BEC, Domain Jacking Help Criminals Disrupt Cash Transfers

The two hacking methods occur independently but are being used in concert to steal funds that are part of online payments and transactions.

Shane Shook, Venture Consultant at Forgepoint Capital

April 8, 2020

6 Min Read
Dark Reading logo in a gray background | Dark Reading

Spoofed emails and bogus domains allowed bad actors to intercept a $1 million cash transfer between a Chinese venture capitalist and an Israeli startup, Vice recently reported. And rather than just a one-off, the scenario could easily recur anytime two parties exchange money… even experienced users who think they're protected. 

These attacks are done by tricking the paying party into sending the money to an account that appears to be the payee but is not. This should grab the attention of investors, who should always take precautions particularly during significant transactions. A few things to ask before completing a money transfer:

  • Do I really know who I'm sending money to?

  • How do I know?

  • What should I do to protect myself?

Know Your Customer
Business email compromise (BEC) and "domain jacking" are popular methods used by hackers to hijack unwary users. The two methods occur independently, but in recent years have been used in concert to achieve financial fraud in supply chain and vendor payments, customer refunds, foreign exchange currency accounts management, and investment transactions. When money changes hands between counterparties, it is important to know who they (all) are.

In recent years, BEC gangs have taken advantage of social trust engendered by frequent electronic interactions by focusing on related third-parties and using compromised services to interleave or wholly redirect communications between target counterparties of financial transactions. This has led to more than $26 billion in estimated losses from BEC fraud since 2016, according to FBI statistics.

When people think of BEC, they commonly mistake the cybercriminal’s interest as merely intending to cause information loss from the email target. However, determining who the target communicates with, and how often, (the "social graph") from BEC is more valuable to cybercriminals. The social graph is determined by analyzing the frequency in correspondence between victim companies and their customers, investors, services providers, suppliers, and even family and friends. The endgame: Compromise a victim's entire network.

BEC may include compromise of the victim's email services. More sophisticated cybercriminals avoid this tack since that only gives them limited control over the configuration of a system owned by a victim. Thus, they risk leaving evidence for investigators to discover who the criminals are. That's why they have also shifted away from domain-changing malware that changes the lookup for related Internet addresses on a computer (or mobile phone), and instead prefer attacks on the routing architecture that businesses and even home or mobile users rely upon.

More often though, sophisticated cybercriminals will use social graph analysis and engineering domain info to perform "brandjacking," or "typosquatting," simple modifications to the domain names used by common correspondents in business emails. Some are obvious, such as an extra letter or a different top-level domain – .co rather than .com or etc., for example. Some are less obvious – such as a modified character set that is not visibly different to a human but is processed differently by a computer.

Can you spot the differences in these addresses? Would you spot them every time?

Cybercriminals Are Anti-Social
The reason that domain jacking has been used in concert with social graph analysis from BEC is that today's cybercriminals have realized the power of identity. By following the interactions of correspondents, they can choose when and how to use man-in-the-middle (MITM) attacks with maximum effect by impersonating rather than merely intercepting messages. Cybercriminals can interdict common messaging between participants with social references that are familiar from past communications or from public information sources. Thus, by promoting focus on the message, they can obscure indicators that might otherwise tip off a message recipient to an impersonated email address.

Financial transactions are particularly vulnerable to social engineering through these concerted BEC and MITM activitism as they include traits like an established relationship of trust between two parties; regular or typical correspondence between the parties; and defined expectations (and intent) of time and actions by each.

Trust is developed between parties in financial transactions principally on the basis of identity and repetitive correspondence. However, our social nature leads to anti-social opportunities that, after all, are characteristic of cybercriminals.

When a payee account number change is requested by a supplier who has frequent email communication with the payor they are more likely to request verification (if at all) by email than otherwise. When significant transactions occur, such as investments, the transactions are negotiated over time and with social clues that the counterparties develop that can be mimicked by cybercriminals to take advantage of the transaction and redirect the funds.

Trust, But Verify
There are several precautions you can take to protect your information:

  • Keep your computer and phone software updated and run antivirus scans regularly.

  • Use email, domain, and CASB filtering and monitoring services.

  • Use multi-factor authentication with email, social, and financial services accounts.

  • Use encrypted messaging services such as Slack or Signal rather than email for social or developmental correspondence.

  • Don't use the same Internet browser for financial transactions that you do for other purposes. Use a single-session virtual instance or application isolation.

  • Monitor or periodically audit your social profile on the Internet to see who might be lurking in your "friends" as one-degree of separation from your actual friends.

  • Conduct physical audits during transactions and related negotiations.

  • Always verify all participants in conference calls or Web meeting rooms.

  • During transactions audit KYC details of the payee with their financial institution.

  • Remember that the details of your identity, particularly your history and your social graph, are what's most valuable to a hacker.

Hacking for BEC and MITM as well as other purposes will continue. Those activities are too easy to perform because too many (technical and social) vulnerabilities exist. Combating these activities essentially begins with accepting this truth. 

Given our reliance on technology, we need to manage technology as we would our other social situations and verify who we are talking with, when, where, and why. Email filters such as "Impersonation Protection," SPF, and DKIM are useful and even essential technologies – but are subject to these evolving BEC techniques. So just as we'd do when passing a secret (or cash) to a friend, verify that it's really person they claim to be.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

About the Author

Shane Shook

Venture Consultant at Forgepoint Capital

Shane Shook, PhD. is a recognized veteran of information technology and security consulting. An author, trainer and expert witness in cybercrime investigations, Dr. Shook works with the team at Forgepoint Capital while also serving as an advisor to several companies in the US, UK and Japan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights