Threat Report: Email Compromise, Partner of Alberta Municipality

Source: Closed Source | Reported to CyberAlberta

Overview:

CyberAlberta recently assisted an Alberta municipality with response to an attempted Business Email Compromise (BEC) attack. BEC is a financially motivated email-based attack that attempts to elicit the transfer of funds from unsuspecting victims to the threat actor’s accounts. 

Threat actors launching BEC attacks typically impersonate high-ranking members of the target organization or business partners who would presumably have the authority to authorize payments. Publicly available information regarding target organizations and their staff members is often leveraged to give the impression that the sender is a trusted contact.

• A member of staff from the municipality received an email from a threat actor impersonating the President of a partner organization, requesting a fraudulent payment be authorized.
• The threat actor claimed the payment was to prevent an upcoming event from being cancelled due to insufficient funds for the venue. The event was a real upcoming event—publicly visible on the partner organization’s event calendar—and was used not just to give the impression of legitimacy, but to also fabricate a time-sensitive issue to apply pressure to the recipient.
• The malicious emails were sent from an address with the legitimate @optimum.net domain. While legitimate, this domain has been flagged multiple times for launching similar attacks. The domain was also found to have a misconfigured DMARC policy. While unconfirmed at this stage, this indicates a realistic possibility that the domain had been spoofed by the attacker. A similar spoofing incident was recently observed in separate email-based attacks targeting the Alberta education sector.

What to Communicate to Executives:

• Consistent Financial Loss: BEC attacks have increased in recent years, in line with many organizations transitioning to remote work, and have continued to be a lucrative attack for cybercriminals. The latest figures from Nasdaq Verafin show that cybercriminals performing BEC attacks accounted for the theft of $6.7 billion worldwide.
• Raise Awareness: Users at all levels and roles, but particularly those at the executive level or in financial roles, should be aware of the threat of BEC attacks. They also should understand how their individual online presences could be used against their organization or business partners.
• Report to CyberAlberta: If organizations received suspicious emails from a sender attempting to facilitate a payment, claiming to be an executive or a member of the financial team of their organization or business partners, please report to CyberAlberta.

Further Reading: