Connect with us

Cyber Security

Cybercriminals Spoof CFO of Major Sports Organisation to Trick Employee to Wire Funds



Written by Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, a Check Point Software Company

If you get an email from your CFO requesting urgent action, what do you do? That’s what Business Email Compromise (BEC) attacks try to do. An executive–often a CFO or CEO–will have an urgent favor. Payment must be made today; gift cards have to be purchased and sent now. It uses social engineering to really get lower-level employees to take an action these employees do not want to do.

We see these all the time and they are difficult to stop because there is often no malware or malicious links. The body of the text may not be terribly different from what is usually sent. These attacks are so convincing, in fact, that the FBI has charted $43 billion in losses from these scams since 2016.

In this attack, the CFO of a major sports corporation is asking someone in finance to send money via ACH (Automated Clearing House) transfer. This blog covers how threat actors managed to get a subordinate to send money back to them.


In this attack, hackers are spoofing a CFO to get a lower-level employee to send funds.

  • Vector: Email
  • Type: Business Email Compromise
  • Techniques: Social Engineering, Domain Spoof
  • Target: Any end-user

Email Example #1

The user is presented with an email from the CFO of this major corporation. The CFO asks the recipient of the email to make payment to a legitimate insurance company, West Bend Mutual. Even more clever is the fact that the URL in the ‘from’ address is taken from their slogan. However, this is clearly a fake, as the “reply-to” address at the top of the email differs from the company’s email address. You will notice the banner that shows the email wasn’t from the displayed sender. This was added by the tenant’s generic Office 365, not Proofpoint. It is the only thing that alerted the end-user that something was amiss.

Email Example #2

This is a nearly identical email that affected another company. In fact, we have seen dozens of this type of attack. Notice two differences: There is no external banner alerting the end-user to potential danger; the “Get in touch” email at the bottom spells Silver Lining as ‘Silver Linning’.

BEC attacks are staggeringly successful because they play on people’s desires to perform well for their bosses. They are also successful because they are hard to stop. Secure Email Gateways do not have the contextual information they need to stop these attacks. These gateways are designed only to monitor inbound emails—therefore they have no way of scanning an internal email or understanding the context or conversational relationships within an organization. When an external gateway sees an email from the ‘CEO’ to the ‘CFO’, it will be the very first time it has seen such a conversation. While an internal solution will have seen thousands of similar real, internal conversations to compare it to, an external gateway can only guess at the context.

In this attack, a banner inserted by default security was key. However, banners are not the be-all, and end-all; research has found that too many banners can lead to end-users ignoring them. We are seeing a dramatic uptick in these types of attacks. The FBI reported a 62% increase in losses between July 2019 and December 2021; this amount of money has been pilfered from about a quarter million reported incidents. In 2021, $40 million of the losses were related to cryptocurrency; in 2020, that number was closer to $10 million.

A variation of this attack happened recently at Cisco, where a hacker was able to steal an employee’s password, then pretended to be a trusted organization during phone calls and emails. This is an escalation of the traditional BEC attack, but it is all part of the same family. The idea is to use trusted names and partners to get lower-level employees to hand over money or credentials. Without using malware, attachments, or malicious links, these hacks represent the apex of social engineering.

This type of attack has been seen in a variety of companies, and in a variety of industries. Any CFO or higher executive is a potential target. The best thing, then, is to proactively block these attacks, so that end-users do not have to make a decision about whether a request or email is legitimate or not.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check reply-to addresses to make sure they match
  • If ever unsure about an email, ask the original sender
  • Encourage users to ask finance before acting on invoices
  • Read the entire email; look for any inconsistencies, misspellings, or discrepancies
  • If using banners, be sure to not bombard end users with them; only use them at critical times so that end users take them seriously
  • Deploy multi-factor authentication for all accounts, but especially for email
  • Configure accounts to notify you of changes
  • Use a password manager to create and store your passwords–you should never actually know your own password
  • Remind users to only share personal information in real time, either in person or by phone. Encourage them to be skeptical of all messages with links, and to always verify with the sender, in real-time, any messages with attached files

Cyber Security

OneNote Documents Increasingly Used to Deliver Malware



Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs.

