Partner Perspectives
3/29/2018 09:00 AM
David Holmes
Deconstructing a Business Email Compromise Attack

How a tech-savvy New Jersey couple outwitted a German hacker group and saved their home and life savings.

Debbie Walkowski contributed to this article. 

When Tina Brown and Phil Demarco decided to sell their home in New Jersey and purchase a new home in Colorado last December, the last thing they expected was to receive a phony email from their realtor instructing them how and where to wire-transfer the closing funds.

Brown and Demarco were lucky. Their suspicions raised, they called their realtor, who told them she had sent no such email. The couple immediately notified the title company of the fraud.  

In this case, timing and some healthy skepticism saved Brown and Demarco from what is commonly known as a business email compromise (BEC) attack. The attackers tried to pull off their scam a few days too early: the New Jersey sale hadn't closed yet. Had it closed the day the couple forwarded the wiring instructions to the title company, they would have lost everything.

"The scary part is how convincing the email was because it consisted of a carefully crafted thread of emails back and forth between our loan officer, title company, and our realtor," said Brown. "And all of the names, addresses, phone numbers, and signature blocks were correct. Of course, as it turned out, the messages were all fake."

How Scammers Are Succeeding
To pull off this type of scam, scammers need information about a pending real estate sale. They often get it by breaking into the email account of one or more of the parties involved. When attackers can’t break into email accounts, they spoof email addresses instead. Being technically savvy consumers, Brown and Demarco did some digging and discovered the scammers had used one of many questionable online email services — in their case, one run by a group of hackers in Germany — to impersonate all parties involved and make the emails untraceable.

Scammers often make their emails more convincing by either phishing the intended victim first, or adding details gathered from syndicated real estate websites that include information about a property from the multiple listing services and social media sites. If scammers don’t know the exact closing date of a real estate deal, no problem. It’s typically 30-45 days after the buyer has accepted an offer, and that’s easy for scammers to determine if they’re monitoring a property.

How Widespread and Impactful Is It?
Despite many regional and national news outlets covering BEC attacks, the problem seems to be growing. Brown and Demarco's realtor, Christine Miller, said, "We had heard about it but hadn't experienced it. Now, suddenly it's gotten really bad."

An attorney for the Colorado Association of Realtors agreed, explaining that the emails are more convincing now with their involved conversation threads and personalized details. They also have far fewer of the telltale grammar and spelling errors we have come to expect in email scams. Miller adds, "We're informing all our clients of this scam and ensuring they understand that we never send wire instructions by email, nor does the title company."

This particular home-buying scam is just one variant of BEC, which can include any scam targeting businesses that regularly perform wire transfer payments. The Internet Crime Complaint Center (IC3), a multi-agency task force that includes the FBI, has been tracking all types of BEC scams since 2013. In the US and internationally between October 2013 and December 2016, there were over 40,000 incidents that totaled $5.3 billion in "exposed dollar loss" — that is, dollars actually stolen plus dollars the attackers attempted to steal.

Steps to Defend Against BEC 
Real estate firms and title companies, at the very least, should warn their clients of the prevalence and sophistication of this scam and advise clients to be on the lookout for it. Additionally, they can help clients by ensuring they understand the exact closing process, the parties involved, the manner in which they will be contacted, etc. Clients who have any doubts should be encouraged to call the known, legitimate phone numbers of agents and other representatives, especially regarding settlement funds or wire transfers.

In general, all organizations should conduct security awareness training about all types of scams, including email fraud, phishing, social engineering techniques, and malware. Here are a few tips to pass on to users:

  • Scrutinize all email carefully, especially as scammers up their "grammar game" and use social engineering to customize messages for specific victims.
  • Never click on embedded links.
  • Open attachments only when they are requested or expected.
  • Beware of email messages that include statements of urgency, content that seems out of character for the sender, or restrictive instructions such as "reply only to this email."
  • Never click "Reply" when in doubt about the legitimacy of an email. Instead, use "Forward" and type the recipient’s known, legitimate email address in the To: field.
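The tips above are things a person checks by eye; the same indicators can be checked mechanically before a message reaches a client's inbox. The following is an added example (not code from the article or from F5) that scores an email on three signals the article describes: a Reply-To that points away from the sender's domain, a display name that matches a known party but comes from a lookalike domain, and wire-transfer wording paired with urgency cues such as "reply only to this email". The contact directory, the keyword lists and the two sample messages are constructed for illustration.

```python
"""Flag common business email compromise (BEC) indicators in an email.

Added example, not part of the original article. The contact directory,
the keyword lists and the sample messages below are all constructed.
"""
import email
from email.message import Message
from email.utils import parseaddr

# Constructed directory of legitimate parties in the transaction:
# display name -> the domain their real address uses.
KNOWN_CONTACTS = {
    "Christine Miller": "example-realty.com",
    "Closing Team": "example-title.com",
}

# Constructed keyword lists; a production filter would use a richer set.
URGENCY_TERMS = ("immediately", "urgent", "today", "asap", "reply only to this email")
WIRE_TERMS = ("wire", "wiring instructions", "routing number", "account number")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Extract the plain-text body (single-part or multipart messages)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def bec_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Reply-To routes replies to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to domain mismatch: {from_domain} vs {domain_of(reply_addr)}")

    # 2. Display name matches a known party, but the address is not from that party's domain.
    expected = KNOWN_CONTACTS.get(from_name.strip())
    if expected and from_domain != expected:
        findings.append(f"display name '{from_name}' expected @{expected}, got @{from_domain}")

    # 3. Wire-transfer instructions combined with pressure to act quickly.
    text = body_text(msg).lower()
    wire_hits = [t for t in WIRE_TERMS if t in text]
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    if wire_hits and urgency_hits:
        findings.append(f"wire-transfer language with urgency cues: {wire_hits + urgency_hits}")
    return findings


# Constructed sample messages: a spoofed one and a legitimate one.
SPOOFED = """\
From: Christine Miller <christine.miller@example-realty-closing.com>
Reply-To: closing-docs@mail-relay.example.net
To: buyer@example.org
Subject: Updated wiring instructions for closing

Please wire the closing funds today using the attached routing number and account number.
Reply only to this email.
"""

LEGIT = """\
From: Christine Miller <christine.miller@example-realty.com>
To: buyer@example.org
Subject: Closing date confirmed

Closing is confirmed for Friday. Call our office with any questions.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, bec_indicators(raw))
```

The spoofed sample trips all three checks; the legitimate one trips none. The second check is the one that encodes the article's advice about known, legitimate contact details: a directory of the real parties and their domains lets the filter notice a lookalike address even when the display name, signature block and thread history look right.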

Fortunately, this story had a happy ending for Brown and Demarco, but for many others it does not. With this particular scam, timing is everything. Potential victims should immediately contact the financial institution handling the wire transfer. In addition, they should report the crime to the FBI, and file a complaint with the Internet Crime Complaint Center and the Federal Trade Commission.

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ...