
Microsoft Exchange Server Cyber Attack

You installed the patch, but there is more to do. Organizations must comb through their systems to identify what was taken or changed AND to confirm that the attackers have not left web shells, backdoors or other persistence behind.

Background   

In early March 2021 Microsoft disclosed that state-sponsored groups were actively exploiting previously unknown vulnerabilities in on-premises Exchange Server. Estimates put the number of compromised servers at 60,000 or more worldwide. The activity was initially assumed to be aimed at a short list of high-value targets, but the mass exploitation that followed swept up mostly small and medium-sized businesses (SMEs) in a broad, indiscriminate campaign.

The UK's National Cyber Security Centre estimated that 7,000 servers in the UK were affected by the Exchange flaw and that only about half had been secured. Worldwide, the count ran to tens of thousands of servers. Microsoft said that Exchange Online, its cloud-hosted email service, was not affected; only on-premises Exchange Server installations were vulnerable.

Who was impacted by the breach?

The organizations experts identified as most at risk fit the profile of small and medium-sized businesses and similar entities, such as:

  • local governments & businesses
  • public and private US entities
  • schools, banks, hospitals, pharmacies

Who was the intended target?

According to Microsoft, a “highly skilled and sophisticated” state-sponsored group focused on American targets, including universities, defense contractors, law firms and infectious-disease researchers. The subsequent mass exploitation of Exchange servers by other groups does not appear to have been targeted; intruders saw an opportunity and tried to take all the data they could reach before the gaps were closed.

When did the Microsoft Exchange Flaw Happen?  

Microsoft publicly disclosed the vulnerabilities on March 2, 2021. The intruders likely began exploiting them in early January. The Exchange vulnerabilities became the center of mass exploitation by state-sponsored and criminal groups around the world. Experts have said this incident was larger than the December 2020 US Government breach, and were more alarmed by it because far more systems were affected.

The Exchange incident is a major blow to US companies, coming only months after the US Government breach. The December 2020 breach went through software widely used by federal agencies and Fortune 500 companies, organizations with experienced teams and large budgets dedicated to cybersecurity.

What makes the Microsoft Exchange Server hack most concerning?

  • It affected mostly small and medium-sized organizations
  • The Microsoft patch closes the vulnerabilities but does not remove a web shell or backdoor planted before patching
  • Web shells are difficult to detect; see Detection, Prevention and Risk Mitigation below

The Exchange incident hit more small and medium-sized organizations, already stretched by the pandemic. The FBI reported a 300% increase in reported cyber crime since the start of COVID-19. Organizations that made concessions for remote work have been forced to confront the compounding effect of increased attacks.

Note that the global median dwell time, the interval between initial compromise and detection, was 56 days according to FireEye's 2020 M-Trends report. Identifying an intruder on Day 1 has been estimated to reduce data exposure by 96% versus Day 60, at which point the business impact is effectively total.

If your Exchange servers are running a vulnerable version, or you suspect they have been compromised, take them off the internet until they are patched and inspected. An exposed, unpatched server is being scanned and exploited continuously, so every hour online raises the risk.

Method of Attack Used?

The intruders chained the vulnerabilities (the set later named ProxyLogon) to authenticate to the server without valid credentials and write files to disk, dropping web shells into web-accessible directories of on-premises Exchange servers. A web shell is a small script, on Exchange typically an ASPX page, that the web server itself executes; once in place it gives the attacker remote command execution over ordinary HTTPS requests, which is why it is often described as a form of remote access trojan. Operating under the identity of the server's own web process, the intruders used these backdoors to explore victim networks and launch further attacks.

A backdoor is code that bypasses normal authentication to give an attacker access to a system, and with it to the resources the compromised server can reach, such as databases and file servers. What makes a web shell distinctive is that it functions as a command-line interface reachable over HTTP. Once the shell is on the web server, the attacker can browse the file system, run commands under the web server's account, attempt privilege escalation, and upload, download, delete and execute files, all from a browser or a script.
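Because a web shell is driven through ordinary HTTP requests, the web server's own logs record every command an attacker sends through it. The Python below is an added example for this article, not tooling from Microsoft or the article's author. It triages an IIS W3C log for the three log-visible signs of a shell in use: POSTs to script pages that are not in a baseline of legitimate endpoints, shell-like tokens in query strings, and bursts of requests from one client. The sample log lines, client addresses, path names, baseline set and thresholds are all constructed for the demonstration.

```python
"""Triage an IIS W3C log for signs of a web shell being driven over HTTP.

Added example for this article, not tooling from Microsoft or the article's
author. The log lines, addresses, paths, baseline set and thresholds below
are constructed for the demonstration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log (IIS W3C extended format). 198.51.100.7 plays the attacker.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-03-03 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 31
2021-03-03 08:00:02 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 302 44
2021-03-03 08:01:10 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200 12
2021-03-03 08:01:11 10.0.0.5 GET /aspnet_client/system_web/shell.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.25.1 200 9
2021-03-03 08:01:12 10.0.0.5 GET /aspnet_client/system_web/shell.aspx cmd=dir+..%5C..%5C 443 - 198.51.100.7 python-requests/2.25.1 200 15
2021-03-03 08:05:00 10.0.0.5 GET /ecp/default.aspx - 443 jsmith 192.0.2.22 Mozilla/5.0 200 120
"""

# Assumed baseline of .aspx pages that legitimately receive POSTs. A real baseline
# comes from a known-clean server of the same Exchange build, not from this list.
BASELINE_POST_PAGES = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Tokens that have no business in a query string sent to a mail server.
SHELL_TOKENS = re.compile(r"cmd\.exe|powershell|whoami|\.\./|\.\.\\|net user|eval\(", re.I)

# Requests per client per minute that count as a burst; tiny because the sample is tiny.
BURST_THRESHOLD = 3


@dataclass(frozen=True)
class Finding:
    rule: str
    client: str
    detail: str


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entries appear before a #Fields directive")
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed entry; IIS writes '-' for empty fields
        yield dict(zip(fields, parts))


def triage(text, baseline=BASELINE_POST_PAGES, burst=BURST_THRESHOLD):
    """Return Findings in log order, followed by per-minute burst findings."""
    findings = []
    per_minute = Counter()
    for e in parse_iis_log(text):
        stem = e["cs-uri-stem"].lower()
        query = unquote(e["cs-uri-query"])
        client = e["c-ip"]
        # 1. A POST to a script page outside the baseline is how a dropped shell is driven.
        if e["cs-method"] == "POST" and stem.endswith(".aspx") and stem not in baseline:
            findings.append(Finding("post-to-unknown-aspx", client, stem))
        # 2. Shell-like tokens in the URL-decoded query: CISA's "suspicious shell commands".
        if SHELL_TOKENS.search(query):
            findings.append(Finding("shell-token-in-query", client, f"{stem}?{query}"))
        # 3. Count requests per client per minute for the "abnormal usage" check.
        per_minute[(client, e["time"][:5])] += 1
    for (client, minute), n in per_minute.items():
        if n >= burst:
            findings.append(Finding("request-burst", client, f"{n} requests at {minute}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.client:15} {f.detail}")
```

On a real server, run this over the IIS logs for the whole window since early January, not just the days after the patch, and treat any hit on rule 1 as a file to pull from disk immediately; rules 2 and 3 are noisier and mainly help scope what the shell was used for.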

What are the bad actors after?

Everything: credentials, sensitive data, intellectual property, personal and private information. Once inside, attackers also install additional malware, use the compromised server as a relay to issue commands to hosts planted inside the network, and use it as command-and-control infrastructure. The server may be enlisted as a bot in a botnet or used “in support of compromises to additional external networks”, according to Alert TA15-314A on web shells on the Cybersecurity and Infrastructure Security Agency (CISA) website.

Detection, Prevention and Risk Mitigation

Web shells are hard to detect, and antivirus software frequently misses them. CISA lists indicators that warrant further inspection:

  • Abnormal periods of high site usage
  • Files with unusual timestamps
  • Suspicious files in internet-accessible locations (the web root)
  • Files containing suspicious keywords such as cmd.exe or eval
  • Any evidence of suspicious shell commands, such as directory traversal, issued by the web server process

A web shell is installed by exploiting a vulnerability in the server's software or an exposed upload path, so preventing the initial compromise of the web server is critical. Security measures for preventing and mitigating web shell installation:

  • Regularly update applications and the host operating system
  • Apply a least-privilege policy to the web server account
  • Ensure secure configuration of web servers
  • Place the server behind a reverse proxy or an equivalent service
  • Keep offline backups of the server and enforce a change management policy
  • Conduct regular system and application vulnerability scans to identify areas of risk

Microsoft’s response to the Exchange Security Flaw 

Microsoft publicly disclosed the vulnerabilities on March 2, 2021 and released patches for multiple Exchange Server versions, including security updates for otherwise out-of-support cumulative updates. Microsoft worked with the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies to manage the situation. It advised customers that the “best protection is to apply updates as soon as possible across all impacted systems” and said it would “continue to help customers by providing additional investigation and mitigation guidance.”

What we’ve learned

The digital landscape is evolving quickly, and organizations must find innovative solutions, prepare, and remain diligent to protect data and customers from cyber attacks. Hacking groups have grown more numerous, are weaponizing advanced technologies, and pursue a wide range of targets.

Emerging technologies such as machine learning, artificial intelligence and 5G are being integrated into the toolbox of criminal organizations. Both the Exchange attack and the US Government breach are cited as case studies of how capable attackers have become.

For organizations with outdated infrastructure, and for IT professionals with limited time and resources, complex attacks are harder to manage. Dwell time, the interval between an attacker penetrating the network and being identified, has been known to exceed 200 days. A Medium article provided a breakdown of how much controlling dwell time matters to the business:

  • Day 1 dwell time – 96% reduction in business impact
  • Day 7 dwell time – 77% reduction
  • Day 21 dwell time – 40% reduction
  • Day 60 dwell time – full business impact

To underline the severity, CISA stated that the Exchange vulnerabilities pose “an unacceptable risk to Federal Civilian Executive Branch agencies” and issued Emergency Directive 21-02 on March 3, 2021, requiring agencies to check their servers for indicators of compromise, disconnect any server found to be compromised, and patch the rest immediately.

If intruders planted a web shell or other backdoor, applying the patch alone will not remove them from your network, and you remain exposed to further exploitation.

“The White House and National Security Council advise companies to have a review of affected systems and carefully comb through their systems for signs of the intruders.”  

Develop strong cyber safety habits and be prepared with these measures:

Intrusion prevention systems (IPS): An IPS is a proactive network control that detects incorrect, inappropriate and malicious activity that could disrupt the availability or integrity of the network and blocks identified threats by blocking traffic, dropping malicious packets and resetting connections. A cost-effective approach is an off-the-shelf security platform that includes full IPS functionality.

User and entity behaviour analytics (UEBA): UEBA solutions monitor users' actions, locations, behaviour and privileges to detect threats early; on network misuse or anomalous behaviour the software alerts security personnel. UEBA is useful for detecting insider threats, building behaviour profiles, spotting brute-force attacks and compromised accounts, and, to a degree, anticipating future threats.

Virtual dispersive networks (VDN): Cryptography protects information stored on computers and in transit over the internet. A man-in-the-middle (MITM) attacker, however, does not need to crack sound encryption if the connection can be intercepted before it is authenticated, for example by presenting a fraudulent certificate or forcing a protocol downgrade. VDN borrows from military spread-spectrum radio: it splits a message into many parts sent over independent paths and protocols, each encrypted separately, so that intercepting any single path yields neither the whole message nor a single session to attack. Its vendors cite security, network resilience and network performance as its key features.

Multi-factor authentication (MFA): As an identity and access management control, MFA requires the user to present two or more verification factors from different categories to access a resource. Along with a user ID and password (something you know), MFA requires something you have (a hardware token or an authenticator app) or something you are (a biometric), which greatly reduces the value of a stolen password. In the U.S., the National Institute of Standards and Technology (NIST) recommends MFA in its digital identity guidelines (SP 800-63B) for protecting sensitive data such as financial records, email, user databases and health records.

Compared to the severity of cyber threats and their impact on the business, these security solutions are not expensive. Investment in cybersecurity is the best bet for increasing customer trust, reducing exposure to incident costs and regulatory reviews, and protecting the valuable assets of the business. It is forward-thinking investment that supports sales, loyalty, new opportunities, business agility and stakeholder relationships.

Thanks to Photo by Tadas Sar for the image!

What The Breach? US Government 2020 HACK

Breakdown

In December 2020, public reports emerged detailing one of the most expansive and damaging cyberattacks the US government has ever experienced. Federal officials stated the attack posed “a grave risk to the federal government”. The intrusion, which ran for eight to nine months, reached thousands of organizations worldwide through a compromised software supply chain before its intended targets were breached. Ten of the fifteen US federal executive departments reported data breaches, including:

  1. Defense,
  2. Labor,
  3. Energy,
  4. State,
  5. National Institutes of Health (under HHS ),
  6. Commerce,
  7. Homeland Security,
  8. Treasury,
  9. Agriculture, and
  10. Justice. 

Most notable among the compromised agencies is the Department of Energy, home of the National Nuclear Security Administration. In addition to the executive branch agencies, several sources reported that the US Federal Courts system, part of the judicial branch, was breached.

An overwhelming majority of the organizations impacted in this web of connected attacks were US-based, but victims were also identified in Canada, Mexico, Belgium, Spain, the UK, Israel, the UAE and elsewhere. Before 2020 ended, this series of attacks was being described as the most damaging cyber-espionage incident in history. Investigations are ongoing, and experts acknowledge that information about the breach will continue to unfold for years to come.

How could a data breach of this magnitude happen? 

Compromises of this type require meticulous planning, substantial resources and hands-on work by highly experienced operators. The technique was a supply chain attack: a malicious implant was inserted into a legitimate, signed software update of a network management product (the SolarWinds Orion platform) used by federal agencies and Fortune 500 companies worldwide. Once the implant gave the intruders a foothold, they stole credentials and forged authentication tokens to move through connected networks and into cloud resources federated through single sign-on infrastructure.

A supply chain attack targets the less-secure parts of an organization's supply chain, such as a vendor, a software build or update pipeline, or a hardware component, in order to compromise the organization that depends on them. These attacks are industry-agnostic and can occur at any stage: a trojanized software update, a vendor's credentials used to reach the customer's network, or a rootkit or spying component installed during manufacturing. Notable examples: the Target breach (entered through an HVAC vendor's credentials), Eastern European ATM malware, and Stuxnet.

What are some of the challenges associated with the large corporations and cybersecurity?   

Del Alfred, CISSP, cited the major challenges large organizations face when tackling lagging cybersecurity infrastructure: complexity, communication and economics.

In addition to the complexity of the systems, Del explained, “cybersecurity is a costly long-term investment for massive organizations and require a great deal of coordination and management.” With cyber-attacks increasing across all industries, companies are strongly urged to invest in mitigation strategies to offset the costs of data loss, financial and IP theft, disruption of operations, or possibly insolvency.

Complexity. The government, for example, runs extremely complex systems, and the sheer breadth of those systems is an Achilles' heel. More complexity means more difficulty understanding and protecting them.

Communication. Security challenges in large organizations stem partly from the structural churn that occurs during cycles of transition. On average, large organizations experience a shift in leadership every five years, and new leadership brings new approaches to the organization's existing cyber strategy.

Change. Constant shifts in leadership may lead to miscommunication, confusion and silos if not effectively managed. Team dynamics are stretched when contrarian opinions disrupt the current direction of security programs. Value realization rooted in mutual trust and an effective flow of communication between people, information and technology is key. Additionally, a clearly defined portfolio value management process must be established to ensure new ideas are aligned with the long-term strategic value of the organization's existing investments.

Economics. Larger companies with more complex systems struggle economically because of their bureaucratic nature. Rigid organizational structures mean time-sensitive decisions are delayed by large cost and time commitments. IT professionals who must persuade business leaders of the urgency, risk and value of investing in security grow frustrated when immediate concerns are undervalued and postponed. Organizations must treat security as a tenet of their success and cultivate a common goal that delivers long-term value.

Conclusion. Cybersecurity is a long-term investment. To realize value, high-performing organizations need an effective flow of communication, mutual trust, a defined IT management process and a shared goal. Successful organizations with complex systems have implemented an IT management process that monitors and manages KPIs tied to accountability. Managed effectively, these efforts drive value from long-term investments. Lastly, mutual trust between business units and IT staff encourages the flow of communication, which in turn drives organizational transformation and a strategy aligned with the organization's common goal.


How can I protect my data?

3 Step Data Breach Preparedness

The year 2020 has seen an uptick in headlines about the dreaded data breach. For some time cyber experts have warned the business community about the importance of implementing minimum controls and investing in cybersecurity. Experts have also made a concerted effort to shift the conversation from whether a firm will experience a data breach to when one will occur. If you have not already, it is imperative for the C-suite to start candid conversations about prioritizing data privacy and practicing preparedness. We will explore definitions, what is at stake, and immediate steps toward protecting your assets.

What is a data breach?

Over the course of one year, the number of exposed sensitive records rose from 197.61 million to 471.23 million, according to Statista. The main parties in a data breach are the organization experiencing the attack and the individuals whose personally identifiable information (PII) is stored in the organization's systems. Third-party vendors have increasingly been involved, as in the Target and Delta cases.

  • Data owner: the organization experiencing the security breach through error, intent or negligence
  • Data user: the end user of a product or service who provides confidential and sensitive information
  • Data holder: a third-party vendor with access to or storing the data (cloud services, law firms, banks, etc.)

Data breach by definition

The U.S. Department of Health and Human Services Administration for Children and Families defines a data breach as: a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Individuals, organized criminal enterprises and national governments are the usual actors behind a data breach. Organizations are responsible for protecting data on behalf of the consumer. When a buyer engages a vendor, security agreements are executed. Vendors that fail to comply with those agreements, as in the case of Delta and its chatbot vendor, end up in messy litigation. The vendor relationship may complicate the question of who is responsible for a breach, but it does not absolve the data owner of the consequences.

Attackers use several strategies to reach private information. Common attack types include ransomware and other malware, impersonation of an organization (phishing), and denial-of-service attacks (DoS/DDoS), which disrupt service rather than steal data but often accompany an intrusion. Malicious software such as viruses or spyware is often delivered through email or downloads to gain access to protected networks.

What’s at stake?

These incidents may expose personally identifiable information (PII), non-public personal information (NPI), trade secrets, intellectual property and more. Since comprehensive federal privacy legislation has not passed, state legislation defines what counts as PII and NPI.

3 Steps to Protecting Your Data

Integrating assessment reports into your current security routine is a simple way to understand your company's current security controls and what to do next. How your organization handles regulatory compliance and data privacy can have dire effects on your company's growth trajectory. The ability to have a plan, respond quickly and restore data integrity is a competitive advantage in an ever-changing, fast-paced digital world. Implementing the necessary safeguards, monitoring continuously, and ensuring your vendors are compliant are all key to protecting data from attackers. Here are some steps you can take now:

Step 1: Build your Understanding & Act with Urgency

The first step to protecting your data is building an understanding of how expansive the changing digital landscape is, and acting with urgency. Advances such as artificial intelligence and 5G networks are not used exclusively for good. In healthcare, for example, these advances contribute to rapid and lifesaving improvements; the unintended consequences arrive when criminals integrate the same advances into their toolbox.

Step 2: Implementing Assessments into Cyber Routine

Businesses and organizations are urged to find practical ways to develop or expand their data management practices in order to reduce the impact of new digital threats. Assessments are tools for actively managing a security program. Organizations should weigh their options to determine whether self-assessments or independent assessments work best for their needs. Performing an assessment is a starting point, and assessments should be repeated routinely. They are valuable because they:

  • Provide an overview of your firm's current security program
  • Provide clear guidelines and prioritize actions by urgency to improve security controls
  • Establish and demonstrate a history of implementing corrective measures after an incident
  • Provide the document management some industries require during audits and legal matters

Step 3: Perform assessments routinely

It is important to stress that performing a single assessment is not enough: assessments are point-in-time. Cyber criminals constantly renew their efforts to breach organizations that are slow to close known gaps and vulnerabilities. Management must be proactive and diligent in order to protect the integrity of their data. Routine risk assessments are recommended at least annually to build and maintain defenses against cyber threats, and may need to run more frequently depending on your situation.

After an assessment is performed, a report is generated. The report acts as a guide, assigning high, medium or low priority to each item found vulnerable to exploitation. Organizations that use a well-developed independent assessment to examine and enhance their procedures, policies and controls will find they are prepared to act immediately when an incident occurs. The ability to identify and neutralize a threat quickly means less access to data and less damage to your bottom line.

Assessments: How do they work and for whom?

Assessments are composed of a systematic set of methods for gathering, analyzing and evaluating an organization's security framework. To diagnose a situation accurately, an assessment must cover people, processes, technologies and vendors. Each must be considered to provide a holistic overview and support informed decisions.

How to know if your organization is ready to incorporate assessments into your security plan:    

Assessments provide an overview into security controls and security maturity.   The report also includes a comprehensive set of initiatives to follow and execute to obtain your organization’s predetermined goal.  Organizations seeking alignment with best practices stand to gain substantial value from an assessment.

Startups

Assessments can be deployed at each phase of the business cycle. Startups are expected to implement a security program to protect their intellectual property, trademarks and endpoints as early as possible. Your ability to build and maintain consumer trust weighs heavily on brand awareness. Today, more consumers perform due diligence and seek assurances that their data will be protected. If customers find your company has experienced a data breach, it could harm your brand, sales could suffer, or worse.

If your organization is B2B, enterprise customers expect your company to understand compliance, data privacy and industry best practices. Show customers and stakeholders your commitment to generating value and limiting liabilities with well-managed assessments. Invest in a scalable cybersecurity program that understands your needs and supports your initiatives.

Private Equity

During mergers and acquisitions, organizations perform due diligence prior to the integration process of a new company.  Working to implement a security protocol early and systematically throughout the organization ensures business/IT continuity.

Established Companies

Established companies and their data officers understand the value of an extensive security program. Most have experienced several waves and shifts in technology, and their data managers are aware that digital threats will continue to grow in sophistication and volume. The shift to a fully remote staff created an ideal situation for cyber criminals taking advantage of the pandemic, and there have been dozens of reports citing a surge in hacking activity.

Federal officials and cybersecurity experts have sounded the alarm to warn organizations to take these new digital threats seriously. Assessment tools add to a team's ability to monitor, react and respond to an incident quickly.

Audits. Some companies depend on annual audits or have been audited after an incident, and are expected to remediate and report back to industry regulators within a specific timeframe. An audit, however, does not monitor continuously, nor does it provide the depth and detail of an assessment report. An assessment provides a full-scope analysis, a roadmap to remediation, and a central location for document management.

New technology, coupled with a national pandemic, has sharply increased the number of remote users and new devices and the volume of data. While compliance officers work diligently to keep their companies within industry standards, the vastness and complexity of all these variables has created a perfect storm, and cyber criminals are taking advantage of it. Having one place to manage internal operating standards, rapidly evolving consumer protections, and succession planning enables organizations to run optimally.

If your organization is looking for custom enterprise risk management tools or is in the process of enhancing its security programs, the value of a well-developed cybersecurity assessment tool should be apparent. CISO LABS understands the needs of entrepreneurs, management teams and organizations ready to take the next step.

At CISO LABS, our tools and custom enterprise risk management solutions support our clients' critical needs. If your team is seeking to establish or enhance its security programs and strengthen its compliance and privacy strategies, we strongly recommend implementing the steps listed above.

Highly regulated industries with complex compliance and privacy policies pending understand the importance of preparedness around guidelines, self-audits, remediation plans and training. Although the process can be exhausting as data privacy, regulatory policies and the use of third-party vendors expand and gain public visibility, having one central location for document management prepares firms for natural disasters, pandemics and other disruptions.

In closing, organizations enhancing security programs and preparing contingency plans must remain diligent in protecting their interests. CISO LABS is a trusted partner poised to provide high-touch service and a range of solutions to meet your needs.

What is Business Email Compromise?

Overview of the FinCEN “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes”

The advisory is addressed to CEOs, COOs, CROs, Chief Compliance/BSA Officers, BSA/AML analysts and investigators, information technology staff, cybersecurity units, fraud prevention units and legal departments.

In its 12-page advisory, FinCEN breaks down current trends in email compromise fraud. By definition, email compromise fraud is the criminal use of a victim's email account (1) to send false payment instructions to financial institutions or business associates with the intent to steal funds or value, or (2) to assist in the fraudulent transmission of data in order to commit financial fraud. The updated definitions distinguish:

  • Business Email Compromise (BEC), which targets financial institutions or customer accounts belonging to operational entities, including commercial, non-profit, non-governmental and government entities
  • Email Account Compromise (EAC), which targets individuals' personal email accounts[1]

The “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” reports over $9 billion in possible losses from business email compromise schemes since 2016.

In the original document, the BEC Advisory was disseminated to alert financial institutions to predominant trends in reported business email compromise fraud.  The key sectors, entities, and vulnerable business processes targeted were listed, and the update includes:

  • updated operational definitions for email compromise fraud
  • targeting of non-business entities and data by BEC schemes
  • general trends targeting sectors and jurisdictions
  • alerts to financial institutions on the risks associated with vulnerable business processes

The U.S. government and industry have engaged heavily in efforts to curtail email compromise fraud, but reported incidents have continued to rise.  The FBI reported over $12 billion in potential losses domestically and internationally from email compromise fraud.[2]

Since that time the BEC Advisory has tracked almost $9 billion in attempted theft from fraud schemes affecting U.S. financial institutions and their customers.  These fraud schemes exemplify a “significant economic impact on the businesses, individuals, and even governments that are targeted.”

Financial institutions have collectively catalogued the nature and victims of email compromise schemes and provided information to FinCEN, which will be highlighted later.  Financial institutions play an important role in identifying, preventing, and reporting fraud schemes, and in communicating and collaborating with other institutions within the industry.

Updated Operational Definitions for Email Compromise Fraud

Definitions of email compromise fraud were broadened to clarify that such fraud targets a variety of types of entities and may be used to misdirect any kind of payment or transmittal of other things of value.  Examples extend from wire transfers to now include “fraudulently inducing funds or value transfers through other methods of payment,” such as “virtual currency payments, automated clearing house transfers and purchases of gift cards.”[3]  The following definitions should be added to refine AML/CFT frameworks to better detect and report suspected illicit financial activity, including instances of email compromise fraud involving transactions.

BEC Fraud & High Net Worth Individuals

The list of victims of BEC was extended to include increasing attacks against individuals with high net worth, and entities that “routinely use email to make or arrange payments between partners, customers, or suppliers.”

BEC Fraud in Government

Growing numbers of government organizations have experienced cyber attacks on accounts used for pension funds, payroll accounts, and contracted services, with losses impacting the operations of government, government employees, citizens, and vendors.  Vendor impersonation is often used to present familiar-looking messages from a trusted party in a leadership position requesting that the authorized counterparty initiate or process a transaction.

BEC Fraud & Educational Institutions

Higher education institutions have the highest concentration of high-yield BEC fraud.  Transactions including tuition, endowments, grants, renovation, and construction costs are the high-dollar exchanges targeted by BEC criminals.

Compromised or spoofed emails are used to exploit business relationships between the academic institution and contracted service providers using falsified but authentic-looking payment requests.  Large construction and renovation projects have repeatedly been the source of high-dollar thefts.

BEC Fraud in Financial Institutions

Criminals spoof bank domains and send impersonated messages that mirror official communications between bank employees, appearing to come from a department of a legitimate institution (e.g., a Society for Worldwide Interbank Financial Telecommunication (SWIFT) department) to the financial institution, complete with payment instructions and reference numbers.

Top Sectors Targeted in BEC

BEC schemes commonly target (1) manufacturing and construction (25% reported cases), (2) commercial services (18%), and (3) real estate (16%). It appears BEC criminals are using more sophisticated methods to target these industries to increase the likelihood of success. 

Falsified “vendor and client invoices are generally affiliated with larger BEC transactions amounts”, even bigger than CEO fraud schemes, possibly because of the higher expected and previously recurrent transaction amounts to pay for goods and services.

It is particularly interesting that “vendor impersonation scams often involve foreign intermediary beneficiaries receiving the initial flow of illicit funds. BEC criminals are likely exploiting the common use of foreign vendors and attempting to reduce the likelihood of financial institutions and customers recognizing the suspicious nature of the transaction.”

For BEC-related transactions that send funds outside of the US, the FBI has identified China, Hong Kong, the UK, Mexico, and Turkey as prominent destinations of BEC-derived funds.

Vulnerable Business Processes Compromised

BEC criminals continue to increase the sophistication of their methods to raise their yield and rate of success.  Processes that are vulnerable to compromise, whether through openly available information about targets or through cyber-enabled reconnaissance such as spear phishing or malware, allow criminals to insert themselves into an exchange as a key player within business relationships or the transactions they involve.

Criminals become familiar with the victim’s habits and business processes and pair that knowledge with weaknesses in the victim’s authorization and authentication protocols.[4]  These methods have proven “extremely effective” in developing falsified information used to send wires to accounts controlled by a BEC criminal.  By developing an awareness campaign to “understand the nature of these social engineering schemes and assessing and mitigating their business process vulnerabilities to compromise, financial institutions and their customers can reduce their susceptibility to BEC fraud.”[5]

BEC schemes, and the beneficiaries thereof, play roles in larger criminal networks and laundering efforts.  Under the USA PATRIOT Act 314(b) safe harbor protections,[6] financial organizations may share information regarding BEC fraud for identification and, when necessary, reporting of suspicious activities that may involve terrorist or money laundering activity.[7]

Over 6,000 instances and over $2.6 billion in attempted and successful transactions related to suspected money laundering activity through BEC schemes have been identified since November 2016.  Financial institutions have been encouraged to share valuable information about BEC beneficiaries and perpetrators to help protect other targeted institutions and their customers from facing similar devastating losses, and to identify and curtail financial crimes and the trafficking of funds through broader criminal money laundering networks.


[1] Definitions of BEC and EAC from the 2016 BEC Advisory

[2] See FBI Alert I-071218-PSA, “Business E-mail Compromise the 12 Billion Dollar Scam,” July 12, 2018.

[3] 2016 BEC Advisory definition extended from wire transfers to virtual currency payments, automated clearing house transfers and the purchases of gift cards. 

[4] BEC perpetrators may leverage cyber-enabled reconnaissance efforts such as skillful social engineering or computer intrusions to gain sufficient knowledge of the organizations’ business processes.

[5] FIN-2019-A005, July 16, 2019. Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes.

[6] See Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”) Publ. L. No. 107-56, §314(b); and 31 CFR § 103.110(b)(5).

[7] For FinCEN’s guidance clarifying that 314(b) participants may share information related to transactions, as well as the underlying specified unlawful activities, under the protection of the 314(b) safe harbor if the participant suspects that transactions may involve the proceeds of specified unlawful activities under money laundering statutes, see FinCEN Guidance FIN-2009-G002 “Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act,” June 16, 2009.

What is Data Privacy?

Citizens have a right to know how their personal information is collected and used. Information privacy, data privacy, or data protection pertains to the relationship between:

  • an entity collecting and disseminating data
  • the technology used
  • expectations of privacy
  • the legal and political concerns

Strategies used to Gain Access to Networks

There are several strategies attackers use to gain access to private information, including security breaches, ransomware, malware, impersonation of an organization, and distributed denial of service (DDoS) attacks.   Malicious software such as viruses or spyware is occasionally delivered through email or downloads to gain access to protected networks.

What’s at stake? 

These cyber attacks may reveal data such as personally identifiable information (PII), non-public personal information (NPI), trade secrets, and intellectual property.  Since federal legislation has not successfully passed, state legislation provides the working definitions for PII and NPI.

Personally Identifiable Information

The California Consumer Privacy Act of 2018 (AB 375) (or CCPA) defines personally identifiable information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of PII include identifiers such as, but not limited to:

  • Real name or alias
  • Email address
  • Internet Protocol address and/or network activity
  • Social Security Number
  • Driver’s License or Passport Number
  • Biometric information

All 50 states, the District of Columbia, Puerto Rico, and the US Virgin Islands have passed legislation protecting personally identifiable information (PII).  If you’re interested, click here to view The California Consumer Privacy Act of 2018.

Non-public Personal Information

The Gramm-Leach-Bliley Act (GLBA), or the Financial Modernization Act of 1999, defines non-public personal information to include data “a consumer provides to a financial institution to obtain a financial product or service from the institution; results from a transaction between the consumer and the institution involving a financial product or services; or a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.” Read the full document here. Examples of NPI as referenced by GLBA include but are not limited to:

  • Information provided on an application, such as name, address, income, and SSN
  • Transactional information, such as information linking the individual as a customer or consumer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases
  • Information obtained in conjunction with providing a financial product or service, such as non-public court records or consumer reports

Protecting Data

To alleviate the risk of costly incidents, businesses must have critically important discussions around how to protect data.  In addition to applying “reasonable security” procedures, businesses should also consider implementing minimal levels of controls such as:

  • continuous vulnerability management,
  • inventory of software and hardware,
  • security training, and
  • penetration testing