Cybercriminals have been using auto-forwarding rules in web-based email clients to increase the chances of success of their business email compromise (BEC) scams, according to a recently issued TLP: WHITE Joint Private Industry Notification from the Federal Bureau of Investigation (FBI).
Business email compromise scams involve gaining access to a corporate email account and using that account to send emails to other individuals in the organization to get them to take a specific action. That action is often making a fraudulent wire transfer to the attacker’s account. Variations include convincing an employee to change payroll account information, or tricking HR employees into sending employees’ tax information (W-2 Forms) for use in tax fraud.
The initial compromise is usually achieved through a spear phishing email using social engineering techniques to obtain the user’s email credentials, with the initial attack often targeting an executive or the CEO. Once access to that account is gained, reconnaissance is performed and the email account is scanned for information that can be used in the next phase of the attack.
The FBI explains that it has observed BEC attackers using auto-forwarding rules on compromised email accounts to decrease the likelihood of the fraudulent communications being detected.
IT security teams often monitor for changes to email forwarding rules and configure alerts to be generated when changes are made on their networks, but those alerts often miss updates on remote workstations using web-based email, since the web-based client’s forwarding rules do not typically sync with the desktop client. IT security teams therefore have limited visibility into changes to auto-forwarding rules in web-based email clients.
The forwarding rules send certain emails to the attacker’s email account and may also delete them from the mailbox and the recycle bin. This approach allows the attackers to impersonate vendors and other individuals, request fraudulent wire transfers to pay for services, and have the funds sent to bank accounts under their control, without being detected by the IT security team or the user of the compromised mailbox.
Even when a potential scam is suspected by a financial institution or a notification is received from law enforcement, a system audit may not identify any changes to auto-forwarding rules, unless the desktop client and the web-based client are both audited.
The FBI provided two examples of companies that fell victim to BEC attacks in August 2020 that both involved changes to auto-forwarding rules in web-based email clients. A US-based medical company had upgraded a web client which did not sync to the desktop application. The IT security team only monitored auto-forwarding rules on the desktop application and had also not enabled RSS on the desktop application, so the auto-forwarding rule changes went unnoticed.
The attackers impersonated a known international vendor, created a similar domain to that used by the company, and then communicated with the victim using a UK-based IP address to increase the chance of payment being made. The scam was not detected and the company lost $175,000.
The same threat group conducted another attack on a company in the manufacturing industry and used three forwarding rules in web-based email. One rule forwarded all emails containing the words bank, payment, invoice, wire, or check to the attacker’s account. The other two rules were based on the sender’s domain and forwarded those emails.
The FBI recommends ensuring desktop and web applications run the same version to allow syncing and updates, carefully checking all emails for small changes, and being wary of any last-minute changes to established email account addresses. It is also recommended to enable multi-factor authentication, prohibit auto-forwarding to external email addresses, and monitor email exchange servers for configuration changes and custom rules on specific accounts.
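The rule patterns described above (keyword triggers on finance terms, sender-domain triggers, forwarding to an external address, deleting the original) are exactly what a periodic mailbox-rule audit should look for. The following is an added example, not code from the FBI notification or from any email product. It assumes rules have been exported from the web client into simple records whose field names (forward_to, redirect_to, subject_or_body_contains, from_domain_contains, delete_message) are assumptions for illustration, and the sample export and internal domain list are constructed.

```python
"""Audit exported mailbox rules for the BEC auto-forwarding patterns in the FBI notice.

Added example. The export format and field names are assumptions; the records
below are constructed, as is the internal domain list.
"""
import re

# Assumption: domains the organisation itself owns (constructed).
INTERNAL_DOMAINS = {"example-corp.test"}

# Keywords the FBI notification reports being used in a keyword-based forwarding rule.
FINANCE_KEYWORDS = {"bank", "payment", "invoice", "wire", "check"}


def domain_of(address):
    """Return the lowercase domain of an email address, or '' if it has none."""
    match = re.search(r"@([^@>\s]+)", address)
    return match.group(1).lower() if match else ""


def audit_rule(mailbox, rule):
    """Return a list of findings for one inbox rule (empty when nothing looks suspicious)."""
    findings = []
    targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
    external = [t for t in targets if domain_of(t) not in INTERNAL_DOMAINS]

    # Forwarding or redirecting outside the organisation is the core of the technique.
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))

    # Keyword triggers on finance terms, as in the manufacturing company case.
    words = {w.lower() for w in rule.get("subject_or_body_contains", [])}
    hits = sorted(words & FINANCE_KEYWORDS)
    if hits and targets:
        findings.append("keyword trigger on finance terms: " + ", ".join(hits))

    # Forward-and-delete hides the correspondence from the mailbox owner.
    if rule.get("delete_message") and targets:
        findings.append("forwards and deletes the original (hidden from the mailbox owner)")

    # Sender-domain trigger plus external forwarding matches the vendor-impersonation pattern.
    if rule.get("from_domain_contains") and external:
        findings.append("sender-domain trigger combined with external forwarding")

    name = rule.get("name", "?")
    return [f"{mailbox} / rule '{name}': {f}" for f in findings]


def audit_mailboxes(export):
    """Run audit_rule over an export of {mailbox: [rule, ...]} and flatten the findings."""
    return [finding
            for mailbox, rules in export.items()
            for rule in rules
            for finding in audit_rule(mailbox, rule)]


# Constructed sample export: one compromised mailbox, one benign one.
SAMPLE_EXPORT = {
    "cfo@example-corp.test": [
        {"name": "finance",
         "subject_or_body_contains": ["bank", "payment", "invoice", "wire", "check"],
         "forward_to": ["ops-mail@attacker-controlled.invalid"],
         "delete_message": True},
        {"name": "vendor",
         "from_domain_contains": ["acme-supplier.test"],
         "forward_to": ["ops-mail@attacker-controlled.invalid"],
         "delete_message": False},
        {"name": "team",
         "forward_to": ["assistant@example-corp.test"],
         "delete_message": False},
    ],
    "hr@example-corp.test": [
        {"name": "newsletters",
         "subject_or_body_contains": ["newsletter"],
         "move_to_folder": "Reading"},
    ],
}

if __name__ == "__main__":
    for line in audit_mailboxes(SAMPLE_EXPORT):
        print(line)
```

Because the article's point is that web-client rules may never reach the desktop client, the export fed to this audit has to come from the web-based mailbox (or the mail server) itself, not from the desktop application; an internal-only forward such as the "team" rule produces no finding, while the "finance" and "vendor" rules each produce several.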
Also consider adding banners to external emails to alert recipients, flag emails where the sender and reply-to addresses are different, and ensure that changes to mailbox logins and settings are logged, retained, and monitored.
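Two of those controls, the external-sender banner and the From/Reply-To mismatch flag, are simple header checks a mail gateway or a mailbox-side script can apply. The following is an added example, not code from the FBI notification or from any vendor product; the two messages and the internal domain list are constructed, and the lookalike vendor domain is a placeholder.

```python
"""Flag mail whose From and Reply-To disagree, and prepend an external-sender banner.

Added example. The messages are constructed and the internal domain list is an assumption.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation owns (constructed).
INTERNAL_DOMAINS = {"example-corp.test"}
EXTERNAL_BANNER = "[EXTERNAL] "


def header_domain(header_value):
    """Lowercase domain of the first address in a header, or '' if absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(raw_message):
    """Return the checks to apply before delivery, plus the subject as it should be shown.

    external          -> the From domain is not one the organisation owns
    reply_to_mismatch -> a Reply-To is present and points at a different domain than From
    subject           -> the subject with the external banner prepended where applicable
    """
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg.get("From"))
    reply_domain = header_domain(msg.get("Reply-To"))

    external = from_domain not in INTERNAL_DOMAINS
    mismatch = bool(reply_domain) and reply_domain != from_domain

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_BANNER):
        subject = EXTERNAL_BANNER + subject

    return {
        "external": external,
        "reply_to_mismatch": mismatch,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "subject": subject,
    }


# Constructed: a payment-redirect attempt where replies go to a lookalike domain.
LOOKALIKE_VENDOR = """From: Accounts <accounts@acme-supplier.test>
Reply-To: Accounts <accounts@acme-suppller.test>
To: ap@example-corp.test
Subject: Updated bank details for invoice 4471

Please use the new account for all future payments.
"""

# Constructed: an ordinary internal message with no Reply-To.
INTERNAL_NOTE = """From: Jane <jane@example-corp.test>
To: ap@example-corp.test
Subject: Lunch

Noon in the lobby?
"""

if __name__ == "__main__":
    for name, raw in (("lookalike vendor", LOOKALIKE_VENDOR), ("internal note", INTERNAL_NOTE)):
        print(name, classify(raw))
```

The Reply-To check is deliberately keyed on the domain rather than the full address so that a legitimate "From: alice@vendor" with "Reply-To: billing@vendor" is not flagged, while a reply address on a lookalike domain is; a message with no Reply-To at all is never treated as a mismatch.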