It has been reported that a Dubai-based exhibitions firm has lost $53,000 (Dh194,700) in an elaborate phishing attack. Binu Manaf, CEO and managing director of Cheers Exhibition, said a cybercriminal hacked his firm’s email and then used a spoofed email to trick its client to wire the funds into an overseas bank.The CEO said he didn’t realise the company’s email account had been hacked until one of his clients enquired if he had sent out emails seeking payments into an overseas account instead of a local bank in Dubai.
In this attack the bad actor had the time to trawl through previous company emails to gain an understanding of the targets business. The more time hackers are allowed unhindered access to email systems the more creative they can become with their targeted emails.
There are a number of simple protections such as either frequent password changes or even deploying MFA for authentication into critical systems (email being one of those), ensuring a modern Antivirus system is used and kept up-to date to name but two. In addition closely monitoring user behaviour with a UEBA system will highlight anomalous behaviour such as users accessing abnormal resources, from unusual locations or at unusual times which would help to identify compromised account quickly and hopefully stop the attack before the bad actor can gain the information they need. It is good practise to have clear processes with your customers, suppliers and other partners where payments are involved. This is especially important as this type of attack is becoming much more prevalent and lucrative.
In addition to user awareness training via regular phishing simulations and education, organisations can create detection and response mechanisms to identify and thwart these attempts before they make it to a user’s inbox. Setting up automation to identify emails that seem \’phishy\’ and blocking them for review by the security team can take a little extra work but should be able to help reduce risk. Beyond implementing tools, consistent behaviours can help thwart phishing and, in this case, whaling attacks. When CEOs sit in an ivory tower or are known to make rash and unplanned requests, they can also be impersonated more easily, even to those employees that know them well. On the other hand, the actions of a CEO that is approachable and interactive are better known to their clients and colleagues, so an unexpected money transfer request is more likely to be identified and flagged as suspicious.
We continue to see such attacks against businesses whereby emails are sent to trick recipients into sending money or other details. This is a prevalent form of Business Email Compromise and these threats are highly targeted and rely on social engineering rather than malware, meaning that such “Imposter Emails” often evade security solutions that look only for malicious content or behavior.
Technology alone cannot offer effective protection. One of the key measures is raising security awareness across the users on how to spot spoofed emails and phishing attempts should be part of EVERY company’s security program. In addition to investing in an advanced email filtering system, organizations should also bolster the process steps.
Use Two-Step Verification:
Two-way verification helps companies to solve the problem of this type of financial fraud by implementing a company-wide policy of approving transactions before the funds’ transfer. Also, companies should have a two-person check process in place so that one person can\’t make a new payment without a colleague verifying the authenticity of the payment.
Although email infrastructure is critical to any organization and security controls should be implemented to protect it, more important the company should also security assess their business processes to reduce the risk affecting confidentiality, Integrity, and Availability of the information processed by these processes. In addition to vulnerable email infrastructure in this incident, we also have seen that how easy is it to trick the employee to send the money to overseas account by sending a crafted email. We all know that human is the weakest link in the chain, the company should devise a strategy to increase the employee awareness to detect the suspicious activities and should have the proper system in place to report the findings to the security department for investigation.
The fact the email was hacked in the first place, points less towards a sophisticated attack and one of opportunity and persistence.. The initial weakness being the lack of two factor authentication or a flaw in the email service that could be exploited.
Email is a critical business tool that needs to be protected as such, continuously identifying flaws that could be exploited to ensure only permitted users can gain access.
Whenever dealing with transfers of large sums, any change to the norm should be questioned and validated by multiple communication methods and educating everyone that handles payment to fraudulent approaches.