Cybercriminals know no boundaries. While the world battles the COVID-19 pandemic, threat actors continue to attack businesses that may already be suffering from operational setbacks. Over the past few weeks, we have seen attackers hit companies with various phishing and malware attacks. This time, even business email compromise (BEC) gangs have joined the malicious cause.
Case in point, members of the well-known BEC gang Ancient Tortoise are attempting to cripple companies with payment detail change requests and fake invoices supposedly from suppliers. The attackers are seemingly hijacking ongoing email threads to make the scam believable. The emails sent include legitimate transaction details that only the supplier knows. And since the requests for payment almost always involve overdue invoices, the attackers are able to give their ploys a sense of urgency.
Thwarting BEC attacks can be difficult. However, email validation solutions and domain monitoring capabilities, in general, can help. In the above-cited example, while the cyber thieves may have been able to explain why the change in payment details was necessary, there is no possible reason for them to use a different domain than the one used by a long-term supplier.
That said, an organization that indeed does obtain supplies from a company with the domain acme[.]com, for instance, should still treat getting an email from an address under acmee[.]com as a red flag. Businesses that employ email validation may be able to see warnings about the sender’s email address if that’s the case.
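One way to implement the red-flag check described above, as an added example that is not the article's or any vendor's code: a small Python classifier that compares a sender's domain with a constructed allowlist of supplier domains and flags near-misses such as acmee[.]com for acme[.]com by edit distance. The allowlist contents and the two-edit threshold are assumptions.

```python
# Added example: flag sender domains that differ only slightly from a known
# supplier's domain (e.g. acme.com vs acmee.com). Not from the original article.

# Constructed allowlist of supplier domains accounts payable already works with.
KNOWN_SUPPLIER_DOMAINS = {"acme.com", "globex.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain of an email address; accepts defanged '[.]'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().replace("[.]", ".").strip(".")


def classify_sender(address, suppliers=KNOWN_SUPPLIER_DOMAINS, max_dist=2):
    """Return (verdict, matched_supplier).

    'trusted'   - domain is exactly a known supplier domain
    'lookalike' - within max_dist edits of a supplier domain: treat as a red flag
    'unknown'   - no resemblance to any known supplier
    """
    domain = sender_domain(address)
    if domain in suppliers:
        return "trusted", domain
    closest = min(suppliers, key=lambda s: edit_distance(domain, s))
    if edit_distance(domain, closest) <= max_dist:
        return "lookalike", closest
    return "unknown", None


if __name__ == "__main__":
    for addr in ("jsmith@acme.com", "jsmith@acmee[.]com", "jsmith@example.org"):
        print(addr, classify_sender(addr))
```

A 'lookalike' verdict is a reason to hold the payment-change request for out-of-band confirmation with the supplier, not proof of fraud on its own.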
Our Email Verification API query for the suspicious email address jsmith@acmee[.]com revealed that it failed the Simple Mail Transfer Protocol (SMTP) test. That means the email address does not exist on the target SMTP server or temporarily cannot receive messages. The message a potential victim received therefore most likely did not come from that sender at all, or the sender account has since been deleted.
This finding alone should be enough to stop the address from delivering messages to any employee, sparing the targeted organization an otherwise huge financial loss.
A company’s security operations center (SOC) can integrate Email Verification API into existing cybersecurity solutions to serve as an additional layer of protection against attacks such as BEC and other phishing scams. In this particular case, the API can be set to block emails coming from addresses that lack an SMTP connection.
For companies that want to make doubly sure they aren’t blocking legitimate emails from suppliers and other stakeholders, using WHOIS Lookup on top of Email Validation API may help.
Via a WHOIS lookup, users can easily compare suppliers’ domain registration details with those of potential copycats. A comparison of the WHOIS records of acme[.]com and acmee[.]com, for instance, revealed:
These inconsistencies may point to two separate entities or registrants. So even if J. Smith were an acmee[.]com employee (which is unlikely, as his email address does not actually exist there), he certainly is not from the organization's supplier acme[.]com. What's more, acmee[.]com itself is probably just one more victim in this story, its domain having been spoofed by the attackers.
BEC attacks are no laughing matter, as they accounted for half of the total amount that organizations lost to cybercrime in 2019. Every victim can lose an average of US$75,000 per attack, which, let's face it, can be detrimental, especially amid the ongoing crisis. That makes email validation a crucial part of every SOC's standard cybersecurity protocols.