3/29/2018
09:00 AM
David Holmes
Deconstructing a Business Email Compromise Attack

How a tech-savvy New Jersey couple outwitted a German hacker group and saved their home and life savings.

Debbie Walkowski contributed to this article. 

When Tina Brown and Phil Demarco decided to sell their home in New Jersey and purchase a new home in Colorado last December, the last thing they expected was to receive a phony email from their realtor instructing them how and where to wire-transfer the closing funds.

Brown and Demarco were lucky. Their suspicions raised, they called their realtor, who told them she had sent no such email. The couple immediately notified the title company of the fraud.  

In this case, timing and some healthy skepticism saved Brown and Demarco from what is commonly known as a business email compromise (BEC) attack. The attackers tried to pull off their scam a few days too early, before the New Jersey sale had closed. Had it closed on the day the couple forwarded the wiring instructions to the title company, they would have lost everything.

"The scary part is how convincing the email was because it consisted of a carefully crafted thread of emails back and forth between our loan officer, title company, and our realtor," said Brown. "And all of the names, addresses, phone numbers, and signature blocks were correct. Of course, as it turned out, the messages were all fake."

How Scammers Are Succeeding
To pull off this type of scam, scammers need information about a pending real estate sale. They often get it by breaking into the email account of one or more of the parties involved. When attackers can’t break into email accounts, they spoof email addresses instead. Being technically savvy consumers, Brown and Demarco did some digging and discovered the scammers had used one of many questionable online email services — in their case, one run by a group of hackers in Germany — to impersonate all parties involved and make the emails untraceable.

Scammers often make their emails more convincing by either phishing the intended victim first, or adding details gathered from syndicated real estate websites that include information about a property from the multiple listing services and social media sites. If scammers don’t know the exact closing date of a real estate deal, no problem. It’s typically 30-45 days after the buyer has accepted an offer, and that’s easy for scammers to determine if they’re monitoring a property.

How Widespread and Impactful Is It?
Despite many regional and national news outlets covering BEC attacks, the problem seems to be growing. Brown and Demarco’s realtor, Christine Miller, said, "We had heard about it but hadn’t experienced it. Now, suddenly it’s gotten really bad."

An attorney for the Colorado Association of Realtors agreed, explaining that the emails are more convincing now with their involved conversation threads and personalized details. They also have far fewer of the telltale grammar and spelling errors we have come to expect in email scams. Miller adds, "We’re informing all our clients of this scam and ensuring they understand that we never send wire instructions by email, nor does the title company."

This particular home-buying scam is just one variant of BEC, which can include any scam targeting businesses that regularly make wire transfer payments. The Internet Crime Complaint Center (IC3), a multi-agency task force that includes the FBI, has been tracking all types of BEC scams since 2013. In the US and internationally between October 2013 and December 2016, there were over 40,000 incidents that totaled $5.3 billion in "exposed dollar loss" — that is, dollars actually stolen plus dollars the attackers attempted to steal.

Steps to Defend Against BEC 
Real estate firms and title companies, at the very least, should warn their clients of the prevalence and sophistication of this scam and advise clients to be on the lookout for it. Additionally, they can help clients by ensuring they understand the exact closing process, the parties involved, the manner in which they will be contacted, etc. Clients who have any doubts should be encouraged to call the known, legitimate phone numbers of agents and other representatives, especially regarding settlement funds or wire transfers.

In general, all organizations should conduct security awareness training about all types of scams, including email fraud, phishing, social engineering techniques, and malware. Here are a few tips to pass on to users:

  • Scrutinize all email carefully, especially as scammers up their "grammar game" and use social engineering to customize messages for specific victims.
  • Never click on embedded links.
  • Open attachments only when they are requested or expected.
  • Beware of email messages that include statements of urgency, content that seems out of character for the sender, or restrictive instructions such as "reply only to this email."
  • Never click "Reply" when in doubt about the legitimacy of an email. Instead, use "Forward" and type the recipient’s known, legitimate email address in the To: field.

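The warning signs in the tips above (a familiar name on an unfamiliar address, replies routed elsewhere, wire instructions arriving by email, urgency and "reply only to this email") can be checked mechanically before a user ever hits Reply. The following is an added example, not code from the article or from F5; the contact directory, addresses and sample message are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of known contacts (hypothetical addresses, not from the article).
KNOWN_CONTACTS = {"Christine Miller": "cmiller@example-realty.test"}
URGENCY_TERMS = ("urgent", "immediately", "reply only to this email", "do not call")
WIRE_TERMS = ("routing number", "account number", "wire")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    # 1. A familiar display name on an address that is not the one on file
    #    (the address spoofing the article describes).
    expected = KNOWN_CONTACTS.get(from_name.strip())
    if expected and from_addr.lower() != expected.lower():
        findings.append(f"display-name impersonation: {from_name} <{from_addr}>")
    # 2. Replies are routed to a domain other than the one the sender claims.
    if reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch: {reply_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    # 3. Wire instructions in the email body, which the firms in the article never send.
    if all(term in text for term in WIRE_TERMS):
        findings.append("wire instructions in email body")
    # 4. Urgency or restrictive instructions such as "reply only to this email".
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency/restrictive language: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the message the couple in the article received.
PHONY_WIRE_EMAIL = """\
From: Christine Miller <christine.miller@freemail-hosted.test>
Reply-To: closing-desk@another-mail.test
To: buyer@example.test
Subject: Closing funds - wiring instructions

Urgent: please wire the closing funds today.
Routing number 000000000, account number 111111111.
Reply only to this email, do not call the office.
"""
```

Calling `bec_indicators(PHONY_WIRE_EMAIL)` returns all four findings for the constructed message; any non-empty result is the cue to phone the agent at the number already on file rather than reply.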
Fortunately, this story had a happy ending for Brown and Demarco, but for many others it does not. With this particular scam, timing is everything. Potential victims should immediately contact the financial institution handling the wire transfer. In addition, they should report the crime to the FBI, and file a complaint with the Internet Crime Complaint Center and the Federal Trade Commission.

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ...