The NCSC released a fascinating report recently which showed attackers are going after a new target, the sports industry.
As defensive walls are increasingly thrown up around the usual target sectors, such as healthcare, critical national infrastructure and financial services, it seems attackers have switched their playbook and are probing the weaknesses in everything from football clubs to horse racing.
Clearly the size of the rights packages, transfer deals, sponsorship money and more has served as something of a lure to cyber criminals, who are keen to cash in with malicious actions. The report highlights that the average amount stolen was £10,000 per incident, with the biggest single loss netting miscreants £4m.
One of the larger attacks financially almost saw criminals getting away with stealing a £1m transfer fee as a result of a Business Email Compromise (BEC) attack in Office 365.
They did this by spear phishing the login of the Managing Director of a Premier League club with a spoofed Office 365 page. Once in control of his email account, the cyber-criminals were able to sit in the middle of the transfer deal and, ultimately, ask for the fee to be sent to an alternative bank account. Luckily, the transaction was denied due to anti-fraud measures at the receiving bank.
A similar social engineering operation targeting a UK sporting body was also highlighted as an example of how actively attackers are using BEC to drain sensitive information from the sports industry.
This one outlined how perpetrators were able to set up auto-forwarding rules from a compromised Office 365 email account. Every time an email was received, it was forwarded to an external address, controlled by the attacker. Over time, nearly 10,000 emails were diverted, leading to the ICO mandating the organisation to contact 100 individuals to alert them that confidential information had been stolen.
How do I protect against email compromise attacks?
Busines Email Compromise is not a new attack, but it is still surprisingly effective across most sectors.
Given it abuses the human element, training people on the receiving end of such attacks is an important part of the solution. Teaching people a questioning mindset when it comes to their corporate email is an iterative and continual process. Running phishing attack simulations on a regular basis and keeping them up to date on the latest phishing techniques are good ways to remind the workforce of the threat.
Training should be bolstered by a multi-layered email security solution that is purpose built to deal with the nuanced details of these more complex targeted social engineering attacks. A standard email platform, such as that built into Office 365, may not necessarily be advanced enough to achieve this.
Advanced email security can interrogate the content inside, attached to, and linked from the messages with innovative algorithms capable of deriving malicious intent. This detail is then cross referenced with contextual and behavioural data points, including originating domain and IP addresses, to understand whether a message is malicious.
To protect against the attacks which auto-forward emails, mail flow rules can be created within the Exchange admin centre, part of Office 365, to prevent auto-forwarding of messages to external addresses.
When deploying such a solution, it is also important to ensure it is designed to integrate tightly with mainstream cloud solutions such as Office 365.
BEC is not just a problem of high visibility targets such as big brand sports clubs, but very much a mainstream attack targeting businesses across the board. Even small organisations can be tricked into transferring large sums of money by an adept social engineer, so it is crucial companies ensure they are adapting to stay ahead as the threat landscape evolves.