This morning the headlines shouted out about another Business Email Compromise (BEC) attack. It seems that an employee of the professional basketball team, the Milwaukee Bucks, received a seemingly legitimate email message from a spoofed email address. The email requested W2 records for the team's players and staff, and the targeted employee fell for the scam and released the information.
The fallout was immediate and intense.
“The communication received on this major security breach is unacceptable,” an agent for a Bucks player told The Vertical. “The players need to know the exact measures being taken by the Bucks and the FBI to ensure each and every player’s identity and financial information will not be compromised. There needs to be accountability for such a mistake, details on the steps taken to rectify it and a process put in place to make sure this never happens again.”
What does it really mean to create a process where "this never happens again"? In the case of BEC and other socially engineered email attacks, the process should begin with comprehensive threat monitoring across the internet. Who is registering email domains that are similar to the Milwaukee Bucks' legitimate email domains? Are those domains email-enabled -- do they have active MX records? Ultimately, that's the red flag - the MX record.
Since the beginning of 2015, BrandProtect has reviewed more than two million suspected phishing or spear phishing emails, and taken action against more than 35K URLs. We are experts in this field. We've observed that these attacking email domains come online, launch their attack, and then go offline. The spoofing domain is only operational for a few days, or less. That means that the window for detection and response is small. MX record monitoring makes it possible for CISOs to take fast action against these domains, neutralizing them before they can launch their attacks.
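A minimal version of the lookalike-domain MX check described above, written here as an added example rather than BrandProtect's own tooling. The legitimate domain, the DNS answers and the resolver stub are all constructed so it runs offline; a production monitor would plug in a real MX lookup (for instance dnspython, assumed available) in place of the stub.

```python
"""Lookalike-domain MX monitoring (added example, constructed data).

Generate common lookalike variants of a legitimate email domain and flag the
ones that are email-enabled, i.e. answer an MX query. DNS resolution is passed
in as a callable so the demo runs offline; in production you would pass e.g.
  lambda d: [str(r.exchange) for r in dns.resolver.resolve(d, "MX")]
from dnspython (assumption: that library is installed).
"""
from typing import Callable, Dict, Iterable, List, Set

# Constructed stand-ins: "bucks.com" is NOT asserted to be the team's domain,
# and FAKE_DNS is the answer table we pretend the resolver returns.
LEGIT_DOMAIN = "bucks.com"
FAKE_DNS: Dict[str, List[str]] = {
    "bucks.com": ["mail.bucks.com"],       # the real domain, has MX
    "buck5.com": ["mx.spoofer.example"],   # lookalike that is email-enabled
    "bucks.net": [],                       # registered, but no MX record
}

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "s": "5", "e": "3", "a": "4"}
TLDS = ("com", "net", "org", "co")

def lookalikes(domain: str) -> Set[str]:
    """Omitted-character, transposition, digit-for-letter and TLD variants."""
    name, _, tld = domain.rpartition(".")
    out: Set[str] = set()
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")                # omission
        if i < len(name) - 1:                                     # transposition
            out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
        if name[i] in HOMOGLYPHS:                                 # confusable
            out.add(f"{name[:i]}{HOMOGLYPHS[name[i]]}{name[i + 1:]}.{tld}")
    for t in TLDS:                                                # other TLD
        out.add(f"{name}.{t}")
    out.discard(domain)
    return out

def email_enabled_lookalikes(domain: str,
                             resolve_mx: Callable[[str], Iterable[str]]) -> Dict[str, List[str]]:
    """Return {lookalike: [mx hosts]} only for variants with a live MX answer."""
    flagged: Dict[str, List[str]] = {}
    for cand in sorted(lookalikes(domain)):
        try:
            hosts = list(resolve_mx(cand))
        except Exception:          # NXDOMAIN / NoAnswer / timeout: not a sender
            hosts = []
        if hosts:
            flagged[cand] = hosts  # red flag: a lookalike that can send mail
    return flagged

def fake_resolver(domain: str) -> List[str]:
    """Offline stand-in for an MX lookup, backed by the constructed table."""
    if domain not in FAKE_DNS:
        raise LookupError(f"NXDOMAIN {domain}")
    return FAKE_DNS[domain]
```

Running `email_enabled_lookalikes(LEGIT_DOMAIN, fake_resolver)` flags only `buck5.com`; the registered-but-MX-less `bucks.net` is reported nowhere, which matches the point that the MX record, not the registration alone, is the signal to act on.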
Unfortunately, it's not just professional sports teams that are affected by this scam. Banks, healthcare companies, retailers, manufacturers, and pharmaceutical firms have all been targeted. This time, the cyber criminals were stealing W2 forms, but they might just as easily have used their email exploit to request a cash transaction, or to infect the Bucks' infrastructure with ransomware, malware, or other nefarious mechanisms.
And every industry has experienced the fallout of BEC attacks that succeeded. Victimized banks and healthcare organizations have recently been in the news, and will continue to be prime targets. But the attack on the Milwaukee Bucks should serve as a warning to all CISOs -- no business is safe from cyber attackers.