Last updated: 
3 months 1 week ago
Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Business Email Compromise (BEC) group targeting the academic sector

Tuesday, February 5, 2019 - 10:43

We have observed a regional threat, targeting and attacking the UK academic sector. We have identified them through their attacking behaviours, sources of login activity, and phishing techniques. Here we present the knowledge of their tactics, techniques and procedures (TTPs) observed and how to identify them, to help institutions defend against future attacks.

This activity group uses large scale phishing attacks to conduct financial fraud against UK Universities, and we assess with moderate confidence that these activities closely resemble those of Nigerian cybercrime groups. The attribution has been made through IP address geolocation found during investigations, Business Email Compromise (BEC) techniques and similarities seen in research performed by other security researchers. This activity has been seen to come in waves throughout the academic year with most recent activity reported in December 2018. Across several security incidents handled by CSIRT, their tradecraft has been tracked and using a behavioural analytic approach we class them as an activity group with set observed tactics. The target objective of the group is to steal money via site staff payroll. They seek to phish HR or payroll system credentials in order to change the bank account details of staff, in turn redirecting wages to a third-party account.

The tactics involved in these campaigns show a level of sophistication in evading detection methods:

  • Using compromised websites to host fake login pages – the legitimacy of the compromised site can bypass reputation checks performed by IDS and URL scanning solutions
  • Using high reputation email MSAs (mail submission agent) from other academic institutions provides a higher trust within e-mail systems, often bypassing blacklists.
  • Display names are spoofed, appearing to be a local email address such as the IT department or HR department.

Figure 1 Diagram explaining the phishing attacks performed by the criminal group

It is worth noting that the activity group may target an academic institution simply to use their MSA to send mail out to another academic institution, using a mass mailer such as Turbomailer (see appendix B). They have achieved this by obtaining local VPN credentials, which once on the trusted network, allowed them to use the institution’s MSA.
 

Observations

The BEC activity group, which we have labelled as JSOC-AG-WAGEHAWK, are organised with objectives and set working methods. We can map the methods seen to an operational kill-chain (It is similar to the kill-chain referenced in a related report by Crowdstrike[2]):
 

  1. Reconnaissance and target identification:
    - Understanding roles of key staff at the University
    - Email address harvesting
  2. Delivery: Templated but convincing emails are sent with embedded links that direct the user to fake portal pages. These landing pages are often hosted on compromised European commerce domains, capturing phished user credentials and then redirect to the real login page. It is common for other compromised academic user accounts to be used to send out these phishing campaigns, potentially utilising tools such as Turbomailer and MaxBulk Mailer (see Appendix B) to facilitate mass emailing.
  3. Lateral movement: The captured user webmail login (or user VPN account) is used to either a) mass email further phishing e-mails internally (or to another academic institution), or b) abuse internal business processes.
  4. Exploitation: Compromised credentials are used to log in to Payroll and HR systems to make changes to account details resulting in salaries being transferred to a third-party bank account.
  5. Action on objectives and monetisation: Funds are transferred to international bank accounts and during the campaign we have seen the involvement of money mule operations.

Applying the Diamond model of intrusion analysis[4], we observed a pattern of attacks made across an 18-24 month period (see below diagram). These TTP have been observed targeting multiple victims, and the group has performed a sporadic but continuous phishing campaign using consistent tactics. The IP addresses involved are often assigned to domestic Nigerian ISPs within large DCHP pools. We have been able to identify a number of autonomous systems (ASNs) that bring a higher risk of malicious login attempts. This is due to the number of IP addresses within a single prefix that have been involved in BEC incidents investigated by CSIRT and also security researchers work[2]. It is worth noting however that these ASNs are also home to host legitimate users and businesses.

Figure 2 Diamond Model Intrusion Analysis mapping of threat group
 

Defensive security solutions

There are a range of recommended options to help detect and/or protect against this activity and we have detailed those below.
 

