{"id":6616,"date":"2021-05-18T04:14:21","date_gmt":"2021-05-18T04:14:21","guid":{"rendered":"https:\/\/www.ecsoffice.com\/?p=6616"},"modified":"2022-06-03T21:35:34","modified_gmt":"2022-06-03T21:35:34","slug":"business-email-compromise-attack-and-how-to-prevent-it","status":"publish","type":"post","link":"https:\/\/www.ecsoffice.com\/business-email-compromise-attack-and-how-to-prevent-it\/","title":{"rendered":"Business email compromise (BEC) attack and how to prevent it"},"content":{"rendered":"\r\n
Recently we have seen a rise in the quantity and complexity of email impersonation attacks. This article will review the Business Email Compromise (BEC) attack and the steps you can take to protect your business.<\/p>\r\n\r\n\r\n\r\n
A business email compromise is when a hacker or a malicious actor gains access to an email account that belongs to an employee. After the account is compromised, the hacker can monitor all email communications, send emails, and delete emails (in many cases without the victim’s knowledge).<\/p>\r\n\r\n\r\n\r\n
Business email compromise can occur for a variety of reasons. Here are the most common.<\/p>\r\n\r\n\r\n\r\n
Your company has been doing business with a vendor you trust. The vendor name is Companyllc.com<\/strong>. You just purchased a large order, and it’s time to pay the bill. Your finance department receives an email from Companylc.com<\/span><\/strong> (notice the missing letter<\/strong>) letting them know that billing information has changed. The email looks identical to your recent communications. Billing information is updated.<\/p>\r\n\r\n\r\n\r\n A few days later, you receive an email from Companyllc.com asking for payment. They claim the payment was never received and that they never changed any billing information.<\/p>\r\n\r\n\r\n\r\n You and your vendor have just been the victims of a BEC cousin domain attack.<\/p>\r\n\r\n\r\n\r\n
How the BEC cousin domain exploit occurs:<\/strong><\/h2>\r\n\r\n\r\n\r\n
 At some point in time, hackers obtain access to an email account that belongs to you, your vendor, or any 3rd party that may be CC’d on the invoice. The hacker logs in to the compromised email account, monitors all communications and quietly waits.<\/p>\r\n\r\n\r\n\r\n When a potentially large invoice is due, the hacker registers a domain very similar to the one that is expecting the payment. With the new domain, the hacker proceeds to impersonate the vendor and request a payment method change. Because the name of the hacker’s domain is very similar to your vendor’s, the change can be challenging to notice.<\/p>\r\n\r\n\r\n\r\n Important:<\/strong> <\/strong>With a cousin domain attack, your business may not be the one that is compromised, but you can still be the victim because a vendor or a 3rd<\/sup> party is compromised.<\/p>\r\n\r\n\r\n\r\n
Why hackers compromise business email:<\/strong><\/h2>\r\n\r\n\r\n\r\n
 The typical intention of the attacker is tricking their victims into:<\/p>\r\n\r\n\r\n\r\n
\r\n
How does business email compromise lead to ransomware<\/h2>\r\n\r\n\r\n\r\n
 After the hacker has access to an employee’s email, they can see all the information, details, and communication style for everyone with whom the victim corresponds. The hacker can craft an email that matches the style, design, and information of someone whom the victim respects or sees as an authority. 
With authority and trust, the hacker can trick the victim into installing remote access and ransomware on the network.<\/p>\r\n\r\n\r\n\r\n
Can a business email compromise be detected after the fact?<\/h2>\r\n\r\n\r\n\r\n
 The type of email system the business uses determines what logs are available for post-compromise investigation. For example, if the victim company uses Office 365 for email, detailed logs are kept on user logins, what emails were sent\/received, and from where.<\/p>\r\n\r\n\r\n\r\n
Steps you can take to protect your business<\/strong><\/h2>\r\n\r\n\r\n\r\n
\r\n
\r\n