Shane Shook

BEC, Domain Jacking Help Criminals Disrupt Cash Transfers

The two hacking methods occur independently but are being used in concert to steal funds that are part of online payments and transactions.

Spoofed emails and bogus domains allowed bad actors to intercept a $1 million cash transfer between a Chinese venture capitalist and an Israeli startup, Vice recently reported. Rather than a one-off, the scenario could easily recur any time two parties exchange money, even when experienced users who think they're protected are involved.

These attacks are done by tricking the paying party into sending the money to an account that appears to be the payee but is not. This should grab the attention of investors, who should always take precautions particularly during significant transactions. A few things to ask before completing a money transfer:

  • Do I really know who I'm sending money to?
  • How do I know?
  • What should I do to protect myself?

Know Your Customer
Business email compromise (BEC) and "domain jacking" are popular methods used by hackers to hijack unwary users. The two methods occur independently, but in recent years have been used in concert to achieve financial fraud in supply chain and vendor payments, customer refunds, foreign exchange currency accounts management, and investment transactions. When money changes hands between counterparties, it is important to know who they (all) are.

In recent years, BEC gangs have taken advantage of social trust engendered by frequent electronic interactions by focusing on related third-parties and using compromised services to interleave or wholly redirect communications between target counterparties of financial transactions. This has led to more than $26 billion in estimated losses from BEC fraud since 2016, according to FBI statistics.

When people think of BEC, they commonly mistake the cybercriminal's interest as merely intending to cause information loss from the email target. However, learning who the target communicates with, and how often (the "social graph"), is more valuable to cybercriminals. The social graph is determined by analyzing the frequency of correspondence between victim companies and their customers, investors, service providers, suppliers, and even family and friends. The endgame: compromise a victim's entire network.

BEC may include compromise of the victim's email services. More sophisticated cybercriminals avoid this tack since that only gives them limited control over the configuration of a system owned by a victim. Thus, they risk leaving evidence for investigators to discover who the criminals are. That's why they have also shifted away from domain-changing malware that changes the lookup for related Internet addresses on a computer (or mobile phone), and instead prefer attacks on the routing architecture that businesses and even home or mobile users rely upon.

More often, though, sophisticated cybercriminals will combine social graph analysis with engineered domain information to perform "brandjacking" or "typosquatting": simple modifications to the domain names used by common correspondents in business emails. Some are obvious, such as an extra letter or a different top-level domain (.co rather than .com, for example). Some are less obvious, such as a modified character set that is not visibly different to a human but is processed differently by a computer.

Can you spot the differences in these addresses? Would you spot them every time?
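As an added illustration, not part of the original article, the following defender-side check normalises a sender's domain (punycode decoding, Unicode normalisation, and a table of look-alike characters) and compares it with an allow-list of known counterparty domains, flagging homoglyph twins, swapped top-level domains and one-letter typos for human review. The domain names and the confusables table are constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list: the domains of counterparties the payor really corresponds with.
TRUSTED_DOMAINS = {"example-capital.com", "startup-example.io"}

# Constructed table of look-alike characters mapped to the ASCII letter they imitate.
# A production check would use the full Unicode confusables data; the mechanism is the same.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u03b1": "a", "\u03bf": "o",                                              # Greek α ο
    "1": "l", "0": "o",                                                        # digits standing in for letters
}

def skeleton(domain: str) -> str:
    """Reduce a domain to an ASCII 'skeleton' so visually identical names compare equal."""
    try:
        domain = domain.encode("ascii").decode("idna")  # decode punycode (xn--) labels to Unicode
    except UnicodeError:
        pass  # already contains non-ASCII characters, so there is nothing to decode
    domain = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return (verdict, trusted_domain) with verdict 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted", domain
    sk = skeleton(domain)
    name, _, tld = sk.rpartition(".")
    for t in trusted:
        t_sk = skeleton(t)
        t_name, _, t_tld = t_sk.rpartition(".")
        if sk == t_sk:  # homoglyph or punycode twin of a trusted domain
            return "lookalike", t
        if name == t_name and tld != t_tld:  # same name under a swapped TLD (.co vs .com)
            return "lookalike", t
        if SequenceMatcher(None, sk, t_sk).ratio() >= threshold:  # one-letter insertion or typo
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    # Constructed sender addresses: one genuine, the others look-alikes of a trusted domain.
    punycode_twin = "cfo@" + "ex\u0430mple-capital.com".encode("idna").decode("ascii")
    for addr in ("cfo@example-capital.com", "cfo@ex\u0430mple-capital.com", punycode_twin,
                 "cfo@example-capital.co", "cfo@exampple-capital.com", "ap@totally-unrelated.org"):
        print(f"{addr:48} -> {classify_sender(addr)}")
```

A "lookalike" verdict is a prompt to verify the counterparty out of band, not proof of fraud; the threshold trades missed twins against false alarms and should be tuned on the organisation's own correspondence.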

Cybercriminals Are Anti-Social
The reason that domain jacking has been used in concert with social graph analysis from BEC is that today's cybercriminals have realized the power of identity. By following the interactions of correspondents, they can choose when and how to use man-in-the-middle (MITM) attacks with maximum effect by impersonating rather than merely intercepting messages. Cybercriminals can interdict common messaging between participants with social references that are familiar from past communications or from public information sources. Thus, by promoting focus on the message, they can obscure indicators that might otherwise tip off a message recipient to an impersonated email address.

Financial transactions are particularly vulnerable to social engineering through these concerted BEC and MITM activities, as they include traits like an established relationship of trust between two parties; regular or typical correspondence between the parties; and defined expectations (and intent) of time and actions by each.

Trust is developed between parties in financial transactions principally on the basis of identity and repetitive correspondence. However, our social nature leads to anti-social opportunities that, after all, are characteristic of cybercriminals.

When a payee account number change is requested by a supplier who has frequent email communication with the payor, the payor is more likely to request verification (if at all) by email than by other means. When significant transactions occur, such as investments, the transactions are negotiated over time and with social clues that the counterparties develop, which cybercriminals can mimic to take advantage of the transaction and redirect the funds.

Trust, But Verify
There are several precautions you can take to protect your information:

  • Keep your computer and phone software updated and run antivirus scans regularly.
  • Use email, domain, and CASB filtering and monitoring services.
  • Use multi-factor authentication with email, social, and financial services accounts.
  • Use encrypted messaging services such as Slack or Signal rather than email for social or developmental correspondence.
  • Don't use the same Internet browser for financial transactions that you do for other purposes. Use a single-session virtual instance or application isolation.
  • Monitor or periodically audit your social profile on the Internet to see who might be lurking in your "friends" at one degree of separation from your actual friends.
  • Conduct physical audits during transactions and related negotiations.
  • Always verify all participants in conference calls or Web meeting rooms.
  • During transactions, audit KYC details of the payee with their financial institution.
  • Remember that the details of your identity, particularly your history and your social graph, are what's most valuable to a hacker.

Hacking for BEC and MITM as well as other purposes will continue. Those activities are too easy to perform because too many (technical and social) vulnerabilities exist. Combating these activities essentially begins with accepting this truth. 

Given our reliance on technology, we need to manage technology as we would our other social situations and verify who we are talking with, when, where, and why. Email filters such as "Impersonation Protection," SPF, and DKIM are useful and even essential technologies, but they are subject to these evolving BEC techniques. So just as we'd do when passing a secret (or cash) to a friend, verify that it's really the person they claim to be.


Shane Shook, PhD. is a recognized veteran of information technology and security consulting. An author, trainer and expert witness in cybercrime investigations, Dr. Shook works with the team at Forgepoint Capital while also serving as an advisor to several companies in the ...
