Description

The town of Arlington, Massachusetts, discovered firsthand how well-organized cybercriminal groups on the other side of the world can steal money from unsuspecting victims. On June 5, 2024, the Town Manager published a letter to the community outlining how the municipality had fallen victim to a business email compromise (BEC) attack in which more than $445,000 was diverted to an account controlled by the threat actors. The town was building a new high school for the area. In September of 2023, town employees began receiving legitimate emails from one of the vendors involved in the construction project to discuss issues with payment processing. Unfortunately, many of the town's email accounts had already been compromised, and the threat actors learned of the requested action. They then impersonated the vendor using an email sent from a domain that appeared genuine at first glance and requested a change in payment method from check to electronic funds transfer. A series of four monthly payments totaling $445,000 were made to the threat actors' account before the vendor contacted the town about its non-payment status, revealing the successful BEC attack.

Identify Indicators of Compromise (IoC)

Upon being contacted by the vendor, town officials promptly launched an investigation, which revealed that threat actor activity had occurred in the town’s Microsoft environment between September 12, 2023, and January 30, 2024. The cybercriminals had managed to compromise multiple user accounts and began monitoring email activity. To aid the attack, they created inbox rules to control, hide, and even delete incoming messages of designated accounts, thereby manipulating the information accessible to these users. Forensic investigators also uncovered additional attempts by the threat actors to intercept wire payments, which totaled an estimated $5 million during that time. Fortunately, none of these attempts were successful.
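The inbox rules described above (delete, hide, or forward mail that mentions payments) are recorded as New-InboxRule and Set-InboxRule events in the Microsoft 365 unified audit log, and a defender can triage an export of those events for BEC tradecraft. The following is an added example, not code from the original article or from the town's investigation; the audit record layout is simplified, the internal domain example-town.gov and the sample records are constructed, and the folder and keyword lists are assumptions you would tune to your environment.

```python
"""Flag suspicious Exchange Online inbox-rule events in a Microsoft 365 audit log export."""
import json

# Folders commonly used to hide mail, and terms tied to payment fraud (assumed lists).
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive", "deleted items"}
PAYMENT_TERMS = {"invoice", "payment", "wire", "ach", "remit", "bank", "routing"}
INTERNAL_DOMAINS = {"example-town.gov"}  # assumption: the organisation's own mail domains

def _params(record):
    """Flatten the record's Parameters list (Name/Value pairs) into a lowercase-keyed dict."""
    return {p["Name"].lower(): str(p["Value"]) for p in record.get("Parameters", [])}

def _external(addresses):
    """Return recipients whose domain is not one of the organisation's own."""
    return [a.strip() for a in addresses.replace(";", ",").split(",")
            if a.strip() and a.strip().split("@")[-1].lower() not in INTERNAL_DOMAINS]

def score_inbox_rule(record):
    """Return the reasons a New-/Set-InboxRule event looks like BEC tradecraft (empty if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p, reasons = _params(record), []
    if p.get("deletemessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if p.get("movetofolder", "").lower() in HIDDEN_FOLDERS:
        reasons.append(f"rule moves mail to {p['movetofolder']!r}")
    for key in ("forwardto", "forwardasattachmentto", "redirectto"):
        if ext := _external(p.get(key, "")):
            reasons.append(f"{key} sends mail outside the organisation: {ext}")
    words = p.get("subjectorbodycontainswords", "") + ";" + p.get("subjectcontainswords", "")
    if hits := PAYMENT_TERMS & {w.strip().lower() for w in words.split(";")}:
        reasons.append(f"filter targets payment language: {sorted(hits)}")
    if p.get("markasread", "").lower() == "true" and reasons:
        reasons.append("rule also marks mail as read, hiding new-message indicators")
    return reasons

def triage(audit_lines):
    """Parse newline-delimited JSON audit records and return one finding per suspicious rule."""
    findings = []
    for line in audit_lines.strip().splitlines():
        rec = json.loads(line)
        if reasons := score_inbox_rule(rec):
            findings.append({"user": rec["UserId"], "rule": _params(rec).get("name"), "reasons": reasons})
    return findings

# Constructed sample records shaped like Exchange Online audit entries (not real data).
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"ap-clerk@example-town.gov","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"ap-clerk@example-town.gov","Parameters":[{"Name":"Name","Value":"newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-InboxRule","UserId":"finance-dir@example-town.gov","Parameters":[{"Name":"Name","Value":"fwd"},{"Name":"ForwardTo","Value":"collector@attacker.example"},{"Name":"SubjectContainsWords","Value":"ACH"}]}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["user"], f["rule"], *f["reasons"], sep="\n  ")
```

Running it against the constructed log reports the delete-and-hide rule on the accounts-payable mailbox and the external forward on the finance director's mailbox, and skips the benign newsletter rule.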

Actions Taken

The town took immediate action after discovering the attack. They contacted law enforcement and their banking institution, brought in a forensics team, and retained the services of a breach coach. The IT department disconnected systems from the network, required a password change for all users, and enabled multi-factor authentication (MFA) for key personnel. To protect against future attacks, the town is expanding its MFA program to all users and mandating cybersecurity training for all staff, funded by a cybersecurity grant they applied for.

Prevention

Implementing multi-factor authentication from the start would have gone a long way toward preventing the attack. Passwords alone are too easily compromised, aggregated, and shared within the dark web community. At the very least, MFA should be implemented for all privileged users working in departments such as finance, HR, IT, and others that handle sensitive information. While MFA using SMS messaging is highly popular, more secure solutions use dedicated authenticator apps.

It is crucial to have an email security solution in place that can detect spoofed domains, analyze sender reputation, and identify anomalies in email communication patterns. These advanced tools could have flagged the impersonation attempts by the attackers. Unfortunately, such tools are rarely included in basic cloud-based email subscriptions, necessitating additional licensing or the acquisition of a third-party solution.

Organizations should have established verification procedures for any change to payment instructions or wire transfer requests, especially those pressed with urgency or deadlines. Requests should be validated by calling a pre-established phone number or by holding a remote conference meeting with video. There should also be segregation of duties between the individuals who initiate and those who approve wire transfers, so that the compromise of a single account cannot authorize fraudulent payments.