While there is an increase in the number of campaigns utilizing OneNote to deliver malware, its use is unusual. Based on Proofpoint’s observed characteristics of past threat campaigns, it is believed that threat actors have increasingly adopted OneNote as of result of their experimentation with different attachment types to bypass threat detection. Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures (TTPs), including the use of previously infrequently observed filetypes such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one).

Observed email campaigns that use OneNote for malware delivery share similar characteristics. While the message subjects and senders vary, nearly all campaigns use unique messages to deliver malware, and do not typically utilize thread hijacking. Messages typically contain OneNote file attachments with themes such as invoice, remittance, shipping, and seasonal themes such as Christmas bonus, among other subjects. In mid-January 2023, Proofpoint researchers observed actors using URLs to deliver OneNote attachments that use the same TTPs for malware execution.

The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double-clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute. The technique may be effective for now. At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal.

It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote. Organizations should educate end users about this technique and encourage users to report suspicious emails and attachments.

Continue Reading

Channel Talk

NetWitness Signs Distribution Partnership with CyberKnight



NetWitness today announced it is partnering with CyberKnight, to bring its extended detection and response (XDR) solutions to enterprises in the Middle East. “Together, NetWitness and CyberKnight will enable enterprise and government customers in the Middle East with fast detection and automatic response capabilities to combat today’s advanced cybersecurity threats,” the companies said.

The NetWitness Platform is an open XDR solution that enables security teams to detect, understand the full scope of a compromise, and automatically respond to security threats across modern IT infrastructures, accelerating threat detection and response. NetWitness delivers enhanced visibility across all capture points, including logs, network packets, net flow, endpoints, and computing platforms on-premise, in the cloud, or as a hybrid of the two. The NetWitness Platform applies threat intelligence as well as user and entity behavior analytics to detect, prioritize, investigate threats, and automate responses, improving the effectiveness and efficiency of security strategies.

“We are excited about this new partnership with NetWitness, as their modern approach to security will give customers in the Middle East an advantage in the battle against cyberattacks, ensuring unsurpassed visibility, smarter threat detection, and faster analytics — all on-premises. Hundreds of organizations in the Middle East are already using this robust platform, which easily integrates with the world’s most critical and widely deployed tools, as well as many specialized and industry-specific solutions,” commented Avinash Advani, CEO and Founder at CyberKnight.

“Keeping end users safe from ever-evolving cyberattacks requires forward-thinking and holistic approaches that enable security operations teams to stay ahead of such breaches. We are proud to continue our expansion in the region and offer enterprises our unparalleled XDR platform. We are thrilled about our partnership with CyberKnight, which allows us to leverage their regional coverage, channel breadth, deep-rooted customer relationships, and cybersecurity expertise to accelerate our growth,” added Motaz Al Mohamady, head of Channel Sales — Middle East, Turkey, and Africa, at NetWitness.

Continue Reading

Cyber Security

79% of MEA Organizations have a “Protection Gap”: Veeam Research



Veeam Software has released findings of the company’s fourth annual Data Protection Trends Report to better understand how data protection is evolving in a digital world.

Notable insights from the report include:

  • Reliability and consistency (of protecting IaaS and SaaS alongside data center servers) are the key drivers for improving data protection in 2023. For organizations that are struggling to protect cloud-hosted data with legacy backup solutions, it is likely they will supplement their data center backup solution with IaaS/PaaS and/or SaaS capabilities.
  • Ransomware is both the most common and most impactful cause of outages, alongside natural disasters (fire, flood, etc.) and user errors (overwrites, deletion, etc.). Organizations should implement backup and recovery solutions that support a holistic approach to data protection, and that can integrate with other cyber detection and remediation technologies to ensure comprehensive cyber resilience.
  • Cloud-based services seem nearly inevitable for organizations of all sizes. But similar to how there isn’t just one type of production cloud, there isn’t just one protection cloud scenario. Organizations should consider cloud tiers for retention, Backup as a Service (BaaS), and ultimately, Disaster Recovery as a Service (DRaaS).

