A new investigation by Check Point’s Incident Response Team (CPIRT) demonstrates how brazen cybercriminals are and the lengths they will go to in order to see their scam succeed.
Cybercriminals were able to divert well over $1 million in funds from a PE firm back in December, according to a newly released CPIRT report. This CEO fraud attack involved the targeting of specific firms, extensive intelligence gathering, the use of malicious mailbox rules, lookalike domains, impersonation, and either intercepting existing wire transfers or initiating new ones.
Here’s how the scam works:
- Target the CEO or CFO of a PE firm with malware designed to take over their machine
- Watch the email conversations, looking for opportunities to misdirect wire transfers
- Divert inbound emails related to pending wire transfer transactions to an attacker-used mailbox folder
- Set up a lookalike domain impersonating the PE firm
- Send emails from the lookalike domain, impersonating those involved with the wire transfer, to the PE firm, taking over the email thread without the PE firm realizing it (think cut and paste of the existing thread, including the participants from the other firm, with the lookalike domain as the From address; all replies now go to the attacker rather than the other PE firm)
- Continue to reroute inbound emails from the other firm, so that none of its legitimate communications reach the victim
- Commit wire fraud by providing new banking details to an existing (but pending) wire transfer
The scammers also looked through countless emails between the compromised mailbox and the firm's bank, identifying contacts at the bank to whom they then sent new wire requests.
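Two of the techniques above, the diversion inbox rules and the lookalike domain, are the ones a defender can hunt for directly. The following is an added example (not code from the Check Point report): it triages inbox-rule records shaped like the fields Exchange Online's `Get-InboxRule` returns, flagging rules that key on finance words, park mail in seldom-read folders, delete it, or forward it outside the tenant, and it checks whether a sender domain is a near-match of a trusted partner's. The rule records, names and domains are all constructed.

```python
"""Triage Microsoft 365 inbox rules and sender domains for the diversion
tricks used in this scam. Added example, not from the Check Point report;
rule fields mimic Exchange Online's Get-InboxRule output and all names and
domains are constructed."""
from difflib import SequenceMatcher

FINANCE_WORDS = {"wire", "payment", "invoice", "bank", "transfer", "swift"}
# Folders users rarely open, so diverted mail sits there unnoticed.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "archive", "junk email", "conversation history"}

def rule_findings(rule, internal_domain):
    """Return the reasons one inbox rule looks like BEC mail diversion."""
    reasons = []
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    if words & FINANCE_WORDS:
        reasons.append("finance keywords: " + ", ".join(sorted(words & FINANCE_WORDS)))
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to seldom-read folder " + rule["MoveToFolder"])
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    for addr in rule.get("ForwardTo", []):
        if not addr.lower().endswith("@" + internal_domain.lower()):
            reasons.append("forwards outside the tenant to " + addr)
    return reasons

def triage(rules, internal_domain):
    """Map rule name -> findings for every rule that raised at least one."""
    return {r["Name"]: f for r in rules
            if (f := rule_findings(r, internal_domain))}

def is_lookalike(sender_domain, trusted_domain, threshold=0.8):
    """True when a sender domain nearly, but not exactly, matches a partner's."""
    a, b = sender_domain.lower(), trusted_domain.lower()
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold

# Constructed sample: one benign rule and two of the kind seen in BEC cases.
SAMPLE_RULES = [
    {"Name": "Newsletters", "SubjectOrBodyContainsWords": ["unsubscribe"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "SubjectOrBodyContainsWords": ["wire", "bank"],
     "MoveToFolder": "RSS Subscriptions"},
    {"Name": "Backup", "ForwardTo": ["cfo.copy@mail-archive.example"],
     "DeleteMessage": True},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_RULES, "acme-capital.example").items():
        print(f"rule {name!r}: {'; '.join(why)}")
    print(is_lookalike("acme-capitaI.example", "acme-capital.example"))
```

The similarity check is deliberately simple; in practice, pair it with a confusables (homoglyph) table and an allow-list of the partner domains you actually transact with.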
In all, the PE firm was scammed out of $1.2 million, with only about half of the money being recovered.
So, what can organizations learn from this kind of scam?
There are a few best practices to put into place that could have prevented this scam:
- Use Security Awareness Training to teach users how to spot malicious emails, impersonated logon pages, and suspicious content. This attack started with a simple email impersonating Microsoft 365 that led the PE firm employee to enter their credentials on a spoofed website. Training would also teach users to recognize when they are being socially engineered by an attacker impersonating a company with which they do business.
- Use two-factor authentication with Microsoft 365 (formerly Office 365) to ensure only the mailbox owner has access. While we have seen Microsoft's two-factor authentication broken by some sophisticated attackers, gaining initial access doesn't provide ongoing access when two-factor authentication is enabled.
- Put a policy in place that requires verification of email-based wire requests via another medium. Phone is a good choice, provided the call is made immediately and to a number established well before the request (as scammers have begun to use deepfake audio). This applies both to changes to inbound wires and to any outbound wire requests.