Page 122 - Cyber Defense eMagazine September 2023
works for. It isn't difficult for a cybercriminal to obtain such data and use it against the victim and his or her colleagues, since many employees openly publish information about themselves in blogs and on social networks: for instance, they reveal where they work, what their position in the company is, where they are going on vacation, and so on. However, data on an organization's executives, such as email addresses and business trip dates, is even more valuable to intruders. Malicious actors are also extremely interested in details of a company's payments and accounts. If intruders have access to such data, it is much easier for them to deceive, for example, a chief accountant and persuade that employee to transfer money to a fake account.
To carry out an attack, an intruder can hack the email of an organization or of its contractor. After reading the correspondence, the intruder continues it as if nothing had happened, using the information obtained for their own malicious purposes. But cybercriminals do not always send emails from the hacked mailbox; they can instead register a phishing domain that looks like the original one and continue the correspondence from there. For instance, they can create a mailbox on the @serchincom.com domain instead of @searchincom.com. This method of spoofing is called typosquatting: malicious actors use the company's domain name with an erroneous spelling.
In 2019, with the help of this technique, malicious actors managed to steal $1 mln from a Chinese venture fund that planned to invest in an Israeli start-up. Cybercriminals intercepted the correspondence between the two companies and sent messages to the fund's representatives on behalf of start-up employees, and vice versa. To carry out the attack, the intruders used fake domains that differed from the original ones by only one letter, added to the end of the domain name.
The popularity of this type of attack may be explained by the simplicity and speed of its implementation. According to a recent survey by Microsoft Security Intelligence, the whole process, from the first login to the deletion of the sent message, can be performed within 2 hours. It should be mentioned that intruders manage to gain significant financial benefits or achieve other aims, for instance, obtaining access to the infrastructure or to confidential data.
Recently, intruders have started to use BEC attacks to steal physical assets (for instance, goods). A sugar supplier was nearly affected by such an attack. In the correspondence, the intruder asked for a truck to be sent to a certain address on credit. However, an employee of the sugar supplier noticed a mistake: an extra letter had been added to the sender's email address. The employee got in touch with a representative of the company on whose behalf the letter had been sent, to make sure that the sender really was a staff member of that company. The reply was negative. Thanks to the employee's attentiveness, the cybercriminal did not manage to steal the product.
It is crucial to check the sender's email address attentively. What's more, forged emails often contain a few mistakes. If an email is suspicious, it is useful to get in touch with a representative of the company on whose behalf the email was sent and make sure that their employee really sent it. But make sure to contact the representative via a legitimate and verified channel, not by replying to the suspicious email. For instance, you can call the head office and find out whether the email sender really works for the company and whether he or she sent the letter.
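The manual check described above (compare the sender's domain with the domain you actually do business with, letter by letter) can also be automated at the mail gateway or in a mailbox rule. The following is an added example written for this page, not code from Cyber Defense Magazine or from any vendor it mentions: it takes a From: header, extracts the domain, and flags it as a lookalike when it is within one edit (a letter added, dropped or swapped, as in the @serchincom.com / @searchincom.com case and the one-letter-appended domains of the 2019 incident) of a domain on a trusted list. The trusted list and the sample headers are constructed for the example; the only real domain in it is the page's own searchincom.com illustration.

```python
from email.utils import parseaddr

# Constructed (assumption): the partner and internal domains this organisation
# legitimately exchanges mail with. In practice this comes from the address book
# or the vendor master record, never from the incoming mail itself.
TRUSTED_DOMAINS = {"searchincom.com", "partner-fund.example", "startup.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str):
    """Return the lower-cased domain of the address in a From: header, or None.

    parseaddr() discards the display name, so 'CFO <x@evil.example>' yields
    evil.example rather than whatever name the sender chose to show.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Classify a From: header as trusted, lookalike, unknown or malformed.

    Returns ("trusted", domain), ("lookalike", (domain, nearest_trusted)),
    ("unknown", domain) or ("malformed", header_value).
    """
    domain = sender_domain(header_value)
    if domain is None:
        return ("malformed", header_value)
    if domain in trusted:
        return ("trusted", domain)
    for candidate in sorted(trusted):
        if levenshtein(domain, candidate) <= max_distance:
            return ("lookalike", (domain, candidate))
    return ("unknown", domain)


def flag_lookalikes(from_headers):
    """Return the (header, nearest_trusted) pairs that should go to a human for out-of-band verification."""
    flagged = []
    for header in from_headers:
        verdict, detail = classify_sender(header)
        if verdict == "lookalike":
            flagged.append((header, detail[1]))
    return flagged


# Constructed sample From: headers (assumption): one genuine partner address,
# one missing-letter lookalike, one appended-letter lookalike, one unrelated sender.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@searchincom.com>",
    "Jane Doe <jane.doe@serchincom.com>",
    "Accounts <billing@startup.examplee>",
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header, nearest in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"VERIFY OUT OF BAND: {header!r} resembles trusted domain {nearest}")
```

A distance of 1 catches the cases in this article; raising `max_distance` catches more creative spellings at the cost of more false positives, so tune it against your own partner list. The verdict is a prompt for the phone call the article recommends, not a replacement for it: a lookalike hit means "do not reply, call the head office on the number you already have".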
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.