How BEC Actors Abuse DMARC to Impersonate Trusted Contacts
Learn how BEC actors abuse DMARC to impersonate trusted contacts for wire fraud and what steps you can take to protect your organization from risk.
2020 has been a tough year for our world with a global pandemic, a massive shift to remote work environments and maturation in tactics related to business email compromise (BEC) fraud. With the majority of global workforces still working from home, this model has now become the new normal and is unlikely to change in the months, potentially years, to come.
In 2020, BEC fraud campaigns widely abused Domain-based Message Authentication Reporting & Conformance (DMARC) email authentication protocol to perform email spoofing. This has resulted in significant losses through wire transfers performed by victims of BEC fraud attacks.
What is DMARC?
DMARC is an email protocol which authenticates the domain of the sender's “from” email address. Policies are implemented to let email clients and recipients know that the message is protected by Sender Policy Framework (SPF, server DNS validation) and/or Domain Keys Identified Mail (DKIM, email signing). The policy is also configured with particular conditions, which dictate what to do if the email is not protected accordingly or has failed to meet certain criteria.
Over one million domains contain DMARC records. Popular email tools leverage policies around DMARC, SPF and DKIM to enforce email authentication policies. This is critical when it comes to third party domains outside that of the organization, in helping identify and mitigate phishing attacks. When configured correctly, these security tools are able to quarantine emails for future release, block them completely and/or present a banner message warning the recipient the email could be malicious.
What’s the problem?
Organizations have created DMARC records for domains but not configured nor enforced authentication appropriately. An analogy to this is like having antivirus installed on a computer without an updated signature list and not running in memory. The result is that others believe that the computer is protected by antivirus when it is not, due to an improper configuration and use of the solution.
DMARC policy enforcement is generally ineffective, with only 14 percent enforcing it properly, according to Valimail. This is likely due to an emergent 5x increase in adoption of DMARC over the past four years, representing challenges for organizations as they initially deploy and configure this new security solution.
The majority of organizations using DMARC are still able to be spoofed because they either have no DMARC policy enforcement in place or configurations for enforcement. For example, domains with DMARC records often have a policy setting of “p=none” (monitoring mode), achieving a false sense of security that emails are authenticated for this domain when there is actually no enforcement. Other challenges exist with proper configuration and management of DMARC, including configuration for subdomains, ordering of records and properly configured SPF records and DKIM keys.
What are the threats?
In 2018, new TTPs affiliated with BEC fraud were disclosed online involving heavy abuse and migration to cloud solutions for the benefit of adversaries. Typo-squatting (URL hijacking with typos in a domain name) of similar domains to a BEC target, coupled with Autodiscover Trust (Outlook 365 security control) configurations for rogue sub-domains, punycode usage (Unicode domain names) and other tactics emerge. In many respects, this time period marks a notable change in the world of BEC fraud maturation leading to DMARC TTPs now seen globally in large scale fraud operations in 2020.
According to the FBI, BEC fraud continues to skyrocket both in terms of prevalence and losses. The average loss per scam is estimated at $75,000 USD, with over a quarter million cases reported in 2019. The actual number of occurrences is likely to be far higher than those reported, with an upward trend of more attacks, more losses and greater sophistications year on year.
Historically, phishing emails contained obvious errors allowing most recipients to easily spot fakes. Modern BEC attacks, however, are efficiently executed using well-crafted emails which appear to be genuine, making it extremely difficult to detect hostile content from a legitimate request. Mature fraud operations use clever reconnaissance to identify and target individuals for spoofing, such as "CEO," "managing director" and "vice president."
Other factors such as changes to architecture, adoption of cloud services (such as Office 365), failure to implement correct configurations and ineffective security controls all continue to negatively impact the changes in the tools, tactics and procedures used by malicious actors.
“Cosmic Lynx” are a malicious Russian group introducing more sophistication to the BEC methodology. They are well-funded and well-organized, with highly comprehensive attack methods carefully researched and refined ahead of delivery. Their targets are predominantly Fortune 500 financial services organizations, particularly those undergoing merger and acquisition activities.
The group attempts to impersonate corporate executives to bypass security controls and garner trust with hostile emails. The experienced criminals have acute knowledge of M&A procedures, knowing exactly where and how to insert themselves into the high value transaction process.
The group targets organizations with poorly configured DMARC protocols on their domains. Techniques include hijacking a domain, hijacking email and/or DMARC abuse tactics in order to send phishing messages appearing to be authentic. Once they have established a foothold inside the network, they quickly learn payment processing rules, study language and tone of emails, identify key members of staff and harvest knowledge on critical third parties and any platforms involved — recognizing the potential vulnerabilities and looking for the most lucrative opportunity to exploit the process, often without any detection.
As of December 2020, Cosmic Lynx has already launched over 200+ campaigns in 46 countries, leading to substantial theft of funds via fraudulent wired payments.
What can I do?
Implement a DMARC security solution and configure it properly to ensure it is enforced as designed for improved email authentication and security. Perform appropriate levels of governance, review, evaluations and auditing of your DMARC deployment to ensure it is working as designed to lower risk.
Hostile actor groups like that of Cosmic Lynx perform reconnaissance of targets via company websites, social media and other information found on the Internet. Implement policies and awareness training to limit exposure of any such information that may be weaponized against high value executives (spear phishing/whaling/BEC attacks).
Ensure compliance and awareness and consider controls specific to executives, where higher risk exists. Ensure that legal and security teams are involved in helping create, deploy and manage all such policies and enforcement for an organization.
If you haven’t added DMARC to your formalized risk management program, do so. This includes but is not limited to third party assessments, regular reviews and evaluation of DMARC and related email security components as part of organizational governance.
BEC fraud is big business for sophisticated, efficient, global fraud operations. User awareness training for all employees, contractors and temporary workers is often under-rated as an effective proactive detection and prevention control. Each incident commonly involves losses between hundreds of thousands (or millions) of dollars due to wire transfers performed unwittingly by manipulated organizations. Migration to the cloud has resulted in a number of security challenges making it even easier for adversaries to perform fraud operations undetected.
Ensuring strong security policies and procedures are in place, from design to deployment, is critical — especially related to email and cloud solutions — to best address BEC fraud operations. Implement strong DMARC practices with enforcement to lower risk, perform user awareness training and regularly audit and test solutions to ensure compliance and effectiveness for desired risk management outcomes.