  • Protect Portal account access with 2FA

An important defence against persistent threats covered in this article is having two-factor security on internal portals accessible from the web, such as H.R. portals. If this is not present phished credentials can be used to amend employee bank details.

  • Mark important accounts

E-mail systems can be configured to detect spoofed headers where e-mails sent from outside the institution use the From field in the mail header to impersonate key staff such as the IT or finance manager, or the vice chancellor. Your e-mail system might allow you to add a warning or quarantine the e-mail upon a match. Microsoft have published an article on how to add such a warning: https://blogs.technet.microsoft.com/eopfieldnotes/2018/02/09/combating-display-name-spoofing/

Another method would simply be to mark all externally received e-mails with a tag in the subject line. Note that this may break some forms of e-mail signing.

  • Set up stricter controls on From address/return-path address

Observed behaviour of this group includes spoofing the ‘display from’ address to appear as a local address. Implementing incoming mail filtering controls that detect unmatched ‘display from’ to return-path email addresses could prevent similar activity from impacting the institution. These controls should be applied with caution as to not interrupt other mail flows.

  • Utilise URL scanning functionality within email software/providers

URL scanning is successful in combating many phishing scams. However, their effectiveness against pages hosted on compromised sites is not guaranteed.

  • Limits or alerting on large volumes of outgoing mails from single accounts

Academic student account credentials are phished for the good reputation of the mail servers. The phishing group will abuse the mail accounts to send 1000’s of emails in quick succession. Alerting on large volume mail sends will highlight account abuse. Another possibility is rate limiting on outbound email for student accounts.

  • Implement SMTP authentication

Ensure that all your SMTP MSAs use authentication and do not relay e-mail simply based on the IP address of the client. This prevents attacks that pivot from a trusted IP address.

  • Use the Jisc blacklist service

Freely available blacklist to protect against known, abused spam relays. This is available from securityservices@jisc.ac.uk : https://www.jisc.ac.uk/blacklists

  • Microsoft Azure Active Directory risk-based security policy and conditional access

Microsoft Azure Active Directory can create “risk events” that are associated with sign-in activity (see screenshot below). These could be sign-ins from atypical locations, or sign-ins where travel between locations would be at an impossible speed.

Conditional access can also be used to mandate a second authentication factor for sign-in events from specified countries or address ranges.

Figure 3 Microsoft Azure risk events

 

  • Utilise RBLs (real-time blackhole lists)

Some RBLs such as SpamRATS (aka RATS-NoPtr) provide information on IP addresses that have been observed performing abusive behaviour, brute force attacks, or that have no/incorrect reverse DNS records.

  • Risk/Trust scoring based on IP address / prefix

Associating a suspect IP address or prefix from the ASNs listed above with a heightened risk level or lower trust score could help detect activity targeting your organisation.

  • Recognise/prevent an adversary from scraping

Recognize that the adversary scraping your external Web servers looking for documents is the same adversary who then sends a phishing email” [1]

Review how email contact information is published on your website and consider how access to this information by a single scraping tool might be abused (such as Atomic email hunter (See appendix B)).

  • Referrer monitoring

Common behaviour we’ve seen is for the phishing site, often a cloned version of the real website, to redirect to the organisations website once the user has entered their credentials.  Detecting whether your portal website has been cloned externally could be done by monitoring the referrer field in your web server access logs

Referrers can indicate how the user arrived at your website. Whilst there are a number of legitimate reasons why a third party would redirect to your website. Whitelisting within your monitoring should narrow down to a list of possible suspects.

  • Canary tokens

Canary tokens (free on canarytokens.org) can also be placed in the site graphics, generating an alert if it is hosted outside the institution’s web server.

