Cyber thieves stealing from businesses and how DMARC can help


I read an article yesterday entitled Cyber thieves stole $215 million from businesses using hacked email addresses. How did they do it? Here’s a key excerpt:

Here's a nightmare scenario: You're working in the accounts department, when you receive an email from your boss, asking that you urgently wire one of the company's foreign suppliers a five-figure sum that has been somehow missed. You do, and then you email your boss to let him or her know—only to receive an email back that reads, "Which wire transfer?"

Yep, you've been scammed—and according to a recent alert from the FBI, it's one that cyber thieves have used to pilfer almost $215 million from businesses over the past 14 months… Rather than spamming thousands of people at a time as with a regular email scam, the "business email compromise" (BEC) swindle specifically targets businesses known to work with foreign suppliers or other businesses, and to routinely use wire transfer payments.

As the article says, this is a nightmare scenario, and it is becoming more common. So how do we stop it?

One way to do it is with DMARC, which protects the From: address that you see in your email client. Many corporations use Microsoft Exchange, which shows your picture when the sending email address matches the person’s account information in Active Directory, for example:

[image: a message in the mail client with the author's picture displayed next to the sender name]

Many people looking at that would be tempted to think it was a legitimate message sent from me. After all, it’s got my picture next to it.

But in this case, it’s not from me, it is spoofed. And that’s where DMARC comes in; it helps protect the From: address from spoofing, and that’s the one you really want to protect because in the corporate environment it really looks like it is an internal message, and therefore your guard is down.

This is one reason why DMARC is critically important for businesses – it helps cut down on malicious spoofing like this, which is how hackers break in much (most?) of the time. You need to deploy DMARC!

For more information on how to do this in Office 365, please see this previous blog post: Using DMARC in Office 365.
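To make the From: protection concrete, here is an added example (not code from the original post or from any Microsoft product) of the core DMARC decision: the receiver looks up the sender domain's policy, checks whether SPF or DKIM passed, and, crucially, whether the domain that passed aligns with the domain in the visible From: header. The records, domains and authentication results below are constructed, and the organizational-domain logic is a simplifying assumption (a real evaluator consults the Public Suffix List).

```python
# Added example: minimal DMARC policy evaluation showing why an aligned
# identifier protects the From: header the user actually sees.
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value list of a _dmarc TXT record into a dict with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")    # policy applied when DMARC fails
    tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment:  r(elaxed) or s(trict)
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    Real implementations use the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope (RFC5321.MailFrom) domain SPF was checked against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def evaluate_dmarc(record: dict, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes only if SPF or DKIM
    passes AND that passing identifier aligns with the From: domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", record["p"])   # none = deliver and report, quarantine, or reject


# Constructed scenario: the sending server passes SPF for its own domain, but the
# From: header claims the company domain, so nothing aligns.
SPOOFED_BOSS = AuthResults(
    from_domain="example.com",
    spf_result="pass", spf_domain="mail.attacker.example",
    dkim_result="none", dkim_domain="")

# Constructed scenario: the genuine message, DKIM-signed with the company's key.
GENUINE_BOSS = AuthResults(
    from_domain="example.com",
    spf_result="pass", spf_domain="bounce.example.com",
    dkim_result="pass", dkim_domain="example.com")

ENFORCING = parse_dmarc_record(
    "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
MONITOR_ONLY = parse_dmarc_record(
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, rec in (("p=reject", ENFORCING), ("p=none", MONITOR_ONLY)):
        print(name, "spoofed:", evaluate_dmarc(rec, SPOOFED_BOSS),
              "genuine:", evaluate_dmarc(rec, GENUINE_BOSS))
```

Note the difference between the two records: with p=none the spoof still fails DMARC and shows up in the aggregate reports sent to the rua address, but it is delivered; only p=quarantine or p=reject actually keeps it out of the inbox, which is why "deploying DMARC" means moving to an enforcing policy, not just publishing a record.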

Now, in this article, I did take a few liberties. The article is not about spoofed messages from the outside but instead about hacked accounts on the inside. That is, a hacker broke into someone’s account by stealing his username and password. He then logged into that account and sent a message from it (i.e., a real message) to someone else. In this case, DMARC wouldn’t help, because it is an internal message and would have passed DMARC, if it was even checked at all.

Those types of compromises are more difficult to detect, so you have to have a product that monitors those sorts of things – intrusion detection and hackers moving laterally. There are a few products out there that do this sort of thing.
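As an added illustration of the kind of signal such monitoring looks for (this is example code written for this post, not any product's detection logic), the heuristic below correlates sign-in events with outbound mail: a payment-themed message sent from a mailbox whose most recent sign-in came from a country never seen for that user before is flagged. Every log line, address, IP and country code is constructed, and the log format and keyword list are assumptions.

```python
# Added example: a toy detection for the compromised-account case that DMARC
# cannot catch, because the message is genuinely sent from the victim's mailbox.
from datetime import datetime

PAYMENT_KEYWORDS = ("wire transfer", "urgent payment", "bank details")

# Constructed sign-in events: key=value fields, one event per line.
# "XX" is a placeholder country code, not a real country.
SIGNIN_LOG = [
    "2015-02-09T08:02:11Z user=ceo@example.com ip=203.0.113.7 country=US result=success",
    "2015-02-09T08:30:00Z user=ap@example.com ip=203.0.113.9 country=US result=success",
    "2015-02-10T07:58:40Z user=ceo@example.com ip=203.0.113.7 country=US result=success",
    "2015-02-10T13:40:05Z user=ceo@example.com ip=198.51.100.23 country=XX result=success",
    "2015-02-10T13:41:12Z user=ap@example.com ip=203.0.113.9 country=US result=success",
]

# Constructed outbound mail log; the subject is always the last field.
MAIL_LOG = [
    "2015-02-10T09:15:00Z from=ceo@example.com to=staff@example.com subject=Board meeting agenda",
    "2015-02-10T13:52:30Z from=ceo@example.com to=ap@example.com subject=URGENT wire transfer to new supplier",
    "2015-02-10T14:03:10Z from=ap@example.com to=ceo@example.com subject=Re: URGENT wire transfer to new supplier",
]


def parse_kv_line(line: str) -> dict:
    """Parse 'timestamp key=value ... [subject=free text]' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    if " subject=" in rest:
        rest, subject = rest.split(" subject=", 1)
        fields["subject"] = subject
    for token in rest.split():
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def detect_suspicious_payment_requests(signin_log, mail_log) -> list:
    """Flag payment-themed mail whose sender's latest sign-in came from a
    country absent from that sender's earlier sign-in history."""
    signins = sorted((parse_kv_line(line) for line in signin_log), key=lambda e: e["ts"])
    mails = sorted((parse_kv_line(line) for line in mail_log), key=lambda e: e["ts"])
    alerts = []
    for mail in mails:
        subject = mail.get("subject", "").lower()
        if not any(k in subject for k in PAYMENT_KEYWORDS):
            continue
        user_signins = [s for s in signins
                        if s["user"] == mail["from"] and s["result"] == "success"
                        and s["ts"] <= mail["ts"]]
        if len(user_signins) < 2:
            continue  # no history to compare against; a "new user" rule would cover this
        latest, history = user_signins[-1], user_signins[:-1]
        baseline = {s["country"] for s in history}
        if latest["country"] not in baseline:
            alerts.append({
                "user": mail["from"], "to": mail["to"], "subject": mail["subject"],
                "signin_ip": latest["ip"], "signin_country": latest["country"],
                "baseline": sorted(baseline),
                "minutes_since_signin": (mail["ts"] - latest["ts"]).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_payment_requests(SIGNIN_LOG, MAIL_LOG):
        print("ALERT:", alert)
```

Run against the constructed logs, only the CEO's "wire transfer" message is flagged: it was sent twelve minutes after a sign-in from an IP and country that user had never used, while the accounts-payable reply on the same thread is not, because that sender's sign-in matches their history. A real product would combine many such signals (impossible travel, new inbox rules, unusual recipients), but the principle is the same: when the message itself is authentic, you have to look at the account's behaviour instead.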

Security needs to be done in layers, and this article, and this blog post, illustrate why – because the type of detection is different depending on where the threat is coming from.

Comments (1)

  1. Tom says:

    This looks like a Social Connector vulnerability.  I sent MSRC (blogs.technet.com/.../msrc) a similar scenario and suggested loading a picture under a spoofed condition would generate liability.  They did not consider it a valid vulnerability.  I think this is a problem as valid externally as internally.  How can you be sure the Sender is who they say they are?  With DMARC at 32.5% global adoption, (https://eggert.org/meter/dmarc) a Sales department is going to insist on letting the rest of the messages through.  This is the nastiest of problems that gets people fired on both sides - i.e. Target's CEO vs. CIOs in general.  
