
The Anatomy of a Large-Scale Email Scam: Insights and Implications from the Business Email Compromise Ecosystem

Cybercrime Researchers Unpack Massive Email Scam Targeting Dozens of Companies

Israeli cybersecurity firm Sygnia recently uncovered a massive business email compromise (BEC) campaign that potentially impacted dozens of organizations around the world. According to Sygnia's report, after compromising an employee's email account at one company, the attackers kept persistent access to it and used it to go after other targets, so the phishing emails spread in a worm-like fashion from one targeted company to others and among each targeted company's employees. All analyzed emails share the same structure, differing only in their title, the sender's account and company, and the attached link.
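Because the emails share one structure and vary only in title, sender and link, a mail gateway can fingerprint the body with those fields blanked out and flag any template that arrives from several unrelated sender domains. The sketch below is an added example, not code from Sygnia's report; the message fields, the threshold and the sample mail are assumptions constructed for illustration, and it presumes the sender's name and company have already been extracted from the display name or signature.

```python
import hashlib
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")

def template_fingerprint(body, sender_name, sender_company):
    """Hash the body after blanking the fields that varied between messages."""
    text = URL_RE.sub(" <url> ", body.lower())
    for varying in (sender_name, sender_company):
        if varying:
            text = text.replace(varying.lower(), " <sender> ")
    # Keep only words and placeholders so punctuation and digits do not matter.
    tokens = re.findall(r"<url>|<sender>|[a-z]+", text)
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()[:16]

def find_spreading_templates(messages, min_sender_domains=3):
    """Map fingerprint -> sorted sender domains, for templates seen from many orgs."""
    domains = defaultdict(set)
    for m in messages:
        fp = template_fingerprint(m["body"], m["sender_name"], m["sender_company"])
        domains[fp].add(m["from"].rsplit("@", 1)[-1].lower())
    return {fp: sorted(d) for fp, d in domains.items() if len(d) >= min_sender_domains}

# Constructed sample mail (hypothetical, not taken from the report).
TEMPLATE = "{n} from {c} shared a document with you. Open it here: {u}"
_ROWS = [  # (from, sender name, sender company, subject, link)
    ("dana@example.com", "Dana Reed", "Acme Ltd", "Q3 proposal", "https://share.example/acme-ltd/a1"),
    ("li@example.org", "Li Wei", "Globex Inc", "Invoice 8841", "https://share.example/globex-inc/b2"),
    ("omar@example.net", "Omar Haddad", "Initech LLC", "Signed contract", "https://share.example/initech/c3"),
]
SAMPLE = [{"from": f, "sender_name": n, "sender_company": c, "subject": s,
           "body": TEMPLATE.format(n=n, c=c, u=u)} for f, n, c, s, u in _ROWS]
# One unrelated internal message that must not be flagged.
SAMPLE.append({"from": "hr@example.com", "sender_name": "HR", "sender_company": "Acme Ltd",
               "subject": "Holiday schedule", "body": "The office is closed on Friday."})

if __name__ == "__main__":
    for fp, doms in find_spreading_templates(SAMPLE).items():
        print(f"template {fp} seen from {len(doms)} sender domains: {', '.join(doms)}")
```

A hit is a lead for review rather than a verdict, since legitimate file-sharing notifications also reuse one template across many senders.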

The Anatomy of the Email Scam and Insights Gained from the Investigation

The scam worked by sending the target company emails that claimed to share a document and linked to a file-sharing website with the name of a previously compromised legitimate company in the URL. Trying to view the document brought up a page showing that the contents were protected by Cloudflare, a tactic likely designed to prevent proactive analysis of where the site would lead. Getting past the Cloudflare wall led to a fraudulent Microsoft authentication site generated by a phishing kit and hosted on a domain with varying IP addresses. The investigation revealed over 170 domains and subdomains connected to the attacker’s infrastructure, and further analysis revealed nearly 100 malicious files communicating back to that infrastructure, some of which were related to the FormBook infostealer malware family.

The BEC campaign unearthed by Sygnia is one of many such scams that are costing victims billions of dollars annually. A recent FBI public service announcement revealed that BEC compromises were linked to more than $50 billion in actual and attempted losses across over 275,000 attacks between 2013 and 2022. The FBI estimate also indicated that between December 2021 and December 2022, identified actual and attempted losses worldwide increased by 17%. This BEC campaign follows a similar pattern, in which cybercriminals target companies and their employees to unleash malware and fraudulent activities that cause significant financial damage to the parties involved.

Editorial and Implications

The BEC campaign unearthed by Sygnia is yet another reminder of how cybercriminals continue to innovate, making it increasingly difficult for victims to detect their scams. Companies need to be more proactive in their cybersecurity measures, incorporating advanced technologies such as artificial intelligence and machine learning to detect and fend off these cyber attacks. To prevent BEC attacks and other cyber scams, companies should educate their workforce on cybersecurity awareness and ensure that they follow strict email security protocols, such as monitoring email usage patterns, implementing two-factor authentication and creating password policies that require multi-factor authentication protocols.

Conclusion and Advice

Companies, both large and small, should make it a priority to implement comprehensive security controls to prevent cyber attackers from stealing sensitive information or compromising their infrastructure. Such controls must not only cover the perimeter defenses that protect against outside threats but also incorporate endpoint security, privileged access management, and, most importantly, employee training and awareness. It is also recommended that companies partner with reputable security vendors who can help identify and mitigate cyber risks and provide timely advice on the appropriate security measures to safeguard their overall system.
