Business Email Compromise: A scourge with a no-brainer defense (by Klara Jordan, Global Cybersecurity Alliance & Rois Ni Thuama, Redsift)
In 2016, Vinci, a construction company, became the victim of a significant business email compromise (BEC)[1] attack. An email which appeared to come from Vinci’s communications director was sent to the news agency Bloomberg. The email claimed that Vinci’s finance director had resigned following the discovery of a black hole in their accounting. The email looked convincing; it wasn’t a matter of replacing an i with the number 1, e.g., @v1nci.com.
The email was sent using an authentic @vinci.com address.
Bloomberg staff wouldn’t have known that the email was from a bad actor. This wasn’t a matter of human error. It wasn’t a hack. This was a problem in the machine. The machine treated the email like it was authentic.
Bloomberg’s staff relied on Vinci having proportionate and reasonable measures in place and taking care of their business brand and reputation.
So of course, Bloomberg published the contents of the email on their website. Within minutes, the market reacted nervously to the news. Vinci noticed the drop in the share price, they reacted quickly, and Bloomberg took the article down 40 minutes after it was originally posted.
Throughout the day, the stock price continued to plummet. During the day the share price dropped from €35 billion to €27 billion. An astonishing €7 billion wiped off the share price.
Hackers were able to rely on the weakness in a very old protocol (SMTP), and they do it because it is easy.
The bad news is that a hard-earned reputation can be materially damaged with a single authentic looking email. In Vinci’s defense, this appears to have been a world first in terms of its boldness, so it would be difficult for shareholders to argue foreseeability.
But perhaps the most depressing thing about this scenario is that damaging a reputation in this way has almost no downside. There is zero cost to the perpetrator, it takes five minutes to learn, it takes a few minutes to implement, and the chances of being detected, pursued, and prosecuted are minimal. At least I have found few instances of individuals being pursued, prosecuted, and convicted of this type of crime.
The good news is that there is a fix: it’s called DMARC, and after learning an expensive lesson, Vinci has since implemented it.
Police and prosecutors – duty of care
Phishing/BEC is simple to do and free to deploy. To discover how easy it is to do, watch one of the five-minute video tutorials on YouTube.[2] It is not surprising then that phishing attacks are the starting point for 70% of data breaches and 90% of targeted cyberattacks.
Understanding that phishing/BEC represents a significant threat to businesses means that businesses need to be especially mindful of their reputation and of maintaining the integrity of commercially sensitive information. For this reason, the legal sector has been instrumental in leading the way to protect their firms.
It is clear that the police and the judiciary need to exercise at least the same degree of digital diligence as businesses. While businesses rely on maintaining the integrity of commercially sensitive information, the police, the prosecutor’s office, and the judiciary must maintain the integrity of key pieces of evidence.
As key institutions, the role that the police and the judiciary play is integral to the proper functioning of our society and in many ways underpins the order that our society is accustomed to. In the same way that the police maintain a secure lockup for physical evidence, all digital evidence must be protected.
Evidence of tampering or early disclosure of evidence can be detrimental to an investigation. Suspects, especially in high-profile criminal cases, would benefit from understanding the scale of an investigation (data breach) or from injecting ransomware, viruses, or other threats into the police or judicial infrastructure (targeted cyberattack). Given that 70% of data breaches and 90% of targeted cyberattacks begin with a phishing/BEC email, and it is well known and understood that DMARC specifically protects against this type of attack, it makes sense to deploy it.
Understanding that phishing/BEC is the most significant cyber threat and learning that a solution at protocol level exists, then it comes as no surprise to learn that the British and US governments have mandated DMARC for all government departments and for all suppliers to their governments.
DMARC
Phishing is a systemic risk which affects everyone. As the case above explains, phishing is a social engineering attack in which a fraudulent email message is sent and appears to be coming from a legitimate organization or user. The goal of this attack is to either steal personally identifiable information (i.e., usernames, passwords, bank or credit card information), to orchestrate fraud (e.g., false wire transfer requests), or to infect systems with malware, such as ransomware or a keylogger.
One difficulty for users when it comes to phishing is to determine whether or not the message came from a legitimate organization. Spammers are able to spoof the « From » address on mail messages, resulting in the recipients trusting the mail message. This can lead to BEC, where an organization can lose thousands to millions of dollars as we have seen in the case above.
DMARC is considered the industry standard for email authentication to prevent attacks in which malicious third parties send harmful emails using a counterfeit address. DMARC stops most email impersonation – by implementing DMARC, domains lower the odds of their domains being spoofed and used for phishing attacks on recipients. Not implementing DMARC exposes those who might expect to receive emails from a domain to phishing attacks and, unsurprisingly, 90% of all cyberattacks begin with a phishing email. It is important to note that BEC can be caused not just by just a phishing email. It could also occur because of an account compromise or system breach, which can occur without using spoofed email.
DMARC acts as an identity check to make it easier for email senders and receivers to determine whether or not a message is legitimately from a sender. Implementation of DMARC will prevent spammers from spoofing the « From » address on mail messages, ultimately protecting not only a domain but also increasing the trust and integrity of a brand. Implementation can increase the deliverability of email messages because over 80% of consumer mailboxes worldwide support DMARC.
End users and companies all suffer from the high volume of spam and phishing on the Internet. Over the years, several methods have been introduced to try and identify when mail from (for example) IRS.GOV (the tax collection authority in the US) really is or really isn’t coming from the IRS. However, these mechanisms all work in isolation from each other; each receiver makes unique decisions about how to evaluate the results and the legitimate domain owner (e.g., IRS) never gets any feedback.
DMARC utilizes existing authentication mechanism, provides a policy to apply (none, quarantine, reject) for messages that fail authentication, has a verification mechanism to check all messages for authentication and provides a reporting capability that may contain important intelligence about abuse of the domain name.
It is important to note that DMARC does not protect against all types of spoofing. DMARC is just one layer of email security. DMARC should be implemented on any public facing domain regardless of email use.
To learn more about DMARC please visit https://www.globalcyberalliance.org/dmarc/.
Rois Ni Thuama, PhD, is the Head of Cybersecurity Governance at Redsift. You can follow her on Twitter at @redsift or connect with her on LinkedIn.
Klara Jordan is the Executive Director, EU and Africa, at the Global Cyber Alliance. You can follow her on Twitter at @JordanKlara or connect with her on LinkedIn.
[1] Business email compromise is oftentimes referred to as CEO fraud.