FBI: Business Email Compromise Attacks Abuse Email Auto-Forwarding

December 03, 2020 - The FBI recently released a joint Private Industry Notification, warning organizations that hackers are actively abusing email auto-forwarding on web-based email clients during business email compromise (BEC) attacks to hide successful system breaches from victims.

The use of web-based email clients rapidly expanded across all sectors in light of expanded telework amid the pandemic. In typical fashion, attackers have been targeting these platforms to take advantage of the increased traffic.

The sophisticated BEC scams target any organization that performs electronic payments. In its initial stages, the hacker will compromise an enterprise email account using social engineering or other network intrusion tactics.

Once access is gained, the threat actor then conducts reconnaissance on the victim’s email communications, using the gathered intel to impersonate an employee via email communications to redirect pending or future payments to fraudulent bank accounts.

Business email compromise attacks leverage typical criminal spoofing or mimicking of legitimate email addresses. The highly targeted nature of BEC scams have made the threat three times more successful than traditional phishing attacks, according to previous Barracuda data.

READ MORE: Hackers Targeting COVID-19 Vaccine Supply Chain Via Phishing Campaigns

In fact, despite making up just 7 percent of all spear-phishing attempts in 2019, BEC scams caused $1.7 billion in losses across the US in 2019 -- the costliest threat actor last year.

In these recent attacks, the FBI warned that after obtaining employee credentials through the new BEC scam, the hacker then updates auto-forwarding rules within the victim’s web-based email clients to conceal their activities from the victim.

“The web-based client’s forwarding rules often do not sync with the desktop client, limiting the rules’ visibility to cybersecurity administrators,” the alert explained. “While IT personnel traditionally implement auto-alerts through security monitoring appliances to alert when rule updates appear on their networks, such alerts can miss updates on remote workstations using web-based email.”

“If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application,” it added. “Cybercriminals then capitalize on this reduced visibility to increase the likelihood of a successful BEC.”

This vulnerability may leave organizations more susceptible to BEC attacks. The FBI warned that the flaw also leaves employees and all connected networks vulnerable to hackers.

READ MORE: BEC Phishing Campaigns Bypass MFA, Target Office 365 Executive Accounts

What’s more, a system audit may not successfully find the updated email rules if both the workstation and web-based client aren’t audited, even after a financial institution or law enforcement notifies the victim organization of a potential BEC.

As a result, a hacker can still leverage the email forwarding and retain email access to perpetrate further BEC activity.

The FBI further warned hackers can also leverage email forwarding rules to delete records from the recycle bin for continued obfuscation.

The latest BEC campaign already claimed a US medical equipment vendor as a victim in August. Hackers established auto-forwarding email rules on the firm’s recently upgraded web client, which did not sync to the desktop application.

The intrusion went undetected by the victim, “which only observed auto-forwarding rules on the desktop client.”

READ MORE: COVID-19 Business Email Compromise Schemes, Ransomware Escalating

“RSS was also not enabled on the desktop application,” according to the alert. “After the BEC actors obtained access to the network, they impersonated a known international vendor. The actors created a domain with similar spelling to the victim and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment.” 

In the end, the hackers obtained $175,000 from the victim.

To prevent falling victim to these attacks, the FBI urged administrators to ensure both the desktop and web-based applications are operating with the same versions to allow for appropriate syncing and system updates.

Users and administrators should be on alert for last minute changes in established email accounts, while email addresses should be examined for any slight changes that can mask fraudulent addresses and typically resemble legitimate client names.

Multi-factor authentication should be employed across all email accounts, and automatic forwarding to external addresses must also be prohibited. Administrators should frequently monitor for any configuration changes and custom rules made in the Email Exchange server.

Further, email communications should be flagged when the reply email addresses do not match the sender’s address. Administrators can also add an email banner to messages that originate from outside the organization to increase visibility, along with implementing security measures to block malicious emails.

“Consider the necessity of legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent MFA,” the alert explained. “Ensure changes to mailbox login and settings are logged and retained for at least 90 days.”

Healthcare organizations should ensure they’ve implemented best practice cybersecurity measures, which can prevent BEC scams from penetrating the network. These measures include employee training, dedicated leadership, and effective email security tools.