Phishing Phriday Episode #22 – Business Email Compromise: A Case Study

In the realm of cybersecurity, one of the most pressing issues is Business Email Compromise (BEC). This blog delves into a specific case study of BEC, highlighting the methods used by cybercriminals and the steps taken to mitigate such attacks.

The Attack and Initial Compromise

The case began with a targeted phishing email, which led to the compromise of a business email account. The attackers didn’t immediately exploit their access but instead engaged in reconnaissance. They monitored the compromised account to understand its operations, particularly focusing on financial transactions.

The Reconnaissance Phase

During this phase, the attackers observed incoming and outgoing payments. They aimed to identify large transactions or those with less stringent security measures. By understanding the timing and nature of these transactions, the attackers positioned themselves to intercept significant amounts of money.

The Execution of the Attack

After weeks of monitoring, the attackers acted. They manipulated the email account to send payment instructions to a customer, redirecting funds to their own account. This action took place over a five-day window, during which the compromised account was actively used by the attackers without detection.

Detection and Response

Upon realizing the compromise, the business immediately contacted their IT department. A systematic procedure was followed to assess and confirm the compromise. The compromised account was disabled, active sessions were revoked, and multi-factor authentication (MFA) settings were reset.

The Role of Multi-Factor Authentication

While MFA is a crucial security measure, it is not infallible. Attackers can abuse MFA tokens if users are not vigilant. For instance, tokens stored in browsers can be stolen when users fall for phishing attacks. Repeated MFA prompts can also lead to accidental approvals, especially when users are fatigued or distracted.

Legal and Forensic Considerations

When an account is compromised, it’s vital to involve legal and forensic experts. Reporting the incident to the authorities and ensuring that evidence is collected properly are both crucial. In Canada, the Canadian Anti-Fraud Centre serves as a central hub for reporting such crimes, streamlining the process compared to the previous practice of reporting to local RCMP detachments.
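The containment steps described under Detection and Response, ordered so that evidence is preserved before the account is touched, as an added example that is not part of the original post. It assumes the business runs Microsoft 365 / Entra ID administered with the Microsoft Graph PowerShell SDK; the account name and evidence folder are placeholders.

```powershell
# Added example (not from the original post): contain a compromised account and
# preserve evidence first. Assumes Microsoft 365 / Entra ID and the Microsoft
# Graph PowerShell SDK. The account name below is a constructed placeholder.
param(
    [string]$Upn = 'compromised.user@example.com',   # placeholder, replace
    [string]$EvidenceDir = ".\evidence-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'AuditLog.Read.All' | Out-Null

# 1. Preserve evidence before changing anything: export the last 30 days of
#    sign-ins for the account. Investigators and police want the original records.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    ConvertTo-Json -Depth 10 |
    Set-Content -Path (Join-Path $EvidenceDir 'signins.json')

# 2. Disable the account so no new sign-in (including from a fresh phish) succeeds.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 3. Revoke refresh tokens so existing sessions, including stolen browser tokens,
#    stop working now instead of living on until they expire.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Reset MFA by removing every registered method except the password, so an
#    attacker-added authenticator or phone number cannot approve prompts later.
$methods = Get-MgUserAuthenticationMethod -UserId $Upn
foreach ($m in $methods) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $m.Id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $m.Id }
        # passwordAuthenticationMethod is left in place; the password is reset separately.
    }
}
Write-Host "Containment done for $Upn; evidence saved under $EvidenceDir"
```

The user must re-register MFA before the account is re-enabled, and the exported sign-in log should be handed to the forensic team unmodified.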

Lessons Learned

  1. Be Vigilant: Always be cautious about where you enter your login credentials. If you are asked to log in multiple times a day, it’s likely something is wrong.
  2. Immediate Action: Upon detecting a compromise, immediately disable the compromised account and revoke all active sessions.
  3. Use MFA Wisely: While MFA adds a layer of security, it is not foolproof. Be aware of potential vulnerabilities and educate users on how to handle MFA prompts.
  4. Legal Reporting: Report compromises to appropriate authorities to ensure proper investigation and support.

Conclusion

Business Email Compromise is a significant threat, but with vigilance and proper procedures, its impact can be mitigated. In this case, the affected business was fortunate to recover the stolen funds, highlighting the importance of swift and effective response measures.

Understanding and discussing these incidents helps in raising awareness and strengthening defenses against future attacks. Stay informed, stay prepared, and always prioritize cybersecurity.
