Fri, Feb 1, 2019
Kroll identified 25 business email compromise (BEC) incidents via its cyber intake process during the month of January 2019. Among the BEC incidents that Kroll reviewed, representative attacks led to unauthorized changes to direct deposit information, unauthorized mail forwarding and fraudulent wire transfers of up to $5 million.
BEC incidents most commonly involved an actor compromising an Office 365 Outlook account. For example, Kroll reviewed an incident where a human resources employee complained to her payroll department that her banking information had been changed. Payroll investigated and found an email record from the employee requesting the change. Upon further investigation, the company discovered unauthorized logins to the employee’s Office 365 account from an external IP address. A malicious actor had likely obtained her Office 365 credentials and was able to use her email account to request a change in banking information.
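The investigative step in the case above (finding logins from an unfamiliar external IP address, then tying them to the mailbox activity that followed) is usually done over the Office 365 unified audit log. The script below is an added example, not Kroll's tooling or anything from the original article: it triages exported audit records for the two indicators the newsletter mentions, successful logins from outside the organisation's known egress ranges and inbox rules or mailbox settings that forward mail externally, and correlates them by source IP. The records, the trusted network range and the field names are constructed to approximate the exported AuditData schema; a real export should be checked against Microsoft's schema documentation before reuse.

```python
"""Triage exported Office 365 unified audit log records for BEC indicators.

Added example. Assumptions (not from the article): records are dicts shaped
like the AuditData JSON exported by Search-UnifiedAuditLog or the compliance
portal, and the organisation's known egress ranges are supplied as CIDRs.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records modelled on the unified audit log schema.
# IP addresses are RFC 5737 documentation ranges, not real attacker infrastructure.
SAMPLE_RECORDS = [
    {"CreationTime": "2019-01-14T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "hr.employee@example.com", "ClientIP": "203.0.113.10",
     "ResultStatus": "Success"},
    {"CreationTime": "2019-01-15T02:41:07", "Operation": "UserLoggedIn",
     "UserId": "hr.employee@example.com", "ClientIP": "198.51.100.77",
     "ResultStatus": "Success"},
    {"CreationTime": "2019-01-15T02:43:30", "Operation": "New-InboxRule",
     "UserId": "hr.employee@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "payroll;bank;direct deposit"},
         {"Name": "ForwardTo", "Value": "payroll-updates@attacker.example"},
         {"Name": "DeleteMessage", "Value": "True"},
     ]},
    {"CreationTime": "2019-01-15T02:45:02", "Operation": "Set-Mailbox",
     "UserId": "hr.employee@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:payroll-updates@attacker.example"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"},
     ]},
    {"CreationTime": "2019-01-15T09:10:45", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.22",
     "ResultStatus": "Success"},
]

# Constructed: the organisation's known office egress range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Cmdlet parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _params(record):
    """Flatten the Parameters list of an Exchange admin audit record to a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_logins(records, trusted_networks=TRUSTED_NETWORKS):
    """Return (user, ip, time) for successful logins from outside trusted ranges."""
    hits = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn" or r.get("ResultStatus") != "Success":
            continue
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in net for net in trusted_networks):
            hits.append((r["UserId"], r["ClientIP"], r["CreationTime"]))
    return hits


def forwarding_changes(records):
    """Return inbox rule or mailbox changes that forward or redirect mail."""
    hits = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        p = _params(r)
        targets = {k: v for k, v in p.items() if k in FORWARDING_PARAMS}
        if targets:
            hits.append({"user": r["UserId"], "ip": r["ClientIP"], "op": r["Operation"],
                         "targets": targets,
                         # Rules that also delete the message hide the attacker's correspondence.
                         "deletes": p.get("DeleteMessage") == "True"})
    return hits


def correlate(records, trusted_networks=TRUSTED_NETWORKS):
    """Users whose forwarding change came from an IP that also logged in externally."""
    login_ips = defaultdict(set)
    for user, ip, _ in external_logins(records, trusted_networks):
        login_ips[user].add(ip)
    return sorted({h["user"] for h in forwarding_changes(records)
                   if h["ip"] in login_ips[h["user"]]})


if __name__ == "__main__":
    for h in external_logins(SAMPLE_RECORDS):
        print("external login:", h)
    for h in forwarding_changes(SAMPLE_RECORDS):
        print("forwarding change:", h)
    print("likely compromised:", correlate(SAMPLE_RECORDS))
```

On the constructed data the script flags the one login from outside the trusted range, the inbox rule that forwards and deletes payroll-related mail, the mailbox-level SMTP forward, and correlates all three to the HR employee's account. In a real investigation the trusted ranges should come from the organisation's egress inventory, and a login from an unknown IP is a lead rather than proof, since staff travel and home connections will appear there too.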
Corporate executives are under particular assault by BEC attackers. Managing Director Jonathan Fairtlough explains, “Criminals are focusing their efforts on executives not only because of their access to high-value data, but also their reach throughout the entire enterprise. Companies should back up executive training with technology that provides early detection of problems to reduce the opportunity for lateral movement once a hacker breaches their systems.”
Jonathan continues: “While senior executive accounts are commonly targeted, it is important to note that any employee routinely accessing customer account data or treasury functions is at risk.”
BEC attacks also continue to be highly lucrative for cybercriminals in the form of wire transfer fraud. According to the FBI, in 2018 nearly 21,000 victims lost close to $1.3 billion. “Wire fraud highlights a persistent security weakness — our human nature. In the cases we’ve seen, when employees receive requests from senior executives, the motivation to assist the person higher in rank outweighs the need to stop and validate that the request is legitimate,” says Peter McFarlane, Managing Director and Toronto Office Head.
According to Peter, tone from the top is critical for combating this crime: “A company’s most senior managers need to make it absolutely clear to everyone involved in approving wire transfers that no one, no matter their rank, can override policies or proper procedures.”
The growing adoption of Microsoft Office 365 requires specialist skills in securing and/or investigating the environment in the event of BEC and insider threats. Check out these Kroll resources for insights to help you better meet the challenges ahead:
A Planned Methodology for Forensically Sound IR in Office 365. First presented at SANS DFIR Summit 2018, this talk by Managing Director Devon Ackerman discusses numerous forensic, incident response and evidentiary aspects of Office 365. Based on two years of forensics and incident response data collection in Microsoft’s Office 365 and Azure environment, it also encompasses more than a hundred Office 365 investigations, primarily BEC and insider threat cases.
Penetration Testing for Active Directory Forests: Exploring Trust Relationships. Active Directory (AD) is critical software for most organizations in that it serves as the single centralized point for authentication and for controlling access to all critical resources within an organization. As Kroll’s security penetration testing lead Carlos Garcia discusses in this article, compromise of just one domain admin account in the AD forest could give an attacker unrestricted access to all resources managed by all domains: users, servers, workstations and data. Slides are available with the article.
As these recent Kroll cases demonstrate, BEC incidents are not going away and warrant ongoing vigilance.
Following are some insights from Kroll experts on how to prevent or mitigate the harms from business email compromise.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts.