Business Email Compromise (BEC) attacks are some of the most popular and devastating attacks out there. They work, broadly, by sending an email from a spoofed or legitimate address and then asking someone to do something. 

The spoofed address variety is difficult to spot, although a clue usually lies in the reply-to address. When an actual account is compromised, and then used to send out BEC-style emails, it becomes really hard to identify.

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how legitimate college student email accounts are being compromised, and then used to send out larger BEC and credential harvesting campaigns.

Attack

In this attack, hackers are compromising student accounts to launch broader BEC and credential harvesting attacks. 

  • Vector: Email
  • Type: BEC, Credential Harvesting
  • Techniques: Account Takeover
  • Target: Any end-user

Email Example #1

This email is sent from a legitimate university account. It uses standard social engineering to convey a sense of urgency: messages have been blocked, and the only way to release them is to click the link. In this case, 11 emails are waiting to be reviewed. 

Email Example #2

When hovering over the “Release messages” button, the URL first appears to point to a Buy Now, Pay Later service called Tabby. Look a little further along the URL string, however, and you’ll see a redirect to a different site, which leads to a credential harvesting page.
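Two of the tells described here, a Reply-To domain that does not match the sender and a link whose visible host hands off to a hidden destination nested in its query string, can be checked without following the link. The script below is an added example, not code from the Avanan brief; the email, the domains and the `next=` parameter are all constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Constructed sample lure (not the brief's actual email); all domains are placeholders.
SAMPLE_EMAIL = """\
From: Quarantine Notice <jsmith@students.example-university.edu>
Reply-To: support@mail-release-center.example.net
Subject: 11 messages are waiting for your review

You have 11 blocked messages. Release them here:
https://checkout.example-bnpl.test/redirect?next=https%3A%2F%2Fsecure-release.example.org%2Flogin
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def header_domain(msg, header):
    """Domain of the address in a header, lowercased; None if the header is absent."""
    value = msg.get(header)
    match = re.search(r"@([\w.-]+)", value or "")
    return match.group(1).lower() if match else None

def redirect_chain(url):
    """Without touching the network, follow URLs nested in query parameters
    and return the hosts in order: the one shown on hover first, the real
    destination last."""
    hosts = []
    while url and len(hosts) < 5:           # cap depth against pathological links
        parts = urlsplit(url)
        hosts.append(parts.netloc.lower())
        nested = [v for vals in parse_qs(parts.query).values() for v in vals
                  if v.lower().startswith(("http://", "https://"))]
        url = nested[0] if nested else None
    return hosts

def triage(raw_message):
    """Findings a reviewer would want: Reply-To/From mismatch and hidden link targets."""
    msg = message_from_string(raw_message)
    findings = []
    sender, reply_to = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender {sender}")
    for url in URL_RE.findall(raw_message):
        chain = redirect_chain(url)
        if len(chain) > 1:
            findings.append(f"link shows {chain[0]} but ends at {chain[-1]}")
    return findings
```

Because `redirect_chain` only parses the string, it surfaces the final host for a reviewer without ever visiting either site.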

Techniques

We’ve seen a generous uptick in threat actors compromising student accounts, and then using them to send out BEC and credential harvesting messages. 

In this case, this same compromised account sent out numerous messages to a variety of organizations.

The university, based in Arizona, is not an Avanan customer, and it’s not clear how the compromise began.

Regardless, this represents an effective tactic by hackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it’s easy to send the same message to a variety of targets.

That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise. 

There are tells in the email, such as where the URL actually leads and the fact that a university account wouldn’t be used to send support messages.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always hover over URLs to ensure the destination is legitimate
  • Always look at the sender address
  • If ever unsure about an email, ask IT