A company in the US lost $15 million in a two-month-long business email compromise scam, BleepingComputer reports. Researchers at Mitiga who investigated the attack told BleepingComputer that cybercriminals spent two weeks trying to gain access to email accounts at the targeted company. Once they succeeded in hacking into an employee’s Office 365 account, they spent another week lurking in the account undetected while gathering information, and eventually identified a transaction they could hijack.
Over the next four weeks, the attackers were able to compromise email accounts belonging to senior executives at the company, and they set up email forwarding rules so they could still receive emails even if they were locked out of the accounts. They also set up domains spoofing this company and one of its commercial partners so they could intercept both sides of their conversations and modify financial details when the transaction actually took place.
After the money had been stolen, the criminals were able to keep both parties to the commercial transaction in the dark about what had happened until it was too late.
“Banks can lock a transaction when money goes to the wrong account, and the error is flagged in time,” BleepingComputer writes. “The threat actor was well aware of this detail and had prepared for this phase. To conceal the theft until they moved the money to foreign banks and make it lost forever, the attacker used inbox filtering rules to move messages from specific email addresses to a hidden folder. It was a move that kept the legitimate inbox owner unaware of communication about the money transfer. It lasted for about two weeks, Mitiga says, sufficient for the actor to make the $15 million disappear.”
Mitiga believes this group is going after many other organizations as well, and the researchers identified more than 150 spoofed domains set up by the group.
“Although researchers investigated events at a single victim, they found clues indicating that dozens of businesses in construction, retail, finance, and legal sectors are on their list of targets,” BleepingComputer says.
Notably, the criminals in this case didn’t use any malware. The entire attack relied on social engineering and misuse of legitimate features. New-school security awareness training can help your employees defend themselves against sophisticated social engineering attacks.