BEC Scam Leads to Theft of $18.6 Million

Anti-Phishing, DMARC, Awareness & Training, Data Breach

Chinese Hackers Stole From Indian Unit of Italian Firm (gsuparna) • January 11, 2019

In a case of business email compromise, Chinese hackers stole $18.6 million from the Indian arm of Tecnimont SpA, an Italian engineering company, through an elaborate cyber fraud scheme that included impersonating the firm's chief executive, the Economic Times reports.


The scammers sent emails requesting funds to the India head of Tecnimont, part of the publicly traded Maire Tecnimont, from an account that looked deceptively similar to one used by the Italian group's CEO, and also organized conference calls to discuss a "confidential" acquisition in China, the ET report said. The company has filed a complaint with Indian police.

The incident highlights the lack of awareness of business email compromise attacks, especially in the manufacturing sector.

"I am surprised that India head of an Italian subsidiary could be duped of such a huge amount. How could he trust only email and conference call and not have a direct call with the CEO of the company?" asks Shashank Kumar, security researcher at Binary.com, an online trading platform.

But defending against sophisticated BEC scams can be more difficult than spotting a phishing email, security experts note. "My advice would be to have a direct face-to-face meeting or call while going forward with such requests [for funds], no matter how urgent the request seems," Kumar says.

Modus Operandi

According to the report in the Economic Times, after sending emails to the head of the Indian subsidiary of the Milan-headquartered firm, the hackers arranged a series of conference calls to discuss a confidential acquisition in China. People pretending to be the group CEO, a top Switzerland-based lawyer and other senior executives of the company took part in these calls, according to the report.

The hackers requested that the India head transfer the money for an acquisition in China, convincing him that the money couldn't be transferred from Italy due to regulatory issues. He then transferred the amount in three batches during one week in November. The money - $5.6 million, $9.4 million and $3.6 million - was transferred from India to banks in Hong Kong and withdrawn within minutes.

The scam came to light when Tecnimont SpA chairman Franco Ghiringhelli visited India, according to the news report.

The company has sacked the India chief and the head of accounts and finance, according to the company's complaint filed with the Mumbai cyber police.

Battling the Threat

BEC can be difficult to spot. For example, email authentication tools such as DMARC, Domain-based Message Authentication, Reporting and Conformance, and SPF, Sender Policy Framework, only help when the attacker forges the organization's own domain name; a separately registered lookalike domain passes both checks because its owner controls its DNS records.

"DMARC is a lot about business email compromise, spoofing of email etc, but it works only if hackers are spoofing on your domain. In such cases, SPF policies and DMARC will work and stop you from getting conned," says Shomiron Das Gupta, founder and CEO at Netmonastery, a SIEM security and event log management firm. "But if the email is coming from similar looking domain [as in this case], then it becomes tough as tools like DMARC won't work."

In BEC attacks, the fake message often comes from a legitimate email account that an attacker has gained access to, either through social engineering or a targeted compromise. The usual targets are high-level executives or others who have some financial authority in a given organization.

Between December 2017 and May 2018, BEC campaigns caused more than $12.5 billion in actual and attempted losses around the world, including $2.9 billion in the U.S., according to new statistics from the FBI's Internet Crime Complaint Center (IC3).

An Earlier Scam

In an earlier BEC case in India, an organization working on a large project with a client in Canada was scammed in 2015.

"Since they were old partners, invoices were usually cleared within one month of delivery. However, in this particular case, an invoice of $1.5 million was not cleared in the stipulated time," Tarun Wig, senior consultant at AuthShield, a company in the authentication space, said in an interview with Information Security Media Group.

"On reminding the client, they were informed that the invoice had been cleared almost 15 days prior. On investigating, it was found that one of their accounts had been hacked; the hacker had sent mails requesting a change in bank accounts and communicated with the client on the matter."

David Stubley, CEO at 7 Elements, a security testing firm, says use of multifactor authentication is an important step in the battle against the BEC threat.

"But certainly if there is a compromise, the more auditing you've got, the more alerting you've got and the more blocks you have in place, you're going to frustrate the attacker and you're going to give yourself the opportunity to see it occurring and therefore stop it before the worst-case scenario, which is money being paid out of the business," he tells ISMG.

Another important strategy is to leverage brand monitoring. "Here you emulate similar looking domains, similar sounding domains and go block those domains," Das Gupta explains. "But manufacturing companies generally have a lower level of awareness, and the problem is most of them don't want to learn these new techniques."
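As an added example (not code from the article or from any firm quoted in it), this script does the brand-monitoring step Das Gupta describes and also illustrates the DMARC limitation discussed above: it enumerates lookalike variants of a protected domain and classifies inbound sender domains, separating the exact-domain case that SPF/DMARC handle from the similar-looking domains they cannot catch. The domain tecnimont.com and the sample From addresses are assumptions constructed for the example, not values from the incident.

```python
# Assumed protected domain: the article names the firm, not its mail domain.
PROTECTED = "tecnimont.com"

# Common single-character confusions seen in lookalike registrations.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "m": "rn", "e": "3", "a": "4", "s": "5"}
ALT_TLDS = ("co", "net", "org", "it", "in")


def lookalikes(domain: str) -> set[str]:
    """Emulate the lookalike domains a brand-monitoring service would watch for."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:                       # homoglyph substitution
            out.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")          # omitted character
        if i + 1 < len(label):                     # adjacent transposition
            out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
        if i:                                      # hyphen insertion
            out.add(f"{label[:i]}-{label[i:]}.{tld}")
    out.update(f"{label}.{alt}" for alt in ALT_TLDS if alt != tld)
    out.discard(domain.lower())
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch variants the enumeration above misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_domain: str, protected: str = PROTECTED) -> str:
    """'own-domain' is where SPF/DMARC apply; 'lookalike' is what they cannot see."""
    from_domain = from_domain.lower().strip()
    if from_domain == protected:
        return "own-domain"
    if from_domain in lookalikes(protected):
        return "lookalike"
    label = from_domain.rsplit(".", 1)[0]
    if edit_distance(label, protected.rsplit(".", 1)[0]) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed sample From addresses, not real headers from the incident.
SAMPLE_FROM = ["ceo@tecnimont.com", "ceo@tecnim0nt.com", "ceo@tecni-mont.com",
               "ceo@tecnimont.co", "ceo@tecnimonts.com", "ceo@example.net"]


def flag_messages(from_addrs: list[str]) -> dict[str, str]:
    """Map each sender address to its classification for alerting or blocking."""
    return {addr: classify_sender(addr.split("@", 1)[1]) for addr in from_addrs}
```

Feeding the lookalike set to a mail gateway blocklist, or alerting on "lookalike" hits that also mention payments, is the point at which DMARC's blind spot is closed.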

Companies in all sectors also need to educate their employees about how BEC scams work so they can identify warning signs. "All technologies in place will only be effective when employees are cyber aware," says Prashant Mali, a Bombay high court lawyer.

Rakesh Goyal, a CERT-In certified auditor, says that, in addition to always using two-factor authentication to verify the identity of message senders, recipients of money transfer requests should ask for the related documents through a known channel: a known email address, SMS, fax, a secure/encrypted messaging service such as WhatsApp, or a personal visit.