Business email compromise (BEC) has been widely, and wildly, popular over the last three years. This is partially due to how easy it is to execute: low technical skill required, low cost, and high reward when the attack succeeds. It has been used as the attack method across many industries with varied success. The attack template is very simple. The attackers send a phishing email. One or more targets click the link or fall for whichever other attack mechanism is used. Their system becomes infected, allowing unauthorized access. Emails are then sent to the appropriate parties, generally in finance or accounting, directing them to change the bank account information for payments.
Saint Ambrose Catholic Parish was targeted in this case. It is the second-largest church in the Diocese of Cleveland and the largest church in Brunswick, OH. The parish has 16,000 members and 5,000 families.
The attackers used the tried-and-true BEC attack, successfully. The attack was carried out with a phishing email. In this instance, two employee accounts had been compromised. The fraudulent email tricked the recipient into believing the contractor’s bank account information had changed and provided the new account information. This was discovered on April 17, 2019. The payments had been made, as the parish thought, for its Vision 2020 project. The payments were meant for one of the contractors (Marous Brothers Construction). They were not, obviously, received. The attackers were focused only on the money and did not attempt to pivot from the BEC attack to access the parish database or other areas of the system.
Father Bob Stec sent a letter to the parish regarding the issue. It indicated the contractor had contacted him and informed him the payments had not been received for the prior two months. The payments not received by the legitimate party totaled $1.75M. The parish filed a claim with its insurance company. It also contacted the FBI and continued to work with them. The church also contracted IT consultants to review its security stance. All staff changed their passwords, and the integrity of the database was verified.
With BEC, the primary social engineering lever that makes the attack so effective is the lack of communication: staff not wanting to bother management and the C-level. BEC depends on the targeted user not communicating with the person who allegedly sent the email. These emails may be strongly worded, indicating the transfer has to be done right away and that there are financial implications if it is not (e.g., significant lost discounts). All the person has to do is pick up the phone and call the other party for verification. This should be a standard operating procedure when working with accounts payable, and especially when dealing with cash or other liquid assets. It is curious that these two users, whose email accounts were compromised, did not notice anything wrong with the transaction.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.