The FBI has urged organizations to be on high alert for business email compromise (BEC) attempts, after revealing that the cybercrime category has amassed tens of billions of dollars for threat actors over the past decade.
BEC is a form of pretexting – a type of social engineering where individuals are usually tricked into making large money transfers to a fraudster posing as a legitimate entity such as a supplier. On other occasions, the scammer impersonates a CEO or CFO and uses their authority to demand a finance team member make a wire transfer.
The threat actor often compromises email accounts and monitors messages from legitimate entities in order to make their requests sound more realistic.
The FBI’s Internet Crime Complaint Center (IC3) claimed in a notice yesterday that BEC cost US and global organizations nearly $55.5bn between October 2013 and December 2023, on the back of over 305,000 incidents.
It said that, over this 10-year period, there have been 158,436 US victims and 6545 victims from outside the country.
Part 1
Business Email Compromise (BEC) is redirecting a payment to where you need it, using access to the corporation's email.
Basic concepts
There are two types of payments in corporations:
- Outgoing, they are called Account Payable (AP)
- Incoming, they are called Account Receivable (AR).
It is important to understand that our goal is not to initiate a payment, but to forward it by replacing the bank details. Initiation is also possible, but it is more difficult and works in fewer cases.
If we want to forward AR, we will need a bank account for the same (this is important) company name, but in a different bank. To find out this data, we need a document - either an Invoice or Wire Instructions. They are usually easy to find.
But if we forward AP, we will need a new account for the counterparty to whom the money will go.
Hierarchy in corporations
To understand how to forward payments, you need to understand who is responsible for them.
- Chief Financial Officer (CFO) - the main boss for payments; in large corporations he usually does not deal directly with payments. In small companies, where the finance department has up to 5 people, he can send payments himself.
- Controller - subordinate to the CFO, usually in medium and large companies. In medium-sized companies he sends payments himself; in large ones he usually does not.
- Account payable - a lower-level clerk who deals with outgoing payments.
- Account receivable - a lower-level clerk who deals with incoming payments.
Intelligence algorithm
We find employees who deal with payments.
Methods:
- We look for the mail groups AP, AR, Payments; they will contain the employees' emails.
- We search the corporation's website, Google, Zoominfo, RocketReach.
Next, we look for AR and AP debts. Often they circulate in the form of Excel tables; if these are not available, look at payment orders and/or invoices.
In some companies the large amounts are in AR, in others in AP, and in some in both.
We choose which direction (AP or AR) we will change and who it will be (the corp itself or the counterparty).
Now it's time to study how the process of changing the details is carried out.
In small companies, this can be just a letter, or a letter with a call.
Sometimes this can be done by giving instructions from a senior to a junior employee. There are many options, it is impossible to describe them all.
Option 1: if we find out that Account Payable is doing this, then we make a fake letter from the counterparty's CFO to our CFO, and he gives instructions to Account Payable in the form of a forwarded letter. Here we must be careful so that Account Payable does not write to the counterparty directly.
Part 2
Option 2: we create an email address for the counterparty and write from it. We can do this from the counterparty's domain (spoofing), or from a domain similar to the counterparty's.
Now it's time to work with filters. If we have admin access, we can make a filter for outgoing emails so that counterparties do not receive letters from the corporation. If there is no such access, we hope for luck.
It is also necessary to make an incoming filter so that letters from the counterparty do not land in the inbox but in another folder. At this time we are already monitoring the target email all day long, manually checking letters from the counterparty; if there is nothing of the kind, we manually drag them to the inbox.
After all, all the emails are live; one extra movement and all the work goes down the drain.
Be careful with email forwarding. Forwarding is usually monitored by the admin; if you do not know how the admin panel works, it is better not to mess with the forwarder.
You can pin emails. This is not hacker pinning with Cobalt Strike; it works like this: find trusted emails with whom the person corresponds, and make a similar email. It is better if this dialog contains some files. Next, you wedge into the dialog and save the info. If you lose access to the mailbox, you can initiate the dialog again - for example, say "is this table the correct option?" and give access to the table via a link so that the person enters the mailbox data, and as a result the table is there.
Conclusions
Redirecting payments does not always work. It is very important to be patient and wait for a good moment. For example, when a company for some reason wants to change its bank account to another. On the other hand, if you just wait, you will not redirect anything. There you already need to look at the situation, and this will only come with experience. Experience is hundreds of thousands that you will lose due to mistakes. But with each mistake, the skill will grow. A good BEC allows you to send payments for weeks, or receive a dozen payments from one substitution.
In some corporations, BEC is impossible due to the algorithm for changing the details, but what kind of algorithm that is lies beyond the scope of this post.
Bonus track
You found an email where a company changed its bank account details a week or two ago. Missed the chance? Nope. There is such a procedure as recalling a letter. Ask to recall the letter with the data as incorrect and write a correct one with your data. Be prepared to make a call or accept a call, maybe even several. If you do everything correctly, the payments will go where you need them.
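A defender-side check that corresponds to the filter tradecraft described in Part 2 (parking counterparty mail in a folder nobody reads, marking it read, external auto-forwarding): it reviews exported mailbox rules and reports the ones worth a second look. This is an added example, not part of the forum post; the record layout, field names, folder list and domains are constructed for illustration and do not follow any vendor's real schema.

```python
import re

# Constructed export of per-user mailbox rules (field names are an assumption
# made for this example, not a real mail platform's schema).
CONSTRUCTED_RULES = [
    {"user": "ap-clerk@corp.example", "name": "Vendor invoices",
     "from_contains": "billing@vendor.example", "move_to": "RSS Feeds",
     "mark_read": True, "forward_to": None},
    {"user": "ap-clerk@corp.example", "name": "Newsletter",
     "from_contains": "news@marketing.example", "move_to": "Newsletters",
     "mark_read": False, "forward_to": None},
    {"user": "controller@corp.example", "name": "Sync", "from_contains": "",
     "move_to": None, "mark_read": False,
     "forward_to": "controller.corp@freemail.example"},
    {"user": "ar-clerk@corp.example", "name": "Customer remits",
     "from_contains": "@customer.example", "move_to": "Inbox",
     "mark_read": False, "forward_to": None},
]

INTERNAL_DOMAINS = {"corp.example"}                       # constructed
COUNTERPARTY_DOMAINS = {"vendor.example", "customer.example"}  # constructed
# Folders users rarely open; a rule that parks mail here effectively hides it.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                "junk email", "conversation history"}

def sender_domain(pattern):
    """Return the lower-cased domain of an address-like pattern, or '' if none."""
    m = re.search(r"@([\w.-]+)$", pattern or "")
    return m.group(1).lower() if m else ""

def review_rule(rule):
    """Return the reasons this rule resembles BEC mailbox tampering (empty if none)."""
    reasons = []
    dom = sender_domain(rule.get("from_contains"))
    folder = (rule.get("move_to") or "").lower()
    if dom in COUNTERPARTY_DOMAINS and folder and folder != "inbox":
        reasons.append(f"moves mail from counterparty {dom} to '{rule['move_to']}'")
    if folder in HIDE_FOLDERS:
        reasons.append(f"target folder '{rule['move_to']}' is rarely read")
    if rule.get("mark_read"):
        reasons.append("marks incoming mail as read")
    fwd = rule.get("forward_to")
    if fwd and sender_domain(fwd) not in INTERNAL_DOMAINS:
        reasons.append(f"auto-forwards to external address {fwd}")
    return reasons

def find_suspicious(rules):
    """Map user -> {rule name: reasons} for every rule that raised at least one reason."""
    out = {}
    for r in rules:
        reasons = review_rule(r)
        if reasons:
            out.setdefault(r["user"], {})[r["name"]] = reasons
    return out

if __name__ == "__main__":
    for user, rules in find_suspicious(CONSTRUCTED_RULES).items():
        for name, reasons in rules.items():
            print(f"{user}: rule '{name}': " + "; ".join(reasons))
```

Pair this with the sender-side controls the post itself assumes will catch it: alerting on new auto-forward rules and on any rule whose destination is a folder from the hide list.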