Investigating a complex business email compromise attack

Overview

Investigating a sophisticated email business compromise attack on an insurance provider

Concerned about the impact of a business email compromise (BEC) attack, which resulted in an attempt to defraud one of its customers out of nearly £300k, a leading independent insurance broker approached Redscan to investigate the source and scope of the attack.

Industry

Finance

The Incident

Summary

High volumes of sensitive data
Compromised by cybercriminal
Victim of Business Email Compromise

As a specialist firm providing insurance advice for high value business mergers and acquisitions, Redscan’s client processes a wealth of sensitive data.

Despite maintaining a high level of security, the firm discovered that it had been compromised by a cybercriminal and used as a platform to launch a Business Email Compromise (BEC) attack designed to trick one of its clients into paying two open invoices, with a total value close to £300k, into an alternate bank account.

Fortunately, on this occasion, the attack was detected by the firm before any payment was made by the client – a vigilant member of staff from the client company had insisted on verbal verification of the financial details supplied, leading to an alarm being raised.

Nevertheless, the firm was keen to understand the extent of the compromise and how to safeguard against similar threats.

In need of support from an expert cyber security company to help shed light on events surrounding the attack, the firm turned to Redscan, a leading provider of threat detection and response services, to conduct a full forensic investigation.

The Investigation

Summary

Analysis of email logs
Identification of point of compromise
Discovery of client firm targeting
Tracing of attack source

The initial focus of Redscan’s assessment was analysis of email logs relating to the Office 365 accounts suspected as being used to instigate the fraud.

The team quickly identified that six weeks prior to the BEC attack, one of the Office accounts belonging to a senior-level employee had received a phishing email.

Purporting to be from Microsoft®, the email claimed that the user’s account may have been accessed and requested that the user sign in to review activity for security reasons.

Working on the basis that the phishing attempt had been successful, leading to the harvesting of the user’s Office credentials, Redscan set about reviewing audit logs relating to the account in question.

It soon became clear that an attacker had successfully accessed the account from an unidentified IP address.

Mailbox rules designed to scan all incoming emails for keywords, move them to the user’s RSS Subscriptions folder within Outlook®, and mark them as unread were promptly introduced. This course of action would help the attacker to quickly identify emails of interest and prevent the compromised user from viewing and responding to them.

Important client of firm targeted

One email thread to capture the attention of the attacker was related to the billing of two high value invoices, which had been raised by the insurance firm for one of its clients.

Redscan analysis of the firm’s email logs reveals that the attackers had used the information gathered in reconnaissance to create a chain of spoof email communications designed to imitate the compromised user and request payment of the outstanding invoices to a substitute bank account.

The source of the spoofed emails was a domain set up to closely resemble that of the insurance firm, so that the difference would not be easily discernible.

Additional attempts by the attacker to conceal the fraud were uncovered by later analysis, which showed that any incoming emails from the firm’s client to the compromised Office account were promptly deleted.

The creation of additional fake email accounts pertaining to colleagues of the compromised user and suggestion that one of these colleagues would call the client to provide verbal verification of the bank payment details supplied were also designed to increase the likelihood of the BEC succeeding.

Even at the point where the attack was close to being foiled, the attacker did not relent. Further analysis of event logs revealed that an email rule had been set within the compromised account to auto-forward all incoming and outgoing emails to an external Gmail address.

Over the course of a week following detection of the attack, the email forward had delivered over 280 emails to this fraudulent account, resulting in the continued disclosure of highly confidential client details and payment information to the attacker.

Having established the means of attack, Redscan’s CIRT team set about identifying how the compromise was able to occur. Analysis of audit logs reveals that, following the original phishing attack, which led to Office 365 credentials being harvested, hundreds of account login attempts were initiated from a range of malicious IP addresses.

Tracing the source of the attack

These attempts originated from IPs in Nigeria, China and later, UAE, from where a number of successful logins were eventually made.

While it’s possible that the failed authentication attempts may be unrelated to the BEC attack, this is unlikely to be a coincidence. One theory is that the compromised user may have, in falling foul of the phishing attempt, entered incorrect account credentials. This led to brute force attempts to identify the genuine password.

Upon detection of the BEC attack, the insurance firm’s IT staff made the decision to lock down the compromised account and enforce multi-factor authentication for all Office 365 users. While this course of action was effective at preventing subsequent malicious login attempts, it was not until the Redscan team identified and disabled email forwarding that the attack was safely contained.

Having concluded its investigation, the Redscan team produced a formal incident report outlining a full timeline of events. The document also included recommendations to help the firm prevent and detect future attacks.

Use of Office 365 Secure Score

This dedicated security tool helps organisations to review and securely configure Office 365 environments.

Full mailbox audit logging

The activation of full audit logging in Office 365 provides increased visibility of actions performed across all mailbox accounts.

Enable multi-factor authentication

Use of MFA provides an extra layer of authentication by requiring users to accept a phone call, text message, or a mobile application notification to log into Office.

Proactive network and endpoint monitoring

Use of the latest SIEM, Intrusion Detection and Behavioural Monitoring tools helps to identify attacks in their infancy by flagging threats and suspicious activity such as failed sign in attempts and policy violations.

Block malicious IPs

Blocking domains associated with known phishing attacks helps to reduce the risk of staff falling victim to BEC attacks.

Review staff training needs

Regular security training can help to instil best practice and improve awareness of the latest social engineering attacks.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_ok	session	The cookie is set by Olark live chat software and is used to store most recent Olark site for security purposes.
_okdetect	session	This cookie is set by Olark live chat software. The cookie is used for detecting when storage contexts have changed due to things like ssl or host transitions.
_oklv	session	The cookie is set by Olark live chat software. According to Olark documentation, the cookie is the Olark Loader version used for improved caching.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
hblid	1 year 1 month 4 days	The cookie is set by Olark live chat software and is used as a visitor identifier to remember a visitor between visits.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
_okbk	session	The cookie is set by Olark live chat software and is used to store extra state information of the chat box.
olfsk	1 year 1 month 4 days	This cookie is set by Olark live chat software. This cookies is a storage identifier used to maintain chat state across pages.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.
wcsid	session	This cookie is set by Olark live chat software. The cookie is a session identifier that is used to keep track of a single at session.

Cookie	Duration	Description
_ce.gtld	session	Crazyegg sets this cookie to identify the top-level domain.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
cebs	session	Crazyegg sets this cookie to trace the current user session internally.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
NID	6 months	Google sets the cookie for advertising purposes; to limit the number of times the user sees an ad, to unwanted mute ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

M&A Insurance Broker

Investigating a sophisticated email business compromise attack on an insurance provider

The Incident

Summary

The Investigation

Summary

Our Recommendations

Cookie	Duration	Description
_ce.cch	session	Description is currently not available.
_ce.clock_data	1 day	Description is currently not available.
_ce.clock_event	1 day	Description is currently not available.
_ce.irv	session	Description is currently not available.
_ce.s	1 year	Description is currently not available.
_CEFT	1 year	No description available.
_cfuvid	session	Description is currently not available.
_okck	less than a minute	Description is currently not available.
_okcs	session	Description is currently not available.
cebsp_	session	Description is currently not available.