Read more about our BEC Case Study
In the realm of cybersecurity, one of the most pressing issues is Business Email Compromise (BEC). This blog delves into a specific case study of BEC, highlighting the methods used by cybercriminals and the steps taken to mitigate such attacks.
The Attack and Initial Compromise
The case began with a targeted phishing email, which led to the compromise of a business email account. The attackers didn’t immediately exploit their access but instead engaged in reconnaissance. They monitored the compromised account to understand its operations, particularly focusing on financial transactions.
The Reconnaissance Phase
During this phase, the attackers observed incoming and outgoing payments. They aimed to identify large transactions or those with less stringent security measures. By understanding the timing and nature of these transactions, the attackers positioned themselves to intercept significant amounts of money.
The Execution of the Attack
After weeks of monitoring, the attackers acted. They manipulated the email account to send payment instructions to a customer, redirecting funds to their own account. This action took place over a five-day window, during which the compromised account was actively used by the attackers without detection.
Detection and Response
Upon realizing the compromise, the business immediately contacted their IT department. A systematic procedure was followed to assess and confirm the compromise. The compromised account was disabled, active sessions were revoked, and multi-factor authentication (MFA) settings were reset.
The Role of Multi-Factor Authentication
While MFA is a crucial security measure, it is not infallible. Attackers can exploit MFA tokens if users are not vigilant. For instance, tokens stored in browsers can be stolen if users fall for phishing attacks. Continuous MFA prompts can also lead to accidental approvals, especially if users are fatigued or distracted.
Legal and Forensic Considerations
When an account is compromised, it’s vital to involve legal and forensic experts. Reporting the incident to authorities and ensuring evidence is collected properly is crucial. In Canada, the Canadian Anti-Fraud Center serves as a central hub for reporting such crimes, streamlining the process compared to previous methods of reporting to local RCMP detachments.
Lessons Learned
- Be Vigilant: Always be cautious about where you enter your login credentials. If you are asked to log in multiple times a day, it’s likely something is wrong.
- Immediate Action: Upon detecting a compromise, immediately disable the compromised account and revoke all active sessions.
- Use MFA Wisely: While MFA adds a layer of security, it is not foolproof. Be aware of potential vulnerabilities and educate users on how to handle MFA prompts.
- Legal Reporting: Report compromises to appropriate authorities to ensure proper investigation and support.
Conclusion
Business Email Compromise is a significant threat, but with vigilance and proper procedures, its impact can be mitigated. In this case, the affected business was fortunate to recover the stolen funds, highlighting the importance of swift and effective response measures.
Understanding and discussing these incidents helps in raising awareness and strengthening defenses against future attacks. Stay informed, stay prepared, and always prioritize cybersecurity.