FBI warns of BEC scammers using email auto-forwarding in attacks

by chebbi abir

The FBI is warning US companies about scammers actively abusing auto-forwarding rules on web-based email clients to increase the likelihood of successful Business Email Compromise (BEC) attacks.

This warning was issued through a joint Private Industry Notification (PIN) sent on November 25 and coordinated with DHS-CISA.

BEC scammers are known for using social engineering, phishing, or hacking to compromise business email accounts with the end goal of redirecting future or pending payments to bank accounts under their control.

The FBI’s Internet Crime Complaint Center (IC3) also issued a Public Service Announcement (PSA) in September 2019 warning that BEC scams are continuing to grow every year, with victim complaints totaling over $26 billion in exposed dollar loss between June 2016 and July 2019, and a 100% rise in the identified global exposed losses between May 2018 and July 2019.

IC3 also revealed in the 2019 Internet Crime Report that BEC was the cybercrime type with the highest reported total victim losses in 2019, reaching around $1.8 billion in individual and business losses during that year alone.

Medical and manufacturing organizations targeted

The PIN, labeled “TLP: WHITE,” provides details on how fraudsters successfully compromised businesses in BEC scams and on how auto-forwarding email rules are being used to collect information and limit the victims’ capability to detect the fraudulent activity.

BEC scammers used email rules added to the targets’ web-based email clients to hide their activity while impersonating employees or business partners.

“According to recent FBI reporting, cybercriminals are implementing auto-forwarding rules on victims’ web-based email clients to conceal their activities,” the FBI said.

“The web-based client’s forwarding rules often do not sync with the desktop client, limiting the rules’ visibility to cybersecurity administrators.”

The FBI also provides information on two attacks from August 2020 where BEC scammers made use of web-based email forwarding rules to target US-based manufacturing and medical equipment companies.

In both cases, the attackers were able to successfully hide their activity from the companies’ security teams by automatically forwarding all incriminating emails to the attackers’ mail accounts.

This allowed them to impersonate other vendors and request that payments for services rendered be sent to bank accounts under their control.

  • In August 2020, cybercriminals created auto-forwarding email rules on the recently upgraded web client of a US-based medical equipment company. The webmail did not sync to the desktop application and went unnoticed by the victim company, which only observed auto-forwarding rules on the desktop client. RSS was also not enabled on the desktop application. After the BEC actors obtained access to the network, they impersonated a known international vendor. The actors created a domain with similar spelling to the victim and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment. The actors obtained $175,000 from the victim.
  • During another incident in August 2020, the same actor created three forwarding rules within the web-based email used by a company in the manufacturing industry. The first rule auto-forwarded any emails with the search terms “bank,” “payment,” “invoice,” “wire,” or “check” to the cyber criminal’s email address. The other two rules were based on the sender’s domain and again forwarded to the same email address.

Cloud-based email abuse in BEC attacks

The FBI also warned private industry partners of threat actors abusing both Microsoft Office 365 and Google G Suite in BEC attacks in two separate notifications [1, 2].

“The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds,” the FBI said in a PIN sent on March 3.

The victims are redirected via large-scale phishing campaigns to phishing kits capable of identifying the “service associated with each set of compromised credentials” and displaying the correct user interface.

Using information harvested from compromised cloud email accounts, the scammers impersonate employees of the compromised businesses to insert themselves in communications with other vendors to redirect payments to bank accounts they control.

They also collect and exfiltrate contacts from infiltrated email accounts, to be used later in other phishing attacks that compromise more businesses, which makes it a lot easier to pivot to other targets within the same or related industry sectors.

Even though both Google G Suite and Microsoft Office 365 come with security features that can help block BEC scam attempts, many of them have to be manually configured and toggled on by an organization’s IT administrators or security teams.

Because of this, “small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams,” according to the FBI.

The FBI advises IT admins to take the following measures that could block BEC attacks:

  • Prohibit automatic forwarding of email to external addresses.
  • Add an email banner to messages coming from outside your organization.
  • Prohibit legacy email protocols such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication.
  • Ensure mailbox logon and settings changes are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity such as foreign logins.
  • Enable security features that block malicious email such as anti-phishing and anti-spoofing policies.
  • Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email.
  • Disable legacy account authentication.
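An added detection example, not code from the article or the FBI notice: it reviews constructed mailbox-rule audit records for the two things the August 2020 incident and the first recommendation above turn on, forwarding to an external address and rules keyed on payment-themed search terms. The record shape and field names are assumptions modelled loosely on Exchange Online “New-InboxRule” audit entries, and the sample log is constructed.

```python
import json

# Search terms the PIN says the attacker's first forwarding rule keyed on.
PIN_SEARCH_TERMS = {"bank", "payment", "invoice", "wire", "check"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
WORD_KEYS = ("SubjectContainsWords", "SubjectOrBodyContainsWords")

def _event(user, **params):
    # Constructed audit record. Shape loosely follows Exchange Online "New-InboxRule"
    # entries, where cmdlet parameters are stored as a list of Name/Value pairs (assumption).
    return json.dumps({"Operation": "New-InboxRule", "UserId": user,
                       "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]})

# Constructed sample log: two rules modelled on the August 2020 incident, two benign ones.
SAMPLE_EVENTS = [
    _event("ap@example.com", Name="Finance", ForwardTo="collector@attacker-example.net",
           SubjectOrBodyContainsWords="bank;payment;invoice;wire;check"),
    _event("ap@example.com", Name="Vendor", FromAddressContainsWords="vendor-example.com",
           ForwardTo="collector@attacker-example.net"),
    _event("hr@example.com", Name="Archive", MoveToFolder="Archive"),
    _event("ops@example.com", Name="Team copy", ForwardTo="ops-team@example.com"),
]

def _split(params, keys):
    # Multi-valued parameters arrive as ';'-separated strings.
    return [v.strip() for k in keys for v in params.get(k, "").split(";") if v.strip()]

def review_rule(event, internal_domains):
    """Return the reasons a New-InboxRule event deserves analyst attention."""
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    findings = []
    external = [a for a in _split(p, FORWARD_KEYS)
                if a.rsplit("@", 1)[-1].lower() not in internal_domains]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    hits = sorted({w.lower() for w in _split(p, WORD_KEYS)} & PIN_SEARCH_TERMS)
    if hits:
        findings.append("keys on payment-themed terms: " + ", ".join(hits))
    return findings

def audit(lines, internal_domains=("example.com",)):
    """Map 'user/rule name' -> findings for every flagged rule in JSON-lines input."""
    report = {}
    for line in lines:
        event = json.loads(line)
        findings = review_rule(event, {d.lower() for d in internal_domains})
        if findings:
            name = next(x["Value"] for x in event["Parameters"] if x["Name"] == "Name")
            report[f"{event['UserId']}/{name}"] = findings
    return report
```

Run against the sample, `audit` flags only the two rules that forward to the external collector address; the rule that forwards to an internal team mailbox and the move-to-folder rule pass.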

Users can also follow these recommendations to defend against BEC scammers:

  • Enable multi-factor authentication for all email accounts.
  • Verify all payment changes and transactions in-person or via a known telephone number.
  • Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.

To read the original article:  https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-using-email-auto-forwarding-in-attacks/
