The U.S. Federal Bureau of Investigation has issued a warning in relation to cybercriminals exploiting email rule vulnerability to increase the likelihood of successful business email compromise.

The warning, published Nov. 25 as a Private Industry Notification but only now made public, warns that the bureau has seen an increase in cybercriminals implementing auto-forwarding rules on victims’ web-based email clients to conceal their activities. Web email is being specifically targeted because it often does not sync with the desktop client, limiting the rules’ visibility to cybersecurity administrators.

With emails being forwarded, cybercriminals can then use the emails they received to increase the likelihood of a successful future business email compromise attack. A typical BEC scam involves victims receiving emails they believe are from a company they normally conduct business with, often with requests for funds be sent to a new account. With the forwarded emails, scammers have more details they can use to trick users in this manner.

The FBI gave an example of a U.S.-based medical equipment company that was targeted in August. In that case, cybercriminals created auto-forwarding email rules on a recently upgraded web client used by the company, which observed auto-forwarding rules only on desktop clients.

Using the information gathered, the cybercriminals impersonated a known international vendor, created a domain name with similar spelling and communicated with the vendor using a U.K.-based IP address to increase the likelihood of payment. They managed to obtain $175,000 from the company before the scam was detected.

Companies are being advised by the FBI to take mitigation action including ensuring both the desktop and web applications allow appropriate syncing and updates, to be wary of last-minute changes to established email account addresses, to check email addresses carefully for changes and to enable multi-factor authentication for all email accounts.

In addition, companies are advised to prohibit automatic forwarding of email to external addresses, arguably the simplest mitigation of them all, as well as frequently monitoring the email exchange server for changes in configuration and custom rules.

“The use of auto-forwarding rules is a standard operating procedure for BEC-focused cybercriminals,” Matthew Gardiner, principal security strategist at cloud cybersecurity firm Mimecast Services Ltd., told SiliconANGLE. “With auto-forwarding set up to forward email to the attacker, the attacker can literally quietly read the target’s email for an extended period and decide when to launch the next step of the attack.”

Wade Woolwine, principal security researcher at cybersecurity and compliance solutions provider Rapid7 Inc., said this kind of behavior is typical in attacks that are targeting intellectual property or other sorts of competitive information, such as in the legal sector and manufacturing.

“It’s becoming a more and more attractive technique for attackers who have little trouble phishing credentials, logging into SaaS email providers and implementing auto-forwarding rules,” Woolwine explained. “In many cases, administrators can set configurations to limit or completely disable auto-forwarding rules. In cases where this feature is required to conduct business, administrators can set up alerts for the creation of new auto-forwarding rules.”

Photo: J/Flickr