{"id":43397,"date":"2021-10-14T00:00:00","date_gmt":"2021-10-14T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/analyzing-email-services-abused-for-business-email-compromise.html"},"modified":"2021-10-14T00:00:00","modified_gmt":"2021-10-14T00:00:00","slug":"analyzing-email-services-abused-for-business-email-compromise-threats-analyst-threat-researcher-threats-analyst-sr-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-email-services-abused-for-business-email-compromise-threats-analyst-threat-researcher-threats-analyst-sr-threat-researcher\/","title":{"rendered":"Analyzing Email Services Abused for Business Email Compromise Threats Analyst Threat Researcher Threats Analyst Sr. Threat Researcher"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

The gradual increase throughout the year prompted us to pay attention to the campaigns being deployed, but the sudden increase in August caught our interest. Compared to campaigns from previous years in which BEC actors mostly impersonated executives or ranking management personnel, we observed a specific BEC campaign type spoofing general employees\u2019 display names. We noticed a sudden upshot of dangerous emails impersonating and targeting ordinary employees for money transfers, bank payroll account changes, or various company-related information. We launched the \u201cBEC Display Name Spoofing<\/a>\u201d detection solution for Trend Micro\u2122 Cloud App Security in Q1 to address this issue. Following this, we also observed the highest volume of BEC detections in the Americas.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

BEC is an online scheme dependent on leveraging email and its features of convenience for legitimate users, and we noted five major types of email channels that BEC actors use. As we continue monitoring BEC operations, we also learned that BEC actors can use the same channels and techniques for a longer period than for just one deployment campaign, tracking complaints from different spoofed and scammed victims online. We also took note of the patterns in keywords and domain names that they use to appear legitimate to their potential victims, and what BEC email recipients can watch for when encountering these scams.<\/p>\n

Types of email services used for BEC<\/span>We analyzed the email services abused and the techniques that BEC actors have adopted in their campaigns.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n
    \n
  1. Free email services<\/b><\/li>\n<\/ol>\n

    We observed BEC groups favoring the abuse of known free email services for the low-cost entry. There is also the trusted marketing quality and service promise of confidentiality in terms of protecting legitimate users, while bulk account creation tools can be used to facilitate numerous accounts. We observed services offered by Gmail, Hotmail, and Outlook as the top choices for BEC campaigns.<\/p>\n

    These services allow BEC actors to spoof enterprise employees\u2019 names or personal emails to use. In a typical case of this type of abuse, malicious actors spoof an employee email address and request changes to payroll deposit bank accounts.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

    \n
    \n

    We observed a part of the BEC chief executive officer (CEO) email fraud scheme includes having a common account naming convention, such as \u201coffice\u201d, \u201cpresident\u201d, \u201cchief\u201d, and \u201cdirector\u201d, among company leadership positions. Among all these free email services, Gmail appears to be the most commonly abused service for BEC during our investigation timeframe. We identified 10 commonly used examples:<\/p>\n

      \n
    1. chiefexecutiveoffice <BLOCKED> [@]gmail.com<\/li>\n
    2. chiefexecutiveofficer <BLOCKED> [@]gmail.com<\/li>\n
    3. directorexecutiveofficer <BLOCKED> [@]gmail.com<\/li>\n
    4. officepresident <BLOCKED> [@]gmail.com<\/li>\n
    5. officepro <BLOCKED> [@]gmail.com<\/li>\n
    6. officeproject <BLOCKED> [@]gmail.com<\/li>\n
    7. officework <BLOCKED> [@]gmail.com<\/li>\n
    8. offshoreoffice <BLOCKED> [@]gmail.com<\/li>\n
    9. presidentoffice <BLOCKED> [@]gmail.com<\/li>\n
    10. rev.office <BLOCKED> [@]gmail.com<\/li>\n<\/ol>\n

      More often, BEC email content usually includes direct financial requests or transfers from the intended victim. However, there are also indirect approaches wherein they first ask for specific favors from the recipient. If the recipient replies, it indicates that the potential victim believes that the sender is legitimate.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n

      We also observed some of these BEC email addresses being active from just a couple of days to years. For example, email account cexecutive9<BLOCKED>[@]gmail.com has been active for more than three years. We detected the address sending BEC emails in 1H 2018, and continued to see the same email account actively sending BEC more than three years later. We also noticed some users in social media complaining about an email scam received from the same address.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n