Recent examples of email templates

Example wording seen:

Example email on outgoing SMTP mail server incident :

 

Appendix A: Background on attribution
 

As previously mentioned, we assess with moderate confidence that these activities closely resemble those of Nigerian threat actors. Perceptions of the threat posed by Nigerian cyber criminals is outdated: groups have moved on from Nigerian Prince 419 scams and now deal in Business Email Compromise (BEC) and Business Email Spoofing (BES) frauds. These are effective criminal enterprises, with threat actors abusing the trust inherent in email correspondence. Nigerian Confraternities[3] are often involved in the organised group approaches and implant themselves into the processes operating inside businesses. They will target Western academic institutions or businesses and have a good command of the English language.

The intention of the threat group tactics is to gain access to email addresses belonging to members of a University and the inherent trust that is given to them, particularly between different universities. One common example we’ve seen is phishing emails sent impersonating one institutions Human Resources department using the compromised account of another university. This is why these groups target Academic Mail Submission Agents (MSA) and academic email addresses for the trust within the academic community. Frequently, these threat actors gain access to user accounts, then work to utilise them against webmail portals or VPN authentication from Nigerian IP addresses. Once connected to a trusted part of the network, they access MSAs to perform fraudulent email activity.  

Nigerian universities have a long history of confraternities, and sometimes they are involved in crime. Chris Yule of Secureworks provided details on one such criminal group when he detailed the Gold Galleon BEC campaign and e-mail spoofing fraud [6]. His research suggested there were as many as twenty individuals collectively performing BEC campaigns, controlled by a loose organisational structure. The associates share tactics, intel and knowledge using TeamViewer, a publicly available tool, typically known for its remote access and collaboration feature set. In the past, this sharing took place on Yahoo chat, which lead to the moniker ‘Yahoo Boys’ [5].

The criminal organisation performed reconnaissance using off the shelf tools that scrape the email addresses from public websites. They also purchased email lists of their targets.

Wider research[6] indicates that these groups may exist in over 300 higher education institutions, and have spread to other countries including Canada, Italy and the United Kingdom. One confraternity is the Neo Black Movement AKA Black Axe Confraternity that Crowdstrike has investigated[2]. The organisation is divided into zones and has been tracked by U.S. Law Enforcement, with each zone having a boss or ‘Oga’ that directs the scams and various email crimes. The zone’s members have different roles that perform different parts of the operation. This is illustrated in Crowdstrike’s graphical image below. Whether or not this is a group that can be related to the phishing campaign we’ve observed with JSOC-AG-WAGEHAWK is unknown.

Figure 4 Crowdstrikes proposed Nigerian Confraternity organisations structure[2]

Other groups include the Icelanders, Greenlanders, Bobos, De Bam, De Well, and the Vikings. Computer Security vendors have provided reports on other Nigerian threat groups that use malware and are more advanced in their operations. One such example includes the report published by Palo Alto Network’s Unit 42 that details activity which they attribute to the SilverTerrier group [7].

Appendix B: Example adversary toolsets used by Nigerian phishing groups.

Research work by security researchers such as ‘malwaremustdie’ has uncovered some of the software tools used (and likely shared between) threat agents performing targeted phishing:

Sanmao SMTP

Sanmao SMTP uses password lists to crack long lists of email addresses, attempting password guessing against the SMTP server itself. It varies the SMTP EHLO command to avoid being blocked. It seeks access to an account on an SMTP server to later use for phishing.  Source Twitter: .sS! @sS55752750 malwaremustdie https://twitter.com/sS55752750/status/1010840047954866176

Atomic Email Hunter

A website scraper, Atomic Email Hunter, harvests email addresses from targeted websites. In this example, a wildcard could be used to filter on domains such as *.NNN.ac.uk.

GA Email Spider

GSA Email spider, collects email addresses directly from websites or harvests email addresses with the help of search engines.

Turbo-Mailer

Turbo-Mailer uses an MSA, a valid user account, and a mailing list to send automated phishing emails. Source Twitter: .sS! @sS55752750 malwaremustdie https://twitter.com/sS55752750/status/1014120715346481152/photo/2

Example template landing page

Example of a generic Office 365 landing page. Ready made templates such as this are shared as a toolkit with email wording templates amongst activity groups.