A silent cyber crime blitzkrieg as Aussie businesses robbed of millions
Posted on May 22, 2018
Business email compromise devastates Australia, but a few simple steps can foil attacks.
It was a mundane email sent to a delinquent client: “Payment of your invoice is overdue”. Nothing about it alluded to the deep financial and personal pain the owners of the small Melbourne construction business were set to endure at the hands of online criminals who had just fleeced them of more than $100,000.
But perpetrators of business email compromise (BEC), a form of cyber-crime described by seasoned security experts as “out of control” and operating on a “phenomenal” scale costing businesses billions of dollars a year, rarely offer victims clues of their crimes until it is too late.
The scams, experts agree, are on an epidemic scale with businesses in each Australian state and territory losing thousands of dollars every day. Criminal investigators say Australian businesses regularly lose “often more than $100,000 per incident”.
Yet public reports of these attacks have been minimal.
These attacks are a world apart in their technical complexity from the type of advanced state-sponsored hacking that captures headlines; BEC is mostly textbook swindling with an occasional click of automated hacking platforms.
It takes different forms, all of which criminals deploy to devastating effect. In one form, known as whaling, criminals impersonate a company director in an email to a subordinate financial controller, ordering them to pay money to the criminals' bank account.
In another, known as doctored invoicing, scammers will use automated tools to break into a business’ email inbox and alter the payable bank accounts on client invoices.
A brazen online criminal apparatus means criminals need not even hack email accounts and can simply buy that access from other criminals.
Chain of events
This is what happened to the Melbourne-based Buildr (we are concealing the victim’s true identity).
Buildr staff discovered they had been robbed only after their client informed them the invoice was paid two months earlier.
This chain of events made little sense to Buildr. Emails showed their project manager had sent the invoice to the client, along with a thank you note and glib wishes for the weekend.
There was no reply and the exchange fell silent for the next three months.
Follow up phone calls revealed the invoice the client received contained a bank account number that did not match that sent by Buildr.
- Confirm account numbers with a phone call or text message prior to transferring money.
- Turn on two-factor authentication wherever and whenever it is offered. This is often your best defence against most online threats.
- Implement SPF, DKIM, and DMARC to help combat BEC email spoofing attacks.
- Password hygiene:
  - Set unique, non-cliché, atypical passwords for email, business, and other important accounts.
  - These can be pronounceable multi-phrased sentences with a few numbers or special characters.
  - Strongly consider a password manager such as LastPass.
A Buildr IT technician suspected foul play and appealed to trusted information security contacts, finding Kayne Naughton – a Melbourne-based threat intelligence expert at Cosive, with a much-exercised history in computer forensics and combatting financially-driven cyber-crime.
“This isn’t even my day job, it’s barely my side job, and I’ve handled about $2 million in losses across Australian businesses in the last few years,” Naughton says.
“It’s out of control”.
The same attacker who targeted Buildr is thought to have stolen hundreds of thousands of dollars from more than a dozen Australian businesses using the same BEC techniques.
Business email compromise is exploding in growth and financial impact across the world. The FBI in October last year estimated BEC had cost businesses in all countries some US$5.3 billion.
The Australian Federal Government says businesses here lost more than $20 million to BEC between 2016 and 2017, up from $8.6 million the previous year. In the three years to December it had received more than 2000 reports of BEC.
Government numbers on BEC attacks have steadily increased but remain, it says, “only a small percentage of total activity” thanks to “misreporting and underreporting”.
Losses from BEC are high. Multiple Australian organisations in the last three years have each lost millions of dollars in single unreported BEC attacks, security responders with first-hand knowledge of the incidents tell us.
Typical losses incurred by businesses vary between experts. Some find BEC victims lose about $10,000 an incident, while others handle cases between $25,000 and $50,000 each. Well-placed crime investigators say losses of $100,000 per incident in Australia are common.
Many of these losses are likely absent from government registers. Security experts working in the private and public sectors agree that the total of all cyber-crime losses reported to government is significantly less than the true cost, because many victims, especially businesses, are reluctant to report incidents for fear of public exposure.
Security incident responders contracted to assist hacking and BEC victims are often made to sign non-disclosure agreements that can prevent them from supplying even anonymised crime data to the Federal Government. Many well-intentioned contractors try and fail to convince their clients to lift the reporting ban.
- March 2018: A New York man pleads guilty to stealing more than US$1.1 million in successful BEC attacks against an unnamed trade association.
- March 2018: French police arrest two BEC suspect operators and five money mules in connection with BEC attacks alleged to have inflicted €4.6 million in losses across 24 organisations.
- March 2017: Lithuanian police arrest a Lithuanian national accused of stealing US$100 million in BEC attacks against Google and Facebook.
- August 2016: Nigeria authorities arrest a Nigerian national then accused along with a network of peers of stealing more than $60 million from US businesses. One victim lost US$15 million in a single attack.
Ghost in the wires
The average BEC scam leans on employing social engineering skills more than hacking prowess. The same was true for the criminal who defrauded Buildr. A combination of automated password guessing, simple email forwarding rules, and a pair of custom email addresses was sufficient to pull off the six-figure crime.
Not all business email compromise attacks run the same way, but most see criminals targeting weak webmail passwords to gain their initial foothold.
Passwords are guessed with the use of online rapid-fire automated tools that test millions of simple words, clichés, and known hacked passwords against an email login. Buildr’s password, however, was strong, and it remains unknown how the credentials were compromised.
The West Africa-based attacker who compromised Buildr’s inbox remained inside for months, searching email exchanges for signs of a business deal, and intercepting and manipulating messages between the company and its client.
Buildr’s attacker registered two domains and email addresses to resemble the real addresses of Buildr and its client (for example creating firstname.lastname@example.org to mimic email@example.com).
The criminal emailed Buildr’s project manager posing as the client and emailed the client posing as the project manager. This allowed them to sit in the middle of the conversation copying and pasting and, at times, editing exchanges between Buildr and its client.
The invoice Buildr intended to send to its client was instead sent to the attacker who modified it such that the bank account for payment matched their own. The client’s email of confirmation of payment never made it to Buildr, buying time for the attacker to secure the stolen funds.
But Buildr’s criminal could have used other means. Many BEC attackers will set up mail forwarding rules within the compromised inbox to divert inbound and outbound emails. These rules may redirect emails between a business and its client to a folder that the attacker creates within the compromised inbox, or to the attacker’s external email account.
In the latter case, mail spoofing is often successful at masking the attacker’s interception such that the email exchange between business and client appears normal.
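The lookalike addresses described above are the detectable part of this interception: the sender domain is almost, but not exactly, the partner's real domain. The following is an added defensive example, not code from the article or from Cosive or Secureworks, that scores an inbound sender address against a constructed list of trusted partner domains (the domain names and confusable-character table are assumptions) and flags near-matches that a finance team's mail filter should hold for verification.

```python
"""Flag BEC-style lookalike sender domains against a list of trusted partner domains."""
import re

# Constructed sample: domains this business and its known clients genuinely use (assumption).
TRUSTED_DOMAINS = {"buildr-example.com", "client-example.com"}

# Illustrative confusable substitutions seen in lookalike registrations (partial list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    """Collapse common visual confusables so 'bui1dr' and 'buildr' compare equal."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one- or two-character typosquats such as 'builder'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    # Compare only the leftmost label; adequate for simple .com/.org style partner names.
    return domain.split(".")[0]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of an email address."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    if not m:
        return "unknown"
    domain = m.group(1).lower()
    if domain in trusted:
        return "trusted"
    name = registrable(domain)
    for good in trusted:
        good_name = registrable(good)
        # Homoglyph swap, short edit, or the real name buried in a longer domain.
        if normalise(name) == normalise(good_name) or levenshtein(name, good_name) <= max_distance:
            return "lookalike"
        if good_name in name:
            return "lookalike"
    return "unknown"
```

Addresses classified as "lookalike" are the ones to hold and confirm by phone before any invoice they carry is paid; "unknown" senders are simply not partners and deserve the same scrutiny as any cold contact.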
Other BEC criminals, in a subset of attacks called whaling, will use compromised corporate inboxes or mail spoofing techniques to send emails to finance staff requesting payments be made to their accounts.
Other attackers will target human resources in often successful bids to have employee payslip bank accounts altered.
Crime as a service
Business email compromise, like many forms of online crime, is offered as a turnkey service that lowers the technical barrier to entry.
Here, criminals break into large numbers of email accounts and sell, on darkweb and public sites, access to the usernames and passwords of the compromised inboxes.
It is then up to criminal buyers to pull off the BEC attack, swindling businesses and their clients. “Dollar for effort, BEC offers a better return on investment than any other cyber-crime,” says Alex Tilley, a former cyber-crime veteran of the Australian Federal Police and now an ecrime intelligence expert with Secureworks Counter Threat Unit.
“The amount of cash here is phenomenally large; it represents a very big bucket in cyber-crime.”
Other criminals sell diversion attacks as a managed offering. Denial of Service attacks, where large quantities of junk traffic overwhelm a target, are used against victims by some online criminals in a bid to divert the attention of security teams.
It appears to work. We have heard of instances of BEC victims in Australia who were distracted by Denial of Service attacks while BEC criminals were breaking into corporate inboxes.
Any sector where workers wire significant sums of money to bank accounts etched into emailed invoices, without secondary validation such as a phone call, is at risk of BEC.
Attacks have hit businesses from manufacturers of children’s toys to global technology behemoths, and scores of industries in between.
But the entry of business email compromise criminals into the Australian real estate sector is setting Tilley on edge.
And it takes a significant crime to rattle Tilley, an operator battle hardened to the worst forms of cyber-crime. This is because he sees the vast amounts of cash moving daily from buyers, agents, and lawyers within Australia’s booming real estate industry at speed as a recipe ripe for BEC attacks.
His experience late last year in buying a house in Queensland spiked his concern when his agent declined his offer to confirm over the phone the bank account details, sent to him by email, to which large payments were to be made.
Any losses may not be protected. Unlike victims of traditional credit card fraud, real estate buyers who lose money to BEC attacks are not guaranteed to be reimbursed by banks or agents.
This could mean a loss of life savings for some victims. High-value transactions including deposits are vulnerable to BEC targeting because money is transferred, without any verification, into bank account numbers that are provided over email.
Australia’s old manual settlement and chequebook processes serve to protect the largest residential real estate money transfers, Tilley says. But these manual processes may be open to BEC criminals as they are streamlined in the future.
Meanwhile, the smaller rental market notably around bond payments remains open to BEC targeting. The latest 2016 Census reveals 30.9 percent of Australians rent homes, a year-on-year increase.
Heritage of the crime can be traced back 60 years to scammers who sent fake lottery winnings through the post.
Perpetrators of BEC are, like those postal fraudsters, often based in African nations including Ghana, Nigeria, Mali, and Somalia, especially around university towns, or are commonly expatriates from those areas. Experts in law enforcement and private security companies know this because the perpetrators make little effort to conceal their real identities from them. Exchange has seen photos of some individuals experts say are behind serious BEC attacks.
“These are the same guys doing 419 scams and Spanish lotteries,” Tilley says. “When I started this 20 years ago they were pulling smaller cons; these are dudes who have been doing con tricks their whole lives, and now they are digitally enabled.”
The vast sums of money from BEC are laundered through a network of offshore bank accounts and flow in many directions. The laundering networks in Australia are extensive and fast-paced, experts say, with bank accounts “on tap”.
Some networks are known to break the digital money trail and skirt money-laundering checks, by turning stolen funds into Rolex watches that are then carried out of Australia on the wrists of money mules. Many mules, however, are also victims who are unaware that their activities are part of cyber crime operations.
Within West Africa the profits are thought to have bankrolled everything from traditional organised crime to armed conflicts, along with boosting the bank balances of BEC criminals.
One family based in Johannesburg and linked to BEC was using the proceeds of that crime to buy and sell BMWs on major online trading sites, and was broadcasting its lavish life and huge property investments on social media, posing in photos with popular local rappers and celebrities.
Others operate out of internet cafes where the main users are online scammers. “We’re not talking any of this darkweb marketplace stuff – we’re talking bank notes exchanged for email lists scrawled on grubby bits of paper,” Naughton says. “These cafes are a safe environment for the criminals to learn.”