Hand-in-glove cooperation with customer security team blocks theft of $700,000 with minutes to spare
Even security-conscious organisations with strong security policies and posture are potentially vulnerable to business email compromise from targeted attackers, as an Arctic Wolf® retail industry customer recently learned.
In this case, however, close collaboration with the Arctic Wolf Concierge Security® Team stopped a wire transfer smash-and-grab attack in its tracks.
The Target
The retail organisation targeted in this attack uses Office 365 for internal office software, including the Outlook cloud application. As a security-conscious business, this company’s IT team had enabled and required multi-factor authentication (MFA) across cloud services, including O365. It had also partnered with us, using the Arctic Wolf® Managed Detection and Response (MDR) and Managed Cloud Monitoring security operations solutions to provide in depth defence of their on-premise and cloud systems.
One more key fact: The business frequently uses high-value wire transfers to pay suppliers, merchants and business partners.
The Cyberattack
Most financially motivated cybercriminals focus on data breach attacks, where they can steal sensitive information for resale on the dark web. These attackers, however, schemed to cut out the middleman. They planned a business email compromise attack, which would result in the direct theft of three-quarters of a million dollars in a single afternoon.
The first step was selecting the right target. Criminals frequently use open-source intelligence to identify their targets, scraping business sites, professional social media and other public sources to zero-in on high-value accounts. In this case, the attackers ultimately targeted a highly-placed employee of the retail company – an executive whose job included requesting and authorising major wire transfers.
The attackers likely used a low-and-slow dictionary attack to compromise this high-value individual account. Because the attackers were slowly targeting a single email account, their failed logins – perhaps just one or two a day – would not have raised the alarm. Eventually, they were able to identify the correct username-password combination.
That’s when the attackers ran into the next line of defence: multi-factor authentication. The attackers now knew the username and password to access the account, but they had no access to the executive’s phone. That meant that they couldn’t directly access the account. However, the attackers weren’t daunted.
They prompted their target with a login request. And they got lucky. A malicious authentication request popped up on the target’s phone as the executive was using an Office 365 service, and the executive clicked ‘OK’.
The attackers were in.
What Happened Next
This incident was now an official business email compromise. And this is when the Arctic Wolf Managed Cloud Monitoring solution generated its first alert.
On their end, the attackers moved quickly. They immediately began reconnaissance of the now-compromised user account, looking to identify information or access to exploit. In this case, they discovered that the targeted executive routinely requested wire transfers.
The attackers scoured the email and identified precisely how these requests were made: who the executive emailed, the format of the requests and the amounts of money transferred. Now that they had collected this information, the attackers were ready to strike.
But before doing so, they covered their tracks. To prevent the target from noticing the malicious wire transfer request and any reply, they created a new mail rule that would hide any incoming email from the accounting department in an out-of-the-way folder.
The stage was set and the attackers were ready to go. They then requested a wire transfer to an account they controlled to the amount of $700,000.
Arctic Wolf’s Response
Fortunately, in the meantime, the attack had not gone unnoticed. The first sign of trouble was the initial log in: the attackers logged into the executive’s account from a suspicious country. This raised a high-priority alert in the Arctic Wolf® Platform, which was immediately flagged to the customer. It was decided that no immediate action was needed at this stage, since these alerts can also be generated by employee travel or VPN.
But Arctic Wolf was now monitoring the situation closely. That’s when the second indicator of compromise came in: the new mail rule.
This combination – a suspicious log in followed by a new mail rule – strongly indicated that an attack was in progress. The Arctic Wolf team swung into action to disrupt it.
Arctic Wolf’s security operations team quickly alerted the customer and engaged the customer’s Concierge Security Engineer (CSE). The Arctic Wolf CSE is a dedicated security operations expert who works closely with this retail customer on an ongoing basis to understand their environment and needs. The CSE was then in constant contact with the customer to help monitor and manage the response during the ongoing attack.
Meanwhile, the Arctic Wolf team hurried to understand the objective of this business email compromise. They reviewed the logs and identified the malicious mail rule: It would conceal replies from accounting. So this attack was targeting a wire transfer.
This customer’s CSE had nearly a decade of experience as the CSO of a community bank. The CSE knew intimately how rapidly funds could be stolen by wire transfer and how impossible it would be to recover them. And the malicious request was already being processed.
Working with the customer’s IT security team, the Arctic Wolf CSE connected with accounting, which was able to put an emergency stop to the wire transfer. The $700,000 was safe.
Then the IT team locked down the compromised account and reset its credentials, kicking the attackers out for good.
Enhancing Protection
Arctic Wolf’s engagement did not stop once the attackers were removed from Outlook.
The CSE provided the customer with additional consultation that went into great detail. This guidance helped the customer to revise their wire transfer policies in order to enhance security, in addition to security training and guidance for employees who could be targets for business email compromise (BEC). The customer implemented these suggestions and is now more secure from any future attempts of a BEC wire-transfer smash-and-grab attack.
To learn more about how Arctic Wolf helps other customers with their security, have a look at other entries in this series or read some of our case studies. And to learn more about how we protect customers’ cloud environments, including SaaS tools like Office 365 and IaaS platforms, read about our Managed Cloud Monitoring solution.
