Once one or more business email accounts are compromised, the attackers can either pursue financial fraud directly (fraudulent wiring instructions) or use the account as a launching pad into other organizations. In this campaign, the trusted organization was compromised and used as a launching pad to target additional organizations, which in turn became launching pads for compromising still more organizations. As each newly compromised organization loses its value as a launching pad, the attackers often switch to more direct forms of attack, targeting that organization's clients for financial fraud.
The new group, tracked as Storm-1167, also appears to use an indirect (adversary-in-the-middle) proxy for its attack. The attackers send the target a phishing email that leads to a page intended to harvest credentials. That page also relays the submitted information to the legitimate sign-in page through the proxy, so the user receives the correct MFA prompts and is logged into the spoofed service. This style of attack lets the attacker capture not only the credentials that are entered but also any session cookies issued for that login. If the attack is sophisticated enough, it can potentially capture authentication methods that are often considered "phishing resistant", such as PINs and even authentication tokens.
Fortunately, there is no indication that this attack has that level of sophistication. The attackers do add an additional SMS-based MFA method to the compromised accounts to get around session cookie expiration, so they can log back in as needed for follow-on activity, which usually includes another phishing campaign. Storm-1167 is believed to have sent more than 16,000 emails as part of this campaign, targeting even more financial organizations.
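Two of the behaviours described above leave traces in sign-in and audit logs: a session cookie relayed through the proxy is later presented from the attacker's own IP, and the persistence step registers a new MFA method shortly after a sign-in from an address the user has never used. The following is an added detection sketch, not code from the original post or from any vendor; it runs over constructed sample events, and the field names (`user`, `ip`, `session_id`, `event`), the baseline of known IPs, and the 30-minute window are assumptions a real deployment would replace with its own log schema and tuning.

```python
"""Added example: flag two AitM-style patterns in constructed sign-in/audit events.

1. The same session identifier presented from more than one client IP
   (consistent with a relayed session cookie being replayed elsewhere).
2. A new MFA method registered within a short window after a sign-in from an
   IP that is not in the user's baseline (consistent with an attacker adding
   an SMS factor to a freshly compromised account).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumptions.
EVENTS = [
    {"ts": "2023-06-08T09:00:00", "user": "alice", "ip": "203.0.113.10",
     "session_id": "s1", "event": "signin"},
    # Same session cookie, a few minutes later, from a different address.
    {"ts": "2023-06-08T09:02:00", "user": "alice", "ip": "198.51.100.7",
     "session_id": "s1", "event": "signin"},
    # Persistence: a new MFA method registered from that second address.
    {"ts": "2023-06-08T09:05:00", "user": "alice", "ip": "198.51.100.7",
     "session_id": "s1", "event": "mfa_method_added"},
    # Benign control: bob adds a factor from an address he always uses.
    {"ts": "2023-06-08T10:00:00", "user": "bob", "ip": "203.0.113.11",
     "session_id": "s2", "event": "signin"},
    {"ts": "2023-06-08T10:30:00", "user": "bob", "ip": "203.0.113.11",
     "session_id": "s2", "event": "mfa_method_added"},
]

# Constructed per-user baseline of previously seen source IPs (an assumption;
# in practice this would be built from historical sign-in data).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(value)


def find_session_reuse(events):
    """Return (user, session_id, ips) for sessions seen from more than one IP.

    This is a useful but noisy signal: roaming mobile clients also change
    address, so it is best combined with ASN or geolocation context.
    """
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for e in events:
        ips_by_session[e["session_id"]].add(e["ip"])
        user_by_session[e["session_id"]] = e["user"]
    return [
        (user_by_session[sid], sid, tuple(sorted(ips)))
        for sid, ips in sorted(ips_by_session.items())
        if len(ips) > 1
    ]


def find_mfa_added_after_new_ip_signin(events, known_ips, window_minutes=30):
    """Return (user, ip, signin_ts, mfa_ts) for MFA registrations that follow a
    sign-in from an IP outside the user's baseline within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    hits = []
    for i, e in enumerate(ordered):
        if e["event"] != "mfa_method_added":
            continue
        mfa_ts = parse_ts(e["ts"])
        baseline = known_ips.get(e["user"], set())
        for prior in ordered[:i]:
            if prior["user"] != e["user"] or prior["event"] != "signin":
                continue
            recent = mfa_ts - parse_ts(prior["ts"]) <= window
            if recent and prior["ip"] not in baseline:
                hits.append((e["user"], prior["ip"], prior["ts"], e["ts"]))
                break
    return hits


def run(events, known_ips):
    """Run both detections and return their findings keyed by rule name."""
    return {
        "session_reuse": find_session_reuse(events),
        "mfa_after_new_ip": find_mfa_added_after_new_ip_signin(events, known_ips),
    }


if __name__ == "__main__":
    for rule, findings in run(EVENTS, KNOWN_IPS).items():
        print(rule, findings)
```

Run against the sample data, only alice's session trips both rules; bob's MFA registration from his usual address is left alone. The second rule is the higher-confidence one, since a new factor appearing minutes after an unfamiliar sign-in is exactly the persistence step the post describes, and it is worth alerting on even when the session-reuse rule stays quiet.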
Business Email Compromises, like other cybersecurity threats, are not slowing down. Attackers may have paused to get a good feel for the current battlefield, but they are now back at it with new and more advanced attacks. Some of these attacks are on an industrial scale in terms of the sheer number of phishing emails sent out. Companies that are relying on the same old tools to prevent phishing will want to take a hard look at the new landscape and see where they are vulnerable. We anticipate that BEC attacks using AitM techniques will ramp up on a large scale over the next few months. After all, it is budget season for many companies: tools may be projected to be bought and installed, but they are not there yet. The fancy new "next gen" phishing detection tools might be on your radar, but attackers understand how businesses work and when their normal implementation cycles are. They are also very aware that in a down economy, security tools and teams are often the first to be cut to save money. Stay safe out there.