      2. Local email services<\/b><\/p>\n

      Some services provide local email services for end users. BEC actors also frequently use these services (using either compromised credentials or making new ones) to launch BEC attacks. We observed more than 15 countries\u2019 local email services with BEC email footprints, such as the United States, United Kingdom, Germany, the Czech Republic, Poland, New Zealand, South Korea, Ukraine, Russia, Portugal, Australia, Norway, Italy, France, and Canada. Table 1 lists five of the email services and the BEC email sender account that we detected:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n\n\n\n\n\n\n\n\n
      \n

      Country<\/b><\/p>\n<\/td>\n

      		\n

      Email service<\/b><\/p>\n<\/td>\n

      		\n

      BEC email address<\/b><\/p>\n<\/td>\n<\/tr>\n

      \n

      United Kingdom<\/p>\n<\/td>\n

      		\n

      virginmedia.com<\/p>\n<\/td>\n

      		\n

      officelink <BLOCKED> [@]virginmedia.com<\/p>\n<\/td>\n<\/tr>\n

      \n

      United States<\/p>\n<\/td>\n

      		\n

      optimum.net<\/p>\n<\/td>\n

      		\n

      ceo <BLOCKED> [@]optimum.net<\/p>\n<\/td>\n<\/tr>\n

      \n

      Czech Republic<\/p>\n<\/td>\n

      		\n

      seznam.cz<\/p>\n<\/td>\n

      		\n

      officeport <BLOCKED> [@]seznam.cz<\/p>\n<\/td>\n<\/tr>\n

      \n

      Germany<\/p>\n<\/td>\n

      		\n

      mail.com<\/p>\n<\/td>\n

      		\n

      officeonlyme <BLOCKED> [@]mail.com<\/p>\n<\/td>\n<\/tr>\n

      \n

      South Korea<\/p>\n<\/td>\n

      		\n

      naver.com<\/p>\n<\/td>\n

      		\n

      mail_ceoofficial <BLOCKED> [@]naver.com<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Table 1. Sample free email services and BEC email addresses used for campaigns<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n

      We observed BEC email actors also being interested in victim’s contact information or data from companies such as aging reports<\/a>. They also try to get information from their victims for other attacks that use social engineering.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n

      3. Encrypted email services<\/b><\/p>\n

      Like other cybercriminals, BEC actors also want to hide their footprints and prevent systems from tracking them. Encrypted email services provide users with a higher level of privacy and confidentiality (that is, the inclusion of other security features compared to other email services). We observed BEC actors using some encrypted email services and list some examples below:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n\n\n\n\n\n\n
      \n

      Encrypted email service<\/b><\/p>\n<\/td>\n

      		\n

      Sample BEC email address<\/b><\/p>\n<\/td>\n<\/tr>\n

      \n

      Protonmail<\/p>\n<\/td>\n

      		\n

      officeiccon <BLOCKED> [@]protonmail.com<\/p>\n<\/td>\n<\/tr>\n

      \n

      Tutanota<\/p>\n<\/td>\n

      		\n

      eye.adimn <BLOCKED> [@]tutanota.com<\/p>\n<\/td>\n<\/tr>\n

      \n

      Criptext.com<\/p>\n<\/td>\n

      		\n

      iphone <BLOCKED> [@]criptext.com<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Table 2. Sample encrypted email services used for BEC<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n

      These emails are not only found in the From<\/i> email header, but at times also hidden in the Reply-to<\/i> section. A common trick in email scams like BECs involves forging the From header into something legitimate-looking and hide the actors\u2019 actual email in a hidden Reply-to.  When users directly reply just by clicking the in-mail Reply button, the Reply-to header will automatically be the recipient email address. This is unknown to the victim and it allows the BEC actor to communicate with the victim thereafter. The example in Figure 11 shows how a BEC actor hides the actual email address ceoof<BLOCKED>[@]protonmail.com in the Reply-to section. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n

      \n
      \n

      4. Self-registered domains and direct-to featured email service<\/b><\/p>\n

      Aside from using globally known email services, BEC actors also register domains themselves. This can bring two benefits when they conduct attacks:<\/p>\n

      1.       They can create look-alike domains to deceive victims. The actors register domains with different characters but appear similar to a legitimate domain. Some commonly seen tricks include the interchange between specific letters and numbers:<\/p>\n