BEC – Where it’s at

We have talked about the dangers of Business Email Compromise (BEC) a few times in the past.

Back in 2017 we said:

Business Email Compromise (BEC) schemes are the scams where the nasty bad people send emails to staff, usually accounts/bills payable staff, purporting to be from the CEO/Chairman/Grand Fromage, requesting payment to be made to a third party which although it sounds credible, is in fact, you guessed it, the villains themselves. Mwahahaha.

What is becoming increasingly clever in these attacks is the huge amount of groundwork (reconnaissance), followed by sophisticated social engineering to get these scams over the line.

Well, jump forward a couple of years and one of our crack team was approached by a friend of his (shall we call him Dave?) at 0900 on Sunday morning and asked to have a ‘quick look’ at some unusual activity on his business systems.

Completely aware that he was walking onto a poorly disguised heffalump trap complete with sharp sticks at the bottom and the thinnest covering of leaves and twigs, our ever-helpful associate stepped forward.

Seventeen hours later and with a little help from some of the crew, the circumstances emerged and make for an interesting insight into the M-O of this particular type of cyber villain (Mwahaha).

Dave’s business is run ‘in the cloud’. Last week when the company accounts person was out of the office on sick leave, Dave was contacted by a client who owed him about £100k and was due to pay, to confirm that Dave’s accountant’s request to change the payment bank account details were genuine.

As the alarm bells started to go off, attention immediately focussed on the ‘unwell’ accountant, an unlikely villain as it happens. Suspecting this may be hax0r related, Dave contacted us and this is what we found:

Hackers had obtained the credentials of Dave’s accounts person. They had been sitting looking at outstanding invoices for sometime. When a nice juicy one came up for paying they did the following:

  • Set up a rule on the accountant’s email to automatically delete all mail to and from the client about to transfer the money.
  • Created a document using company letterhead and a signature (from messages prior), which requested the bank account details to be changed.
  • Sent this to the customer.

If it hadn’t of been for the eagle eyes of the customer’s accounts payable department, this would have worked. The two companies are relatively small and £100k is a lot of monies. In bigger outfits, who knows?

Having failed with the money scheme the hacker moved onto plan B pretty much straight away. They used the hacked email account to register two domains with Both of these were very close to the names of large real organisations.

They paid for the domain registration with bitcoin, so are now untraceable.

They then set up an email account for each of the domains using the details of a real person who works there and then, on one of the accounts (mimicking a very large utility company) sent a lot of emails to real customers of the provider, which if opened would deposit malware onto their poor unsuspecting machines, the Tinba banking trojan included, and as we know Tinba is very nasty indeed.

Of course, we reported the abuse to and made no fewer than three attempts to contact the utility company, including contacting its service desk and responding with requested details by email, then subsequently contacting two of the firm’s security team directly.

Five days later we are yet to receive a reply. Ho Hum. Probably a Lost Cause.

The lessons everyone can learn about this, and if an outfit this organised may be lurking on your systems waiting to pounce on a £100k payment, you should probably take notice, are:

  • Always, always use two-factor authentication for access to cloud hosted services. No excuses (yes, yes, Dave wasn’t doing this, naughty Dave).
  • Regularly, if not constantly review the configuration of your cloud service accounts for things like permission issues or sneaky rules to forward (BCC) or delete messages (we have ways of doing this automatically).
  • Keep training your staff about the perils of Phishing, support this with repeated Phishing testing and make sure you are improving.
  • Make sure that you have logging and auditing turned on in The Cloud, on many systems it is either off or very basic out of the box.

You will be pleased to know that Dave is now sleeping easier (on holiday in Greece actually).

If you would like some help with anything in this Blog or want to give your cyber environment a once over, be like Dave and get in touch at: [email protected] or call 020 7517 3900. Not on a Sunday morning unless it is urgent though, if you can possibly help it.