel between servers, and trust in the authentication methods used by the servers to protect the final link to the users Process to send an email: 1. a user sends the email to the mail server controlled by his company 2. the sender email sender sends the email to the receiver server. Here, it is possible to have several "jumps" between different servers due to aliases, groups or forwards. 3. The receiver server sends the email to the final recipients Three tecnologies protect the communications between servers: SPF, DKIM and DMARC Image source: > https://statics.esputnik.com/photos/shares/Blog/images/AMP/image4.png

Tool in the screen: mxtoolbox Command line: dig universidadviu.com TXT

"b" is the digital signature

Warning: since emails without SPF/DKIM are going to be classified as spam or suspicious, the sender could request whitelisting them in your email system Do not whitelist emails "from mycompany.com" if mycompany.com has not configured SPF!!. No SPF means anyone can send emails "from mycompany.com" and you cannot distinguish good from bad emails

- Los malos pueden configurar también sus servidores - estos mecanismos no te protegerán contra direcciones "parecidas" - SPF y DKIM solo autentican desde el servidor. ¿Quién estaba realmente escribiendo el mensaje? - Si el atacante ha conseguido crear cuentas: b0ss@company.com también pasará el DKIM de company.com - Si el atacante ha conseguido las credenciales de boss@company.com pasará el DKIM de company.com