Criminals are using fake domains and emails to pose as CEOs, and convince employees to send them money, in some cases millions of dollars. The FBI calls this scam business email compromise (BEC), or CEO fraud. In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.
It is easy and cheap. There is no barrier to entry for criminals to set up new domains. And, they can set them up using a completely anonymous throw away email address so it can’t traced back. And, it’s free, because domain issuers often run promos for free, 30-day trials. BEC has been reported in all 50 states and 80 countries.
How to get started:
- Pick an organization you want to defraud.
- Get any credit card number (stolen or fake) and throw away free email address.
- Use the credit card number and email account to sign up for a free new domain of your choice and an associated email address using any one of the myriad providers that give away services as a marketing promotion. Pick a domain name very similar to the target organization’s domain, with a slight misspelling. For example, if you are targeting AcmeRoadRunner.com, you could sign up for the AcmeRoadRuner.com domain (notice it is short an “n”) and then set up a fake email account for the CEO, firstname.lastname@example.org.
Case in point: Vistaprint offers a month’s free web hosting with the available domain of your choice plus an email account that uses said domain. They do not verify the requestor’s identity, nor charge the card used to sign up. This offer has proven to be very attractive to fraudsters. They can instantly stand up a domain and email account and immediately begin perpetrating fraud. Our research shows that the average time between setting up the domain and email, to sending the first fraudulent email is minutes.
Here’s an example of how it works: criminals begin by sending a fake CEO email request to the accounting department for an immediate wire transfer payment for an urgent purchase. The request will include wire transfer payment information for a bank account controlled by the criminal. The accounts payable clerk receives the meticulously crafted CEO email request with only one likely undiscernible error—the company email address is missing a letter. There is a high likelihood that accounting will ask for more information, but enough transactions of this type are completed without any questions from accounts payable to make this scam profitable.
And even if it is questioned initially, a confident fraudster can manage the follow-up email conversation well enough to get the money transferred. Whether the scam succeeds or fails, the stolen credit card and disposable email address make tracking down the perpetrator difficult.
A couple of successful scams include:
- Ubiquiti Networks suffered a whopping $46.7 million loss (http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/ )
- The Scoular Co. lost $17.2 million (http://www.omaha.com/money/impostors-bilk-omaha-s-scoular-co-out-of-million/article_25af3da5-d475-5f9d-92db-52493258d23d.html )
With all of the criminal activity perpetrated via domain names and email, one would think that certain safeguards would be put in place. Some thoughts:
- Organizations should put in place a security policy that blocks sending and receiving of emails that are similar to the genuine domain, but slightly different. There are also services that monitor the registration of a domain – though they may be too slow to be effective.
- The domain registration process could build in lag time, perhaps 24 hours, between the request and standing up the site so they can complete some minimal verification of the domain chosen, perhaps confirm that the website is not too similar to an existing website and/or that the user and or credit card are real.
- Of course the problem here is that having a human vet the registration, even by spending a single minute reading the form data, adds cost and that cost threatens the viability of the intended business model. Though possibly not as much as the potential class action lawsuit from the fraud victims.
Registration of fake domains by fraudsters and hackers is a real problem that is relatively easy to solve and even a very simplistic fix would prevent a great deal of crime. The BEC scam is just one example of how criminals use fake, free domains to perpetrate crimes. One would hope that domain vendors take notice of this issue, and begin to put policies and processes in place to help stamp out this type of criminal activity.