About CEO Fraud
CEO fraud is the most recent generation of cyber crime. It involves impersonating the CEO or other senior business managers and using social engineering to trick someone at the organization into wiring company money to the fraudsters. The U.S. Federal Bureau of Investigation (FBI) has warned about a dramatic increase in Business E-Mail Scams, known as CEO fraud, which over the past three years have cost organizations more than $2.3 billion in losses. Many organizations think email scams are easy to spot and therefore make the mistake of underestimating CEO Fraud. However, in most cases numerous emails fly back and forth before the scam is complete. This shows that scams of this kind are highly sophisticated and almost impossible to catch without the help of a capable tool. At LogPoint, we are here to take the weight off your shoulders, since LogPoint can extract and correlate the relevant events as required. LogPoint can detect email scams such as CEO Fraud and others while improving the organization's information security standards.
How does CEO Fraud work?
There are primarily two techniques in CEO fraud: compromising senior management’s email accounts, and using an email domain similar to the business’s domain. In the first case, the attackers begin by compromising email accounts that belong to senior employees and then persuade someone at the organization to transfer funds to other accounts. In the latter case, typosquatting is used to impersonate senior employees in the organization.
You can observe the following behavior discovered by the application through the dashboard or the alerts:
- Domains with suspicious characters.
- Mail requests originating from threat sources.
- Senders with suspicious email subjects, especially if they appear to be managers or top executives.
- And most importantly, look out for email behavior with the following attributes in an email or series of emails:
  - The sender appears to be a manager or top-level executive.
  - The sender domain is abnormal; in many cases it can be extracted from the message ID.
  - The client or server sending the email does not belong to the list of trusted servers.
Here, we see that the sender impersonates a legitimate email address, and at the same time the email originates from two different source addresses, neither of which is in the list of approved email servers. The two examples shown above lead to the conclusion that this could be a case of CEO fraud.
Incidents generated by the alert rules included in the LogPoint CEO Fraud application:
How can LogPoint detect CEO Fraud?
LogPoint provides you with the functionality to remain aware of Business Email scams and to escalate the information. Out of the box, you can use the CEO Fraud v1 widgets to analyze any possible incident in and around your infrastructure. Additionally, the scam base can be enriched by updating the list. You can customize the dashboard and alerts based on the type of data source you integrate.
To start detecting suspicious emails you need to complete the following steps:
- Download the CEO Fraud package from the Help Center and install it. Make sure that you have installed all other required applications including threat intelligence and Exchange.
- Collect and normalize the data from the desired mail sources.
- Use the dashboard and alerts.
Please be aware that the CEO Fraud application relies on data from Exchange MT. The application requires events collected from Microsoft Exchange Message Tracking (MT) 2010 and 2013 in space- and comma-delimited format. Use the file collection option in LogPoint Agent to forward the Exchange MT logs. You can also enrich the generated logs by using mail flow rules on the mail server.
Additionally, this approach can be used to validate other kinds of email threat behavior, such as spear phishing, when you know the list of IP addresses from which you should actually be receiving email. The overall approach also depends on the email server having a structured and informative logging mechanism.
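The attributes listed above (executive sender, sender domain versus message-ID domain, sending server outside the trusted list, lookalike domain, suspicious subject) can be checked directly against message-tracking events. The following is an added example, not LogPoint's own rule logic: it scores constructed log lines with a reduced, constructed column set, and the organisation domain, executive list, trusted server range and subject keywords are all assumed values you would replace with your own.

```python
import csv
import io
import ipaddress
from difflib import SequenceMatcher

# Constructed assumptions for this example: the organisation's mail domain,
# the executive mailboxes most often impersonated, the servers permitted to
# deliver mail for that domain, and subject words worth a closer look.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"ceo", "cfo"}
TRUSTED_SERVERS = [ipaddress.ip_network("10.0.5.0/24")]
SUBJECT_WORDS = {"wire", "transfer", "urgent", "payment"}

# Reduced, constructed column set; a real Message Tracking log has more fields.
FIELDS = ["date-time", "client-ip", "event-id", "message-id", "message-subject", "sender-address"]
SAMPLE_LOG = """\
2016-04-11T09:12:01Z,10.0.5.20,RECEIVE,<a1@example.com>,Invoice April,cfo@example.com
2016-04-11T09:15:44Z,203.0.113.7,RECEIVE,<b2@mx.free-mailer.test>,Urgent wire transfer,ceo@example.com
2016-04-11T09:20:10Z,198.51.100.9,RECEIVE,<c3@examp1e.com>,Re: payment,ceo@examp1e.com
"""

def domain_of(addr):
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def is_lookalike(domain):
    # Close to, but not equal to, the organisation's domain (typosquatting).
    return domain != ORG_DOMAIN and SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85

def anomalies(row):
    """Return the CEO-fraud indicators present in one tracking-log event."""
    local, sender_domain = row["sender-address"].lower().split("@", 1)
    if local not in EXECUTIVES:
        return []  # only mail claiming to come from an executive is scored
    found = []
    if is_lookalike(sender_domain):
        found.append("lookalike sender domain")
    if sender_domain == ORG_DOMAIN and domain_of(row["message-id"]) != ORG_DOMAIN:
        found.append("message-id domain differs from sender domain")
    if not any(ipaddress.ip_address(row["client-ip"]) in net for net in TRUSTED_SERVERS):
        found.append("sending server not in trusted list")
    if SUBJECT_WORDS & set(row["message-subject"].lower().split()):
        found.append("suspicious subject")
    return found

def suspicious_events(log_text):
    """Map each flagged sender address to its list of indicators."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    return [(r["sender-address"], a) for r in reader if (a := anomalies(r))]
```

Only the two events from outside the trusted range are flagged; the legitimate CFO mail delivered by an internal server produces no indicators.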
You are always welcome to get in touch if you have any questions! Find your local LogPoint office here.