“IT leaders are facing a dual challenge. They are building and supporting increasingly complex hybrid environments, while the volume and sophistication of cyberattacks are increasing,” said Danny Allan, CTO and Senior Vice President of Product Strategy at Veeam. “This is a major concern as leaders think through how they mitigate and recover business operations from any type of disruption. Legacy backup approaches won’t address modern workloads – from IaaS and SaaS to containers – and result in an unreliable and slow recovery for the business when it’s needed most. This is what’s focusing the minds of IT leaders as they consider their cyber resiliency plan. They need Modern Data Protection.”

The report shows that data protection budgets are increasing. Globally, organizations expect to increase their data protection budget in 2023 by 6.5%, which is notably higher than overall spending plans in other areas of IT. Of the 85% of organizations planning on increasing their data protection budgets, their average planned increase is 8.3% and often in concert with increased investments in cybersecurity tools.

The Middle East and Africa market throw up some interesting findings:

Protection and Availability Gap in the MEA region

  • 78% have an “Availability Gap” between how quickly they need systems to be recoverable and how quickly IT can bring them back
  • 79% have a “Protection Gap” between how much data they can lose and how frequently IT protects their data

Ransomware in the MEA region

Ransomware attacks continue to be more frequent

  • Only 14% experienced no ransomware attacks in 2022
  • 18% experienced only one attack
  • 48% experienced two or three attacks
  • And 21% experienced four or more attacks in 2022
  • 45% of organizations stated that ransomware (including both prevention and remediation) was their biggest hindrance to Digital Transformation or IT modernization initiatives, due to its burden on budgets and manpower
  • When organizations were asked about their most significant attacks suffered in 2022:
    • 39% of their entire production data set was successfully encrypted or destroyed
    • Only 55% of the encrypted/destroyed data was recoverable

“Ransomware is indiscriminatory – every business is a target. Rather than be gripped with fear at the prospect of being attacked, organizations must focus on what they can control – their defence. The fundamental principles of how to prepare defences against even the most sophisticated and powerful ransomware stay relatively the same. The first is the practice of impeccable digital hygiene. All employees must be trained to identify suspicious content and be warned of the impact that malpractice using work devices can lead to. Secondly, all businesses must prepare for their defences to fail. Concepts such as zero trust and deploying techniques such as two-factor authentication can be useful for restricting the access an attacker has to data. The best way to protect data is to ensure that it has been securely backed up and is fully recoverable before an incident takes place with the 3-2-1-1-0 backup rule – there should always be at least three copies of data, on at least two different types of media, at least one off-site and one immutable or offline, with zero unverified backups or errors,” concludes Rizk.

Business Continuity and Disaster Recovery (BC/DR) initiatives in the MEA region

  • Every facet of IT continues to be a candidate for cloudification, with data protection being a common scenario.
    • 84% of Middle East & Africa organizations anticipate using Backup as a Service (BaaS) or Disaster Recovery as a Service (DRaaS) to protect at least some of their servers over the next two years.
  • That said, cloud-based storage is not misunderstood as the “tape killer” that early pundits tried to sell it as. When discussing the media used within their backup systems, the Middle East & Africa organizations reported that in addition to disk-based protection:
    • 64% of production data is stored in a cloud at some point in its lifecycle
    • 52% of production data is stored on a tape at some point in its lifecycle
  • 86% organizations consider their cyber and (traditional) BC/DR initiatives to be either mostly or completely integrated. To achieve that among organizations in the Middle East & Africa:
    • 41% want to orchestrate recovery workflows, instead of relying on manual processes
    • 25% will leverage on-premises infrastructures for their BC/DR
    • 41% will leverage cloud infrastructures for their BC/DR, using IaaS or DRaaS

“It is no surprise that BaaS and DRaaS are becoming so popular among regional organizations. They provide viable alternatives to managing everything. It can be more cost effective to outsource backup and disaster recovery needs instead of hiring and training in-house resources. A BaaS provider can ensure backups are not only successful but regularly tested and restorable. A DRaaS provider can support with as little as an off-site replication or fully manage your complete disaster recovery plan from testing and execution to failing over and failing back, should an unplanned event occur,” comments Rizk.

“Veeam understands these changing market dynamics and data protection needs of enterprises today. From critical workloads running on-premises to the sprawl of data in the cloud and at home offices, Veeam-powered BaaS and DRaaS service provider partners offer the off‑site backup, monitoring and management, and disaster recovery services organizations need to stay resilient in the face of any threat.”

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.