3/29/2018 09:00 AM
David Holmes
Deconstructing a Business Email Compromise Attack

How a tech-savvy New Jersey couple outwitted a German hacker group and saved their home and life savings.

Debbie Walkowski contributed to this article. 

When Tina Brown and Phil Demarco decided to sell their home in New Jersey and purchase a new home in Colorado last December, the last thing they expected was to receive a phony email from their realtor instructing them how and where to wire-transfer the closing funds.

Brown and Demarco were lucky. Their suspicions raised, they called their realtor, who told them she had sent no such email. The couple immediately notified the title company of the fraud.  

In this case, timing and some healthy skepticism saved Brown and Demarco from what is commonly known as a business email compromise (BEC) attack. The attackers tried to pull off their scam a few days too early, before the New Jersey sale had closed. Had it closed the day the couple forwarded the wiring instructions to the title company, they would have lost everything.

"The scary part is how convincing the email was because it consisted of a carefully crafted thread of emails back and forth between our loan officer, title company, and our realtor," said Brown. "And all of the names, addresses, phone numbers, and signature blocks were correct. Of course, as it turned out, the messages were all fake."

How Scammers Are Succeeding
To pull off this type of scam, scammers need information about a pending real estate sale. They often get it by breaking into the email account of one or more of the parties involved. When attackers can’t break into email accounts, they spoof email addresses instead. Being technically savvy consumers, Brown and Demarco did some digging and discovered the scammers had used one of many questionable online email services — in their case, one run by a group of hackers in Germany — to impersonate all parties involved and make the emails untraceable.

Scammers often make their emails more convincing by either phishing the intended victim first, or adding details gathered from syndicated real estate websites that include information about a property from the multiple listing services and social media sites. If scammers don’t know the exact closing date of a real estate deal, no problem. It’s typically 30-45 days after the buyer has accepted an offer, and that’s easy for scammers to determine if they’re monitoring a property.

How Widespread and Impactful Is It?
Despite many regional and national news outlets covering BEC attacks, the problem seems to be growing. Brown and Demarco's realtor, Christine Miller, said, "We had heard about it but hadn't experienced it. Now, suddenly it's gotten really bad."

An attorney for the Colorado Association of Realtors agreed, explaining that the emails are more convincing now, with their involved conversation threads and personalized details. They also have far fewer of the telltale grammar and spelling errors we have come to expect in email scams. Miller adds, "We're informing all our clients of this scam and ensuring they understand that we never send wire instructions by email, nor does the title company."

This particular home-buying scam is just one variant of BEC, which can include any scam targeting businesses that regularly perform wire transfer payments. The Internet Crime Complaint Center (IC3), a multi-agency task force that includes the FBI, has been tracking all types of BEC scams since 2013. In the US and internationally between October 2013 and December 2016, there were over 40,000 incidents that totaled $5.3 billion in "exposed dollar loss" — that is, dollars actually stolen plus dollars the scammers attempted to steal.

Steps to Defend Against BEC
Real estate firms and title companies, at the very least, should warn their clients of the prevalence and sophistication of this scam and advise clients to be on the lookout for it. Additionally, they can help clients by ensuring they understand the exact closing process, the parties involved, the manner in which they will be contacted, etc. Clients who have any doubts should be encouraged to call the known, legitimate phone numbers of agents and other representatives, especially regarding settlement funds or wire transfers.

In general, all organizations should conduct security awareness training about all types of scams, including email fraud, phishing, social engineering techniques, and malware. Here are a few tips to pass on to users:

  • Scrutinize all email carefully, especially as scammers up their "grammar game" and use social engineering to customize messages for specific victims.
  • Never click on embedded links.
  • Open attachments only when they are requested or expected.
  • Beware of email messages that include statements of urgency, content that seems out of character for the sender, or restrictive instructions such as "reply only to this email."
  • Never click "Reply" when in doubt about the legitimacy of an email. Instead, use "Forward" and type the recipient’s known, legitimate email address in the To: field.
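A defender-side way to put these tips and the earlier description of the scam to work is to triage incoming wire-related email for the indicators the article describes: a display name that matches a known closing participant but an address that does not, a Reply-To or Return-Path on a different domain than the visible From address, failed SPF/DKIM/DMARC results stamped by the receiving mail server, and wire-transfer content paired with urgency or "reply only to this email" language. The script below is an added example, not code from the article or from F5; it uses only the Python standard library, and the known-contacts directory, both sample messages and every domain in them are constructed placeholders.

```python
"""Triage a received email for business email compromise (BEC) indicators.

Added example (not from the article). Standard library only. The
KNOWN_CONTACTS directory and the two sample messages are constructed, and
the domains in them are placeholders.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of legitimate closing participants: display name -> address.
KNOWN_CONTACTS = {
    "Christine Miller": "christine.miller@example-realty.com",
    "Title Desk": "closing@example-title.com",
}

# Phrases the article associates with the scam: urgency or restrictive
# instructions, and wire-transfer content.
URGENCY_PHRASES = ("urgent", "immediately", "today", "reply only to this email", "do not call")
WIRE_PHRASES = ("wire", "wiring instructions", "routing number", "account number")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: the name is a known participant, the address is not.
    expected = KNOWN_CONTACTS.get(display)
    if expected and expected.lower() != from_addr.lower():
        findings.append(("display_name_mismatch",
                         f"'{display}' sent from {from_addr}, expected {expected}"))

    # 2. Replies or bounces routed to a domain other than the visible sender's.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply_to_domain_mismatch",
                         f"Reply-To {reply_to} vs From domain {from_domain}"))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(("return_path_domain_mismatch",
                         f"Return-Path {return_path} vs From domain {from_domain}"))

    # 3. Sender authentication results recorded by the receiving server, if present.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append((f"{mech}_fail", f"{mech.upper()} failed per Authentication-Results"))

    # 4. Wire-transfer content, and urgency or restrictive instructions alongside it.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    content = (str(msg.get("Subject", "")) + "\n" + text).lower()
    wire_hits = [p for p in WIRE_PHRASES if p in content]
    urgency_hits = [p for p in URGENCY_PHRASES if p in content]
    if wire_hits:
        findings.append(("wire_content", ", ".join(wire_hits)))
    if wire_hits and urgency_hits:
        findings.append(("urgency_with_wire", ", ".join(urgency_hits)))
    return findings


# Constructed sample: a spoofed "realtor" message changing the wiring instructions.
FRAUDULENT_SAMPLE = """\
From: Christine Miller <christine.miller@example-realty-closing.net>
Reply-To: closing-desk@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dmarc=fail
Subject: Updated wiring instructions for closing
Content-Type: text/plain; charset="us-ascii"

Hi Tina and Phil,

The title company changed banks. Please wire the closing funds today to the
account below and reply only to this email with the confirmation.

Routing number: 000000000
Account number: 000000000
"""

# Constructed sample: a legitimate message from the same realtor.
LEGITIMATE_SAMPLE = """\
From: Christine Miller <christine.miller@example-realty.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-realty.com; dkim=pass; dmarc=pass
Subject: Closing scheduled for Friday
Content-Type: text/plain; charset="us-ascii"

Hi Tina and Phil,

Closing is confirmed for Friday at 10 AM at the title company office.
The title company will call you at the phone number on file to confirm any payment details.
"""

if __name__ == "__main__":
    for label, sample in (("fraudulent", FRAUDULENT_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, triage(sample))
```

None of these checks is proof of fraud on its own (legitimate mail is sometimes sent through third-party relays), so the findings are meant to route a message for the out-of-band phone verification the article recommends, not to block it automatically. A real deployment would populate the contact directory from the transaction's actual participants rather than a hard-coded dictionary.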

Fortunately, this story had a happy ending for Brown and Demarco, but for many others it does not. With this particular scam, timing is everything. Potential victims should immediately contact the financial institution handling the wire transfer. In addition, they should report the crime to the FBI, and file a complaint with the Internet Crime Complaint Center and the Federal Trade Commission.

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ...