
Partner Perspectives (sponsored)
3/29/2018 09:00 AM
David Holmes

Deconstructing a Business Email Compromise Attack

How a tech-savvy New Jersey couple outwitted a German hacker group and saved their home and life savings.

Debbie Walkowski contributed to this article. 

When Tina Brown and Phil Demarco decided last December to sell their home in New Jersey and buy a new one in Colorado, the last thing they expected was a phony email from their realtor telling them how and where to wire the closing funds.

Brown and Demarco were lucky. Their suspicions raised, they called their realtor, who told them she had sent no such email. The couple immediately notified the title company of the fraud.  

In this case, timing and some healthy skepticism saved Brown and Demarco from what is commonly known as a business email compromise (BEC) attack. The attackers sent their fraudulent instructions a few days too early, before the New Jersey sale had closed. Had it closed the day the couple forwarded the wiring instructions to the title company, they would have lost everything.

"The scary part is how convincing the email was because it consisted of a carefully crafted thread of emails back and forth between our loan officer, title company, and our realtor," said Brown. "And all of the names, addresses, phone numbers, and signature blocks were correct. Of course, as it turned out, the messages were all fake."

How Scammers Are Succeeding
To pull off this type of scam, scammers need information about a pending real estate sale. They often get it by breaking into the email account of one or more of the parties involved. When attackers can’t break into an account, they spoof the email addresses instead. Being technically savvy consumers, Brown and Demarco did some digging and discovered the scammers had used one of many questionable online email services, in their case one run by a group of hackers in Germany, to impersonate every party involved and make the emails hard to trace.

Scammers often make their emails more convincing by either phishing the intended victim first, or adding details gathered from syndicated real estate websites that include information about a property from the multiple listing services and social media sites. If scammers don’t know the exact closing date of a real estate deal, no problem. It’s typically 30-45 days after the buyer has accepted an offer, and that’s easy for scammers to determine if they’re monitoring a property.
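The spoofing and impersonation described above usually leave traces in the message headers even when the body is flawless: a familiar display name on an unfamiliar address, a Reply-To that diverts answers elsewhere, an envelope sender that does not match the From domain, or SPF/DKIM results the receiving server recorded as failed. The following is an added example, not code from the article or from F5, that checks those signals with the Python standard library. The contact list, domains, and the two sample messages are constructed for illustration.

```python
"""Flag header-level signs of a spoofed wire-instruction email.

Added example for this article; the address book and both messages
below are constructed and hypothetical.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical address book: the display names the buyer expects to see,
# mapped to the one address each party is known to use.
KNOWN_CONTACTS = {
    "Christine Miller": "cmiller@example-realty.com",
    "Title Co Escrow": "escrow@example-title.com",
}

# Phrases typical of the wire-fraud variant of BEC.
WIRE_FRAUD_PHRASES = ("wire", "wiring instructions", "updated account",
                      "reply only", "urgent")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_message: str, known_contacts=KNOWN_CONTACTS) -> list:
    """Return a list of warnings for the message; empty means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))

    # 1. Display-name impersonation: a known name on a different address
    #    (lookalike domains such as .co vs .com are caught here).
    expected = known_contacts.get(from_name.strip())
    if expected and expected.lower() != from_addr.lower():
        warnings.append(f"display name '{from_name}' is known as {expected} "
                        f"but this mail is from {from_addr}")

    # 2. Reply-To that silently redirects replies to the attacker.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Envelope sender (Return-Path) from a domain other than the From domain.
    if return_path and _domain(return_path) != _domain(from_addr):
        warnings.append(f"Return-Path domain {_domain(return_path)} differs "
                        f"from From domain {_domain(from_addr)}")

    # 4. SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if any(f"{mech}={verdict}" in auth for verdict in ("fail", "none")):
            warnings.append(f"{mech} did not pass per Authentication-Results")

    # 5. Wire-fraud wording in the subject or body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [p for p in WIRE_FRAUD_PHRASES if p in text]
    if hits:
        warnings.append("wire-fraud language: " + ", ".join(hits))

    return warnings


# Constructed spoof: right name, lookalike domain, diverted replies, failed SPF.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mailer-host.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-host.example.net; dkim=none
From: Christine Miller <cmiller@example-realty.co>
Reply-To: closing-desk@example-mail.net
To: buyer@example.org
Subject: URGENT: updated wiring instructions for closing

Hi, the title company changed the account. Please wire the closing funds today
and reply only to this email to confirm.
"""

# Constructed legitimate message from the same realtor.
SAMPLE_LEGIT = """\
Return-Path: <cmiller@example-realty.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-realty.com; dkim=pass header.d=example-realty.com; dmarc=pass
From: Christine Miller <cmiller@example-realty.com>
To: buyer@example.org
Subject: Closing walkthrough time

Can we do the walkthrough at 10am Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_headers(sample) or "no red flags")
```

None of these checks is conclusive on its own (a legitimate mailing service can produce a Return-Path mismatch), and a determined attacker who has taken over a real account passes all of them, which is why the article's advice to confirm wire instructions by phone on a known number still applies whatever the headers say.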

How Widespread and Impactful Is It?
Despite coverage by many regional and national news outlets, BEC appears to be growing. Brown and Demarco’s realtor, Christine Miller, said, "We had heard about it but hadn’t experienced it. Now, suddenly it’s gotten really bad."

An attorney for the Colorado Association of Realtors agreed, explaining that the emails are more convincing now, with their involved conversation threads and personalized details. They also have far fewer of the telltale grammar and spelling errors we have come to expect in email scams. Miller adds, "We’re informing all our clients of this scam and ensuring they understand that we never send wire instructions by email, nor does the title company."

This particular home-buying scam is just one variant of BEC, which covers any scam targeting organizations that regularly make wire-transfer payments. The FBI’s Internet Crime Complaint Center (IC3) has tracked BEC scams since 2013. Between October 2013 and December 2016, in the US and internationally, it recorded over 40,000 incidents totaling $5.3 billion in "exposed dollar loss," that is, actual and attempted losses combined.

Steps to Defend Against BEC 
Real estate firms and title companies, at the very least, should warn their clients of the prevalence and sophistication of this scam and advise clients to be on the lookout for it. Additionally, they can help clients by ensuring they understand the exact closing process, the parties involved, the manner in which they will be contacted, etc. Clients who have any doubts should be encouraged to call the known, legitimate phone numbers of agents and other representatives, especially regarding settlement funds or wire transfers.

In general, all organizations should conduct security awareness training about all types of scams, including email fraud, phishing, social engineering techniques, and malware. Here are a few tips to pass on to users:

  • Scrutinize all email carefully, especially as scammers up their "grammar game" and use social engineering to customize messages for specific victims.
  • Never click embedded links; navigate to known sites directly instead.
  • Open attachments only when they are requested or expected.
  • Beware of email messages that include statements of urgency, content that seems out of character for the sender, or restrictive instructions such as "reply only to this email."
  • Never click "Reply" when in doubt about the legitimacy of an email. Instead, use "Forward" and type the recipient’s known, legitimate email address in the To: field.

Fortunately, this story had a happy ending for Brown and Demarco, but for many others it will not. With this particular scam, timing is everything: anyone who has already sent funds should immediately contact the financial institution that handled the wire transfer and ask it to recall the payment. In addition, they should report the crime to the FBI, and file a complaint with the Internet Crime Complaint Center and the Federal Trade Commission.


David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ...