The US Federal Bureau of Investigation (FBI) has warned businesses to be particularly wary of phishing campaigns targeting Microsoft 365 and Google G Suite as a prelude to a Business Email Compromise (BEC) attempt.
In a BEC attack, the threat actor applies social engineering methods over email, often pretending to be a senior figure in the organisation, to manipulate an officer into transferring funds to the criminal’s account.
While such attacks are nothing particularly new, the FBI’s warning reflects a change in tack by cybercriminals as more organisations take advantage of the productivity benefits that cloud-based applications like Office 365 can bring. The sums involved are also quite substantial, as mentioned by the FBI in its March Private Industry Notification (PIN):
“The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1bn in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.”
Cybercriminals are aiming to compromise email accounts that can then be used to facilitate a BEC attack. This may increase the chances of success because the actual email account of the imitated person is being used for communications. The cybercriminal also has access to previous emails, which may yield clues about procedures in the organisation and give an idea about how to effectively imitate the victim’s writing style, as noted by the FBI:
“Upon compromising victim email accounts, cybercriminals analyze the content to look for evidence of financial transactions. Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers.”
At this point, the cybercriminal will seek to manipulate a financial officer within the organisation—or perhaps a third party, such as a customer—into transferring a sum of money to an account owned by the threat actor. Before losing access to the email account, however, the cybercriminal may also harvest any intelligence about the victim’s contacts elsewhere in the supply chain, such as suppliers and customers. This can be exploited in another attack elsewhere in the sector, such as through a highly personalised spear-phishing attack.
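The header heuristics below are an added example, not code from the Pro-Networks article or the FBI notification. They check a raw message for the three cheap indicators of the impersonation variant of BEC described above: a display name that matches a senior figure while the address does not, a Reply-To that diverts replies to a different domain, and a sender domain that is a near-match of the organisation's own. The organisation domain, the executive list and all three sample messages are constructed for illustration. The second sample is the case the FBI text emphasises: a message sent from the genuine, compromised account trips none of these checks, which is why that variant has a higher chance of success and needs account-level controls rather than header inspection alone.

```python
"""Header-based BEC indicators (constructed example, not the article's own code)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the organisation's own domain and the senior figures
# most likely to be impersonated, mapped to their legitimate addresses.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list:
    """Return the list of indicator names found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    indicators = []

    # 1. Display name of a known executive, but the address is not theirs.
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        indicators.append("display-name-impersonation")

    # 2. Reply-To on a different domain than From: replies leave the visible thread.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators.append("reply-to-mismatch")

    # 3. Sender domain is within two edits of our own domain but is not our domain.
    sender_domain = _domain(from_addr)
    if sender_domain and sender_domain != ORG_DOMAIN \
            and _edit_distance(sender_domain, ORG_DOMAIN) <= 2:
        indicators.append("lookalike-domain")

    return indicators


# Constructed sample messages.
SPOOFED_MESSAGE = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: <ceo.urgent@freemail.example>\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached payment today.\n"
)

# Sent from the real, compromised executive account: no header anomaly to catch.
GENUINE_ACCOUNT_MESSAGE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Subject: Updated vendor bank details\n"
    "\n"
    "Use the new account below for the next invoice.\n"
)

# Third-party vendor thread with replies redirected to another domain.
VENDOR_MESSAGE = (
    'From: "Accounts Receivable" <ar@vendor.example>\n'
    "Reply-To: <ar@vendor-billing.example>\n"
    "Subject: Invoice 1042\n"
    "\n"
    "Our banking details have changed; see attached.\n"
)


if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_MESSAGE),
                          ("compromised account", GENUINE_ACCOUNT_MESSAGE),
                          ("vendor", VENDOR_MESSAGE)]:
        print(f"{label}: {bec_indicators(sample) or 'no header indicators'}")
```

Run it as a script to see the three verdicts; the genuine-account sample reports no header indicators, so mailbox-level controls such as multi-factor authentication and monitoring of the compromised account remain the primary defence for that case.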
The FBI notes that organisations with limited capabilities, such as small and medium-sized enterprises, may be more at risk from these scams. To defend against these attacks, the FBI recommends a series of technical measures admins can take, as well as practices that potential victims can employ.
Social engineering continues to be a major tool for cybercriminals, so at Pro-Networks, we know it’s important to counter it through a multi-faceted approach. When using our managed cloud services, we can help you secure them through technologies like multi-factor authentication while also training your staff in practices that will help to detect and defuse potential attacks like BEC.