Business Email Compromise (BEC) group targeting the academic sector

We have observed a regional threat, targeting and attacking the UK academic sector. We have identified them through their attacking behaviours, sources of login activity, and phishing techniques. Here we present the knowledge of their tactics, techniques and procedures (TTPs) observed and how to identify them, to help institutions defend against future attacks.

This activity group uses large scale phishing attacks to conduct financial fraud against UK Universities, and we assess with moderate confidence that these activities closely resemble those of Nigerian cybercrime groups. The attribution has been made through IP address geolocation found during investigations, Business Email Compromise (BEC) techniques and similarities seen in research performed by other security researchers. This activity has been seen to come in waves throughout the academic year with most recent activity reported in December 2018. Across several security incidents handled by CSIRT, their tradecraft has been tracked and using a behavioural analytic approach we class them as an activity group with set observed tactics. The target objective of the group is to steal money via site staff payroll. They seek to phish HR or payroll system credentials in order to change the bank account details of staff, in turn redirecting wages to a third-party account.

The tactics involved in these campaigns show a level of sophistication in evading detection methods:

• Using compromised websites to host fake login pages – the legitimacy of the compromised site can bypass reputation checks performed by IDS and URL scanning solutions
• Using high reputation email MSAs (mail submission agent) from other academic institutions provides a higher trust within e-mail systems, often bypassing blacklists.
• Display names are spoofed, appearing to be a local email address such as the IT department or HR department.

Figure 1 Diagram explaining the phishing attacks performed by the criminal group

It is worth noting that the activity group may target an academic institution simply to use their MSA to send mail out to another academic institution, using a mass mailer such as Turbomailer (see appendix B). They have achieved this by obtaining local VPN credentials, which once on the trusted network, allowed them to use the institution’s MSA.
 

Observations

The BEC activity group, which we have labelled as JSOC-AG-WAGEHAWK, are organised with objectives and set working methods. We can map the methods seen to an operational kill-chain (It is similar to the kill-chain referenced in a related report by Crowdstrike[2]):
 

1. Reconnaissance and target identification:
   - Understanding roles of key staff at the University
   - Email address harvesting
2. Delivery: Templated but convincing emails are sent with embedded links that direct the user to fake portal pages. These landing pages are often hosted on compromised European commerce domains, capturing phished user credentials and then redirect to the real login page. It is common for other compromised academic user accounts to be used to send out these phishing campaigns, potentially utilising tools such as Turbomailer and MaxBulk Mailer (see Appendix B) to facilitate mass emailing.
3. Lateral movement: The captured user webmail login (or user VPN account) is used to either a) mass email further phishing e-mails internally (or to another academic institution), or b) abuse internal business processes.
4. Exploitation: Compromised credentials are used to log in to Payroll and HR systems to make changes to account details resulting in salaries being transferred to a third-party bank account.
5. Action on objectives and monetisation: Funds are transferred to international bank accounts and during the campaign we have seen the involvement of money mule operations.

Applying the Diamond model of intrusion analysis[4], we observed a pattern of attacks made across an 18-24 month period (see below diagram). These TTP have been observed targeting multiple victims, and the group has performed a sporadic but continuous phishing campaign using consistent tactics. The IP addresses involved are often assigned to domestic Nigerian ISPs within large DCHP pools. We have been able to identify a number of autonomous systems (ASNs) that bring a higher risk of malicious login attempts. This is due to the number of IP addresses within a single prefix that have been involved in BEC incidents investigated by CSIRT and also security researchers work[2]. It is worth noting however that these ASNs are also home to host legitimate users and businesses.

Figure 2 Diamond Model Intrusion Analysis mapping of threat group
 

Defensive security solutions

There are a range of recommended options to help detect and/or protect against this activity and we have detailed those below.
 

• Protect Portal account access with 2FA

An important defence against persistent threats covered in this article is having two-factor security on internal portals accessible from the web, such as H.R. portals. If this is not present phished credentials can be used to amend employee bank details.

• Mark important accounts

E-mail systems can be configured to detect spoofed headers where e-mails sent from outside the institution use the From field in the mail header to impersonate key staff such as the IT or finance manager, or the vice chancellor. Your e-mail system might allow you to add a warning or quarantine the e-mail upon a match. Microsoft have published an article on how to add such a warning: https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/

Another method would simply be to mark all externally received e-mails with a tag in the subject line. Note that this may break some forms of e-mail signing.

• Set up stricter controls on From address/return-path address

Observed behaviour of this group includes spoofing the ‘display from’ address to appear as a local address. Implementing incoming mail filtering controls that detect unmatched ‘display from’ to return-path email addresses could prevent similar activity from impacting the institution. These controls should be applied with caution as to not interrupt other mail flows.

• Utilise URL scanning functionality within email software/providers

URL scanning is successful in combating many phishing scams. However, their effectiveness against pages hosted on compromised sites is not guaranteed.

• Limits or alerting on large volumes of outgoing mails from single accounts

Academic student account credentials are phished for the good reputation of the mail servers. The phishing group will abuse the mail accounts to send 1000’s of emails in quick succession. Alerting on large volume mail sends will highlight account abuse. Another possibility is rate limiting on outbound email for student accounts.

• Implement SMTP authentication

Ensure that all your SMTP MSAs use authentication and do not relay e-mail simply based on the IP address of the client. This prevents attacks that pivot from a trusted IP address.

• Use the Jisc blacklist service

Freely available blacklist to protect against known, abused spam relays. This is available from securityservices@jisc.ac.uk : https://www.jisc.ac.uk/blacklists

• Microsoft Azure Active Directory risk-based security policy and conditional access

Microsoft Azure Active Directory can create “risk events” that are associated with sign-in activity (see screenshot below). These could be sign-ins from atypical locations, or sign-ins where travel between locations would be at an impossible speed.

Conditional access can also be used to mandate a second authentication factor for sign-in events from specified countries or address ranges.

Figure 3 Microsoft Azure risk events

• Utilise RBLs (real-time blackhole lists)

Some RBLs such as SpamRATS (aka RATS-NoPtr) provide information on IP addresses that have been observed performing abusive behaviour, brute force attacks, or that have no/incorrect reverse DNS records.

• Risk/Trust scoring based on IP address / prefix

Associating a suspect IP address or prefix from the ASNs listed above with a heightened risk level or lower trust score could help detect activity targeting your organisation.

• Recognise/prevent an adversary from scraping

“Recognize that the adversary scraping your external Web servers looking for documents is the same adversary who then sends a phishing email” [1]

Review how email contact information is published on your website and consider how access to this information by a single scraping tool might be abused (such as Atomic email hunter (See appendix B)).

• Referrer monitoring

Common behaviour we’ve seen is for the phishing site, often a cloned version of the real website, to redirect to the organisations website once the user has entered their credentials.  Detecting whether your portal website has been cloned externally could be done by monitoring the referrer field in your web server access logs

Referrers can indicate how the user arrived at your website. Whilst there are a number of legitimate reasons why a third party would redirect to your website. Whitelisting within your monitoring should narrow down to a list of possible suspects.

• Canary tokens

Canary tokens (free on canarytokens.org) can also be placed in the site graphics, generating an alert if it is hosted outside the institution’s web server.