A recent phishing attack on an 8,600-student school district in Texas ended up costing an astonishing $2.3 million. The Manor Independent School District phishing attack started in November 2019 and continued through December.
The attack was an example of a highly effective – and highly lucrative – email scam known as business email compromise (BEC) or vendor email compromise, if the attack is conducted through a vendor.
A BEC/VEC scam involves the use of a legitimate business email account to send emails to individuals within the organization (BEC) or to its clients (VEC) requesting a bank transfer. BEC attacks are also conducted to make changes to payroll or requests are sent via email asking for sensitive information such as W-2 forms for use in tax fraud.
The scam starts by sending phishing emails to individuals in the targeted organization. Emails are sent containing a credible ploy to get the recipient to click a hyperlink that directs them to a specially crafted webpage. That webpage is usually a carbon copy of a legitimate website, but on a different domain, that has been set up to harvest credentials.
Attackers often spoof Microsoft to capture Office 365 credentials. When the user visits the website via the hyperlink embedded in the email, they are presented with the standard login prompt that they receive when attempting to login to their Office 365 account. When the credentials are entered, they are captured by the attackers. The attackers then use the credentials to access the email account. The account is then used in the second phase of the attack.
Oftentimes, when attackers gain access to an email account, they set up a mail forwarding rule that will see all messages in the email account forwarded to the attackers. They check the emails until they find something of interest, such as contractors that are performing construction works.
Attackers often insert themselves into legitimate email conversations. Both parties believe they are communicating with each other, when the reality is they are communicating with the scammer. The scammer then asks for payments to be sent to a different email account. These conversations can span many messages and email exchanges can continue for several days or weeks. Since the scammer has full control of one of the email accounts, it is likely that the scam will not be detected until it is too late.
It is unclear whether a vendor’s email account was compromised in the Manor Independent School District phishing attack or if this was a standard BEC attack, with emails sent to the billings department requesting a bank account change. Details on the specifics of the phishing attack have not been released. What is known is that the bank account details of a vendor were changed, and the school district made three separate payments over the space of the following month before the scam was identified and the school district discovered it had been scammed out of $2.3 million.
A defense in depth strategy is required to prevent attacks such as this from succeeding. Technical defenses are essential. An advanced spam filter should be implemented that scans all incoming and outgoing messages, multi-factor authentication should be implemented to prevent stolen credentials from being used to remotely access accounts, and end user training is required to raise awareness of the threat. Policies and procedures should also be implemented that require all bank account changes to be verified, via telephone, before they are authorized.