The FBI warns that hackers are increasingly relying on email auto-forwarding rules to hide their presence in compromised email accounts. In a Private Industry Notification (PIN) released yesterday, the FBI reported that this technique has been observed in BEC attacks reported over the summer. The technique is based on a feature found in some email services called "automatic email forwarding rules". This feature allows the holder of one email address to set "rules" that forward an incoming email to another address if certain criteria are met.
Hackers rely on automatic forwarding rules because they let them receive copies of all incoming messages to a mailbox without having to log in to the account every day and risk triggering a security alert for a "suspicious" login.
In addition, the FBI noted that it received numerous reports over the summer that the technique had been used repeatedly by gangs involved in BEC scams. BEC is a form of cybercrime in which hackers breach email accounts and then send emails from the breached account, trying to persuade other employees or business partners to approve payments to attacker-controlled accounts.
The FBI cited two instances in which hackers behind BEC scams abused email forwarding rules during their attacks:
- In August 2020, hackers created rules to automatically forward email in the recently upgraded webmail client of a US-based medical device company. The webmail was not synchronized with the desktop application, so the rules went unnoticed by the victim company, which monitored automatic forwarding rules only in the desktop client. Additionally, RSS was not enabled in the desktop application. After gaining access to the network, the hackers impersonated a well-known international supplier. They created a domain whose spelling was similar to the victim's and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment. The hackers obtained $175,000 from the victim.
- In August 2020, in another similar incident, hackers created three rules within the webmail used by a construction company. The first rule automatically forwarded any email containing the search terms "bank", "payment", "invoice", "bank transfer" or "check" to the hackers' email address. The other two rules were based on the sender's domain and forwarded matching mail to the same email address.
FBI officials say many companies around the world are falling victim to this technique because they do not synchronize email settings between web-based accounts and desktop clients. This, in turn, limits the visibility of the company's security administrators and security software, which can configure and detect forwarding rules but may remain "blind" to new rules until synchronization takes place.
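A defender-side check for the pattern described above, added here as an illustration (not code from the FBI notification): it scans mailbox audit records for newly created or modified inbox rules that forward to an address outside the organization, and raises the severity when the rule also filters on the financial keywords the construction-company case used. The record layout, field names and sample entries are constructed assumptions loosely modelled on Exchange-style rule audit events, not a real log export.

```python
# Constructed sample audit records; the field names are an assumption,
# not a verbatim product log format.
ORG_DOMAINS = {"example.com"}
FINANCE_TERMS = {"bank", "payment", "invoice", "wire", "check"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Finance"},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "Bank;payment;invoice;wire transfer;check"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.3",
     "Parameters": [{"Name": "Name", "Value": "Vendor copy"},
                    {"Name": "FromAddressContainsWords", "Value": "supplier.example.org"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.3",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.3",
     "Parameters": [{"Name": "ForwardTo", "Value": "bob.backup@example.com"}]},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address, org_domains):
    """True when the address's domain is not one of the organization's domains."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def audit_forwarding_rules(records, org_domains=ORG_DOMAINS):
    """Return findings for rule changes that forward mail outside the organization."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue  # only rule creation/modification events matter here
        params = _params(rec)
        targets = [t.strip() for name in FORWARD_PARAMS
                   for t in params.get(name, "").split(";") if t.strip()]
        external = [t for t in targets if _is_external(t, org_domains)]
        if not external:
            continue  # internal forwarding is business as usual
        keyword_text = (params.get("SubjectOrBodyContainsWords", "") + ";"
                        + params.get("SubjectContainsWords", "")).lower()
        hits = sorted(term for term in FINANCE_TERMS if term in keyword_text)
        findings.append({"user": rec["UserId"], "client_ip": rec.get("ClientIP"),
                         "targets": external, "finance_terms": hits,
                         "severity": "high" if hits else "medium"})
    return findings
```

Because the check reads the server-side audit trail rather than a desktop client's view of the mailbox, it does not depend on the webmail-to-desktop synchronization the FBI identified as the blind spot.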
The FBI PIN contains a number of key mitigations and recommendations for system administrators to counter this particular attack technique and prevent future abuse.
According to ZDNet, the PIN comes after the FBI reported earlier this year that BEC fraud was by far the most costly form of cybercrime in 2019, accounting for 50% of the cyber losses reported last year.