New Delhi, August 30, 2022 - Researchers at Avanan, a Check Point Software company, caught and blocked a cyberattack that spoofed the CFO of a major sports organization for financial gain. The attackers tried to trick a lower-level finance employee into sending funds to an alleged insurance company. The technique used is known as a Business Email Compromise (BEC) attack, in which cybercriminals impersonate organizational supervisors for financial gain. Avanan researchers warn that these cyberattacks are on the rise, playing on people’s desire to perform well for their boss.

·       Attackers have struck more than once 

·       Two examples of spoofed emails caught in the campaign are provided

·       Avanan researchers offer several cyber safety tips to protect from BEC attacks 

Researchers at Avanan, a Check Point company, spotted a cyber-attack that spoofs the CFO of a major sports organization to get a lower-level employee to send funds directly to hackers. The spoofed CFO requested a wire to be sent to what appears to be an insurance company. Avanan Research was able to block the cyberattack. 

It is reasonable to assume that the attack was financially motivated. Little is known about the attackers, except that they have struck more than once.

Attack Methodology

The cyberattack type used is what’s known as a business email compromise (BEC) attack. The attack methodology in this case was as follows: 

1.       The hacker first creates a spoofed account impersonating the company’s CFO.

2.       The hacker finds the legitimate email address of someone on the finance team.

3.       The hacker creates an email that looks as though the CFO has forwarded it, with attached instructions for wiring.

4.       The spoofed CFO asks the employee to wire money instantly.

5.       If the employee bites, the money lands in the hackers’ account.

Email Example #1

The user is presented with an email from the CFO of this major corporation. The CFO asks the recipient to make a payment to a legitimate insurance company, West Bend Mutual. Even more clever, the domain used in the ‘from’ address is taken from that company’s slogan. However, this is clearly a fake, as the “reply-to” address at the top of the email differs from the company’s email address. You’ll also notice the banner showing that the email was not from the displayed sender. This banner was added by the tenant’s generic Office 365, not by Proofpoint, and it was the only thing that alerted the end-user that something was amiss.

Email Example #2

This is a nearly identical email that targeted another company. In fact, we’ve seen dozens of attacks of this type. Notice two differences: there is no external banner alerting the end-user to potential danger, and the “Get in touch” email address at the bottom misspells Silver Lining as ‘Silver Linning’.

Quote: Manish Alshi, Head, Channels & Emerging Technology, Check Point Software Technologies, India & SAARC: 

“Our team at Avanan discovered an attack that spoofs the CFO of a major sports organization. The spoofed CFO asks a lower-level finance employee to send a wire transfer to what appears to be an insurance company. Instead, it would go straight to the hacker. In this case, we were able to successfully block the attack. 

These ‘business email compromise’ attacks are incredibly popular, difficult to stop and tough to identify. End users should always exercise caution before paying invoices. It’s best to confirm directly with the CFO before paying out. 

I strongly recommend that people implement advanced email security that relies on more than one factor to determine whether an email is malicious. Be sure to read the entire email before acting, looking for any discrepancies or oddities.”

Cyber Safety Tips

·       Always check reply-to addresses to make sure they match the ‘from’ address and the sender’s real domain

·       If ever unsure about an email, ask the original sender

·       Encourage users to ask finance before acting on invoices

·       Read the entire email; look for any inconsistencies, misspellings or discrepancies

·       If using banners, be sure not to bombard end-users with them; use them only at critical times so that end-users take them seriously
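The reply-to check from the tips above and from Email Example #1 can be automated on incoming mail. The following is an added example, not code from Avanan or Check Point; the domains, names and sample messages are constructed placeholders, and the organisation domain is assumed to be known to the mail filter.

```python
# Added example (not from the press release): flags the header pattern the
# article describes, a From: that looks internal but a Reply-To: that points
# elsewhere, so replies and "confirmations" go to the attacker.
import email
from email.utils import parseaddr

# Constructed sample messages; all names and domains are placeholders.
LEGIT = b"""From: Jane Doe <jane.doe@example-sports.com>
To: finance@example-sports.com
Subject: Q3 insurance invoice

Please process the attached invoice.
"""

SPOOFED = b"""From: Jane Doe <jane.doe@example-sports.com>
Reply-To: Jane Doe <jane.doe@freemail-example.net>
To: finance@example-sports.com
Subject: Fwd: URGENT wire - insurance

Please wire this today per the attached instructions.
"""


def _domain(header_value):
    """Lower-cased domain of the address in a From:/Reply-To: header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_headers(raw, org_domain):
    """Parse one RFC 5322 message and report reply-to anomalies.

    A missing Reply-To is treated as equal to From, because mail clients reply
    to the From: address in that case, so it is not a mismatch.
    """
    msg = email.message_from_bytes(raw)
    from_domain = _domain(msg.get("From"))
    reply_to = msg.get("Reply-To")
    reply_domain = _domain(reply_to) if reply_to else from_domain
    reasons = []
    if reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if reply_domain != org_domain.lower():
        reasons.append("replies would leave the organisation's domain")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_headers(raw, "example-sports.com"))
```

A real filter would combine this with the sender-authentication results (SPF/DKIM/DMARC) rather than relying on the header comparison alone, which is the "more than one factor" point made in the quote above.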

*Disclaimer: "The pages slugged ‘Press Release’ are equivalent to advertisements and are not written and produced by Industry Outreach Magazine journalists/Editorial." We do not hold any copyrights to the content or image. Image source: Newswire