The U.S. Federal Bureau of Investigation has issued a warning about cybercriminals abusing email auto-forwarding rules to increase the likelihood of successful business email compromise attacks.
The warning, published Nov. 25 as a private industry notification but made public only now, says the bureau has seen an increase in cybercriminals creating automatic forwarding rules in victims’ webmail clients to conceal their activities. Webmail is specifically targeted because rules created there often do not sync to the desktop client, which keeps them out of sight of the administrators who would otherwise notice them.
As the emails are forwarded, cybercriminals can use what they have received to increase the likelihood that a future business email compromise attack succeeds. A typical BEC scam involves a victim receiving an email that appears to come from a company it normally does business with, often requesting that funds be sent to a new account. With forwarded emails, the crooks have more details with which to make such a request convincing.
The FBI gave the example of a U.S.-based medical equipment company that was targeted in August. In that case, the cybercriminals created automatic forwarding rules in a recently upgraded web client used by the company, whose administrators monitored forwarding rules only in desktop clients, so the new rules went unnoticed.
Using the gathered information, the cybercriminals posed as a known international provider, registered a domain name with a similar spelling and communicated with the provider from a U.K.-based IP address to increase the likelihood of payment. They obtained $175,000 from the company before the scam was detected.
The FBI advises businesses to take mitigating measures, including ensuring that desktop and web applications sync properly and are kept updated, being wary of last-minute changes to established email addresses, checking sender addresses carefully for subtle changes, and enabling multi-factor authentication on all email accounts.
Additionally, companies are advised to prohibit automatic forwarding of email to external addresses, arguably the simplest mitigation of all, and to monitor the email exchange server frequently for configuration changes and custom rules.
“Using automatic forwarding rules is standard operating procedure for BEC-focused cybercriminals,” Matthew Gardiner, senior security strategist at cloud cybersecurity firm Mimecast Services Ltd., told SiliconANGLE. “With automatic forwarding configured to forward emails to the attacker, the attacker can literally quietly read the target’s email for an extended period of time and decide when to launch the next stage of the attack.”
Wade Woolwine, principal security researcher at cybersecurity and compliance solutions provider Rapid7 Inc., said this type of behavior is typical of attacks targeting intellectual property or other types of competitive information, such as in the legal and manufacturing industries.
“It’s becoming an increasingly attractive technique for attackers who find it easy to phish credentials, connect to SaaS email providers, and implement automatic forwarding rules,” Woolwine explained. “In many cases, administrators can set configurations to limit or completely disable automatic forwarding rules. In cases where this functionality is required to conduct activities, administrators can configure alerts for the creation of new automatic forwarding rules.”
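The two controls the FBI and Woolwine describe, blocking external auto-forwarding and watching for newly created forwarding rules, map onto a handful of Exchange cmdlets. The following is an added example written for this article, not code from the FBI notification, Mimecast or Rapid7. It assumes a Microsoft 365 tenant administered with the ExchangeOnlineManagement PowerShell module and an operator holding Exchange admin rights; the seven-day lookback window and the output shape are arbitrary choices for illustration.

```powershell
# Added example (not from the FBI notification or the article): Exchange Online
# PowerShell to (1) block automatic forwarding to external domains, (2) hunt for
# forwarding already configured at the mailbox level or via inbox rules, and
# (3) pull the audit events an alert on new forwarding rules would key on.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

# 1. Tenant-wide block on auto-forwarding.
#    Weak setting: AutoForwardEnabled $true on the Default remote domain lets any
#    user rule forward mail off-tenant. Show the current value, then turn it off.
Get-RemoteDomain Default | Select-Object Name, AutoForwardEnabled
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# Newer tenants also govern this in the outbound spam policy; Off blocks it
# regardless of the remote-domain setting.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Domains the tenant owns, used to flag forwarding targets that are external.
$accepted = (Get-AcceptedDomain).DomainName

# 2. Mailbox-level forwarding (ForwardingAddress / ForwardingSmtpAddress), which
#    is set by admins or by an attacker with Set-Mailbox rights, not by a rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    ForEach-Object {
        $smtp = ($_.ForwardingSmtpAddress -replace '^smtp:', '')
        [PSCustomObject]@{
            Mailbox        = $_.UserPrincipalName
            ForwardingAddr = $_.ForwardingAddress
            ForwardingSmtp = $smtp
            External       = ($smtp -and ($smtp.Split('@')[1] -notin $accepted))
            KeepCopy       = $_.DeliverToMailboxAndForward
        }
    } | Format-Table -AutoSize

# 3. Inbox rules that forward or redirect, whichever client created them.
#    Get-InboxRule reads server-side rules, so webmail-created rules that never
#    synced to the desktop client are still visible here.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.UserPrincipalName
    Get-InboxRule -Mailbox $mbx |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox = $mbx
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join '; '
            }
        }
} | Format-Table -AutoSize

# 4. Audit events for rule creation and forwarding changes over the last 7 days.
#    New-InboxRule / Set-InboxRule are logged for webmail and PowerShell;
#    UpdateInboxRules is what the Outlook desktop client produces. Set-Mailbox
#    is kept only when its parameters touch a forwarding attribute.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
    Where-Object { $_.Operations -ne 'Set-Mailbox' -or $_.AuditData -match 'Forwarding' } |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            When     = $_.CreationDate
            Who      = $_.UserIds
            Op       = $_.Operations
            ClientIP = $d.ClientIP
        }
    } | Sort-Object When | Format-Table -AutoSize
```

Step 3 is the check that would have caught the case in the article: it reads rules from the mailbox on the server rather than from any one client, so a rule added through the web client shows up whether or not the desktop client ever synced it. Step 4 is the raw material for Woolwine's alerting suggestion; a scheduled run that pages on any New-InboxRule or UpdateInboxRules event whose ClientIP is outside the organization's usual ranges is a reasonable first alert. On-premises Exchange exposes the same Set-RemoteDomain and Get-InboxRule cmdlets, but Search-UnifiedAuditLog is Exchange Online only, so an on-premises deployment would need mailbox audit logging or message tracking logs for the equivalent of step 4.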