Last week one of our channel managers, Brian Byrne, joined ConnectWise over in the UK for their roadshows. These events visited Newcastle, Reading, and Manchester and brought ConnectWise and a few select vendors together to help inform MSPs about the major issues they face in today’s digital world.
With football stadiums as backdrops, Brian educated attendees on the mechanics of impersonation attacks. Below is an overview of Brian’s presentation for those who were unable to make it to the events.
Impersonation attacks are emails that impersonate a trusted individual or company in an attempt to gain access to corporate finances or data. Business email compromise (BEC), also known as CEO fraud, is a popular example of an impersonation attack.
“The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 Billion.”
According to the City of London Police’s National Fraud Intelligence Bureau (NFIB), the highest reported loss from a single CEO fraud attack is £18 Million (~$24,000,000 USD). They also report that on average a single CEO fraud attack costs a business around £35,000 in losses, highlighting the devastating effects that impersonation attacks like CEO fraud can have on an organization.
These types of attacks can be difficult for users to identify for many reasons, although the main reason is a lack of attention to detail.
For example, below is the same email address written three times. One of them has a spelling mistake in it; how fast can you spot it?
Spelling mistakes like the one above can be easily overlooked during a busy workday, but companies should be sure that their users are closely inspecting email addresses, especially when the email is requesting something of the user.
“do yuo fnid tihs smilpe to raed? Bceuase of the phaonmneal pweor of the hmuan mnid, msot plepoe do.”
Even with careful inspection, users may not be able to spot an irregularity. The scammer can use simple tactics like switching a lowercase l with a capital I or including the actual domain in a longer address. Both are seen in the examples below:
Constructing an Impersonation Attack
Step 1: Finding the Victim
Impersonation attacks use social engineering to identify potential victims. Social media accounts such as LinkedIn, Facebook, and Twitter are a great way to identify key aspects of a victim’s life.
To showcase how much information can be collected from social engineering, take a look at what can be found from my teammate Brian’s internet presence:
This profile can be found on The Email Laundry website on the About Us page. While this short bio may seem harmless it actually contains a lot of information for scammers:
Name: Brian’s full name is displayed, which will come in handy when creating/spoofing a corporate email account. This also helps when doing additional social engineering.
Job Title: This helps to identify what Brian’s role is within the company, allowing for scammers to assume who he would talk to both within the company and with external vendors and customers.
Short Bio: While the bio doesn’t give too much away it does highlight the fact that Brian works with customers directly and more specifically MSP customers.
Just from the information collected from the official Email Laundry website, Brian’s other social accounts can be easily found.
Since we now know an employee named Brian Byrne works at The Email Laundry, we can quickly find his LinkedIn account. This profile gives us additional information:
School: A scammer could use Brian’s old school to impersonate one of his old classmates to get Brian to click on a phishing link.
His Email Address: Listed in the experience section (below) Brian freely gives out his email address, making it easy for a scammer to spoof it or create a similar email address.
Job Duties Overview: While Brian hasn’t listed his job duties for The Email Laundry in his experience section, he does list his experience from his last job (below), which is most likely similar to his current position.
His Tone: Brian’s LinkedIn profile is written by himself personally, which means that a scammer can examine how he writes, his tone, and the words he uses frequently. This can be used to customize the email of the impersonation attack.
A simple Google search of Brian’s name, his company’s name, and the search term “Twitter” quickly brings up Brian’s Twitter account.
A Twitter account can show a lot about the target victim: their tweets and retweets can identify favorite activities and interests. Twitter is also a great way to identify where the victim is or where they may be going if they are using an event hashtag or giving in-the-moment updates.
Even without looking through a victim’s tweets, their profile can reveal sensitive details for an impersonation attack.
Location: While having your location on Twitter helps users to connect to other local users, scammers can use the information that Brian is based in Dublin to help identify when he is out of the country or to target him with Dublin-based phishing emails.
Bio: Unlike LinkedIn, Brian’s Twitter bio includes some personal interests and information about himself. This includes his favorite football team, music taste, and activities he participates in.
Email: His Twitter profile also shows another company email address, giving the scammer another way to spoof or create a similar address.
Step 2: Creating Credibility
As shown above, there is a large amount of information that scammers can use to target Brian as an impersonation attack victim. While social engineering is a great way to get to know the potential victim, it can also be used to create credibility, increasing the likelihood of a user completing an action.
To set the stage for the attack, a scammer will use social engineering to identify a chain of command within the company, customers/vendors/partners of the company (or even the victim in particular), as well as holidays and events that the company/victim may be observing or attending. They will also use the above social engineering tactics to better impersonate Brian’s boss, one of his co-workers, or another trusted individual.
Utilizing the About Us page on The Email Laundry’s website a scammer could identify who Brian’s boss may be, and since his company email is email@example.com, it is likely his boss’s email will be in the same format.
Scammers can also check to see if any of the victim’s (or someone in their company/social circle) login details were compromised from a data breach or previous attack. This is especially likely if the victim is using widely used email services such as Yahoo, Gmail, or OWA.
The site HaveIBeenPwned.com is a great way to see if your email address, or that of someone you know, has been compromised in a breach. Below are the results given when the email address of one of Brian’s bosses is searched on the site:
If Brian’s boss had not changed his password after each of these breaches, this information may be easy for the scammer to find online and use against Brian.
Step 3: Choose Attack Type
There are a variety of ways someone can construct an impersonation attack; however, below are the top three tactics a scammer will use:
- Register a Similar Domain
One way a scammer can impersonate a user is by registering a similar domain and creating an email address similar to that of the person they are impersonating. This is shown below, in which a scammer has identified Mike Smith as Brian’s boss and sent him an email with a domain similar to The Email Laundry’s.
- Edit the Display Name of an Email Address
The display name of an email is easily spoofed, and while it may be easy to spot on a desktop email client or through webmail, many mobile clients will only display the display name. With only the display name shown it can be easy for victims to fall for an impersonation attack. Below the same email is shown, first on a mobile client and second on a desktop client.
- Create a free email account
Another way a scammer will attempt to impersonate an email address is to register for a free email account (Gmail, Yahoo, Hotmail), and then inform the victim that they were locked out of their work account, as seen below:
All three of these tactics will get through any traditional anti-spam service, as the senders will likely not be listed on any Real-time Blacklist (RBL) or flagged by anti-virus engines. The emails also contain no URLs or links, meaning anti-spam URL scanners will not pick up anything suspicious. Finally, these emails do not contain any suspicious content or attachments, allowing them to bypass the content-level checks of many filtering services.
How to combat Impersonation Attacks
In order to protect against impersonation attacks, an email security service should be put in place.
This service should address advanced threats and include protection against looks-like and sounds-like domains, friendly display name filters that match friendly names with internal user data, and display name and reply-to address analysis.
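To make those three checks concrete against the tactics in Step 3, here is a minimal sketch added as an illustration; it is not The Email Laundry's product logic. The protected domain example.com, the staff list, the finding labels and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions): the protected domain and staff directory.
ORG_DOMAIN = "example.com"
STAFF = {"mike smith", "brian byrne"}

# Characters commonly swapped for one another; case is folded first, so a
# capital I standing in for a lowercase l is covered by the "i" entry.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})

def skeleton(domain):
    """Fold look-alike characters so visually similar domains compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse(from_header, reply_to_header=""):
    """Return the impersonation findings for one message's From and Reply-To."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    internal = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    findings = []
    if not internal:
        if skeleton(domain) == skeleton(ORG_DOMAIN):
            findings.append("lookalike-domain:confusable-characters")
        elif ORG_DOMAIN in addr.lower():
            findings.append("lookalike-domain:real-domain-embedded")
        elif edit_distance(skeleton(domain), skeleton(ORG_DOMAIN)) <= 2:
            findings.append("lookalike-domain:near-miss-spelling")
        # Staff name on an outside address: display-name spoof or free-mail account.
        if " ".join(name.lower().split()) in STAFF:
            findings.append("display-name:staff-name-on-external-address")
    reply_domain = parseaddr(reply_to_header)[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append("reply-to:domain-mismatch")
    return findings

if __name__ == "__main__":
    for hdr in ("Mike Smith <mike.smith@exampIe.com>",            # constructed samples
                "Mike Smith <mike.smith@example.com.mail-portal.net>",
                "Mike Smith <mike.smith.office@gmail.com>"):
        print(hdr, "->", analyse(hdr))
```

The near-miss threshold of 2 is tuned for a domain of this length; for short domains it would need to be tighter to avoid flagging unrelated senders.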
Other things to consider when choosing an email security service:
- Is the actionable information created in-house or by a third party?
- Are all services from a tier 1 service provider?
- How is the service ranked on review sites like Gartner Peer Insights and Spiceworks?
The number of impersonation attacks continues to rise, so it is important that your business is protected. If you would like to find out more about The Email Laundry, impersonation attacks, or our Impersonation Detection you can visit our full stack email security page here or view our Impersonation Detection brochure here.