Experts Warn of $15m Global BEC Campaign

Security experts have discovered a major new Business Email Compromise (BEC) campaign that has already stolen over $15 million from a possible 150 organizations.



Israeli incident response specialist Mitiga was first called in after a multimillion-dollar transaction went awry, according to head of research, Andrey Shomer.



It appears that a cyber-criminal was monitoring email communications between a corporate buyer and seller, and at the last minute, stepped in to impersonate the seller, sending over new wire payment instructions.



“Upon investigation, Mitiga’s incident response team identified rogue domains through which the threat actor’s emails were sent. These domains were similar to the buyer’s and seller’s own domains, but with minor changes which were difficult to notice. For example, if the original domain was ‘buyer.com,’ the rogue domain was ‘buyerr.com’,” Shomer explained.
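A defender can screen inbound mail for this kind of near-miss domain. The following is an added example, not code from Mitiga or the original article: it flags sender domains within a small edit distance of a trusted partner domain, and it goes slightly beyond the 'buyerr.com' case by also catching swapped adjacent letters. The trusted list, the threshold of 2 and the sample headers are constructed assumptions.

```python
import email.utils


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "seller" -> "selelr".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(from_header):
    """Lower-cased domain part of a From header ('' if it has none)."""
    address = email.utils.parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")


def find_lookalikes(from_headers, trusted, max_distance=2):
    """Return (sender_domain, trusted_domain, distance) for near-miss senders."""
    hits, seen = [], set()
    for header in from_headers:
        domain = sender_domain(header)
        if not domain or domain in trusted or domain in seen:
            continue  # exact matches are the real partner, not a lookalike
        seen.add(domain)
        nearest = min(sorted(trusted), key=lambda t: osa_distance(domain, t))
        distance = osa_distance(domain, nearest)
        if distance <= max_distance:
            hits.append((domain, nearest, distance))
    return hits


# Constructed sample data (hypothetical partner list and From headers).
TRUSTED = {"buyer.com", "seller.com"}
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@buyer.com>",
    "Accounts Payable <ap@buyerr.com>",
    "Sales <sales@selelr.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for domain, real, dist in find_lookalikes(SAMPLE_FROM_HEADERS, TRUSTED):
        print(f"lookalike: {domain} resembles {real} (distance {dist})")
```

This check compares ASCII domain strings only; homoglyph and internationalized-domain lookalikes need separate handling.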



“All the malicious domains utilized in this BEC attack were registered through a GoDaddy-owned domain registrar called Wild West Domains.”



The attackers linked Office 365 email accounts to these domains to add legitimacy to their communications and fly under the radar of email security filters.



They achieved an initial foothold into a victim organization by sending phishing emails to senior executives. Once an account was hijacked, they would set up a forwarding rule to automatically send any emails to their own accounts.



“This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided,” said Shomer.



“The threat actor then used filtering rules to di ..
