Business Email Compromise: A Case Study

Published by Ryan Miller on

Update: The screen capture below was taken from the Parents Nest page on Facebook. The only parent to get through to anyone at Charter School Associates who could provide information didn’t receive any of the phishing emails and was given a head-in-the-sand denial about the email compromise.

Pinellas Academy of Math and Science (PAMS) experienced a business email compromise on Tuesday, June 6th. Based on my experience as a Chief Information Security Officer and the information in the Verizon 2019 Data Breach Investigations Report, I will give a rundown of what happened, what should have happened, and what could have happened. This analysis involves some speculation because of the information vacuum PAMS has put parents in through minimal communication about the compromise. I will provide the most likely scenarios for the speculative portions.

The Compromise

Two phishing emails were sent from two different PAMS email addresses. The first email was received by several people (total recipients unknown) at 12:45 PM on Tuesday, June 6th. Approximately 24 hours later, a second phishing email from a different PAMS email address was sent out and reported by several people (total recipients unknown). Both compromised email accounts had communication with most of the parents and faculty, making them high-value targets, and the targeting of these accounts appears intentional.

There is the possibility that the targeting of these two accounts was random (value-wise) and the attacker hit pay dirt by chance.

After speaking to one of the account owners just after the second phishing email was received, it was apparent they weren’t phished for the email account credentials, leaving credential stuffing as the likely culprit. Credential stuffing works like this: someone reuses a password on multiple accounts (email, Netflix, etc.); one of the services where they reused that password is compromised and its email/password list is dumped on the internet; attackers buy those lists and then try each email address and password combination on commonly used services.

Another possible scenario is that malware resides on the computer, capturing every keystroke and sending the captured data to a remote server where the attacker later analyzes it for useful information. Malware on the computer is a less likely scenario, but it should still be considered and checked for by running an anti-virus scan and reviewing operating system logs.
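Credential stuffing has a recognizable shape in sign-in logs: one source trying many different accounts in quick succession, with an occasional success among the failures. The following is an added example (not from the original post) of a detector for that pattern over a constructed, simplified sign-in log; the log format, the IPs and the pams.example accounts are all made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log lines (not real PAMS data): time, source IP, account, result.
SAMPLE_LOG = """\
2019-06-04T02:11:07Z 203.0.113.7 a.teacher@pams.example FAIL
2019-06-04T02:11:09Z 203.0.113.7 b.teacher@pams.example FAIL
2019-06-04T02:11:12Z 203.0.113.7 c.office@pams.example FAIL
2019-06-04T02:11:14Z 203.0.113.7 d.office@pams.example SUCCESS
2019-06-04T02:11:15Z 203.0.113.7 e.staff@pams.example FAIL
2019-06-04T08:30:00Z 198.51.100.5 a.teacher@pams.example FAIL
2019-06-04T08:30:20Z 198.51.100.5 a.teacher@pams.example SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Yield (time, ip, account, success) from the simple log format above."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, account, result = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "SUCCESS"


def find_stuffing_sources(text, min_accounts=3, window_s=600):
    """Flag source IPs that try many distinct accounts within a short window.

    One user fumbling a password hits one account from one IP; a stuffed
    credential list hits many accounts from the same source in quick
    succession, sometimes landing a success among the failures.
    Returns {ip: {"accounts": n, "successes": [accounts]}} for flagged IPs.
    """
    by_ip = defaultdict(list)
    for when, ip, account, ok in parse_log(text):
        by_ip[ip].append((when, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # All events from event i forward that fall inside the window
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            accounts = {a for _, a, _ in window}
            if len(accounts) >= min_accounts:
                flagged[ip] = {"accounts": len(accounts),
                               "successes": sorted(a for _, a, ok in window if ok)}
                break
    return flagged
```

Accounts listed under "successes" for a flagged source are the ones to reset first, and the single-account failures from 198.51.100.5 are left alone so ordinary typos do not page anyone.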

What concerned me is that IT was not notified of the compromise until 24 hours after the first phishing email was received – moments before I called. All subsequent communication with the school faculty turned protective of the incident. Any information I gave to the faculty returned a reply that it would be passed along to IT, and any information I requested went unanswered. Based on the responses shortly after IT was notified, and the absence of any compromise notification after 24 hours, there’s a good chance they are trying to sweep this incident under the rug, except for the Parents Nest post where parents were told not to open the email and that the problem was being fixed.

The difference between this incident and typical credential stuffing is that these were PAMS email addresses. While the PAMS email addresses could have been used to sign up for accounts, the likelihood is low, which makes the case for intentional targeting stronger: a degree of open-source intelligence (OSINT) would be required to tie a non-PAMS address to an individual who worked at PAMS, and then further methods to discover that individual’s PAMS email address. OSINT involves using various search engines to find information on people, such as public records for speeding tickets, voter registration records, social media (Facebook, Twitter), and people finder websites such as White Pages and Fast People Search.

I left the IT Director of Charter School Associates a voicemail on Wednesday, June 7th, after the second phishing email was received. When speaking with the receptionist at Charter School Associates, I kind of gathered that information security was a secondary duty for IT staff and that there are no dedicated information security employees – a common occurrence. I asked to speak with someone who had information security responsibilities and was transferred to the IT Director. I have not had my phone call returned as of Tuesday morning, June 11th.

At this point, it’s impossible to know how many parents were phished for their email account credentials and have an attacker going through the details of their lives as you read this. All because the communication channels the school has weren’t used to notify all (if not most) parents of the compromise, and a central point of communication for questions and answers about what’s happening and when was not established. Something else to keep in mind is that we don’t know how long the attackers had access to the email accounts before the phishing emails were sent out. It’s possible that the attacker had days, weeks, or even months of access. Whether the attacker had access to the accounts for days or months, that is enough time to scrape personal information such as names, email addresses, phone numbers, physical and mailing addresses, birthdays, and possibly social security numbers, because you might or might not be surprised what people will put in an email.

Communication

The total number of recipients is unknown because of who reported the emails first. PAMS has a private Facebook group called Parents Nest where announcements, news, and questions about the school can be answered. Parents Nest is run by parents of students who go to PAMS, but it is not directly supported by the school. Since Parents Nest isn’t an official PAMS Facebook group, PAMS has not gone to any lengths to advertise its existence, so only a fraction of the parents have joined the group.

Parents Nest is where all of the communication about the compromise happened. PAMS has a mass communication system in place that uses email and text messages to disseminate information. No word about the compromise came through email or text message, leaving anyone who wasn’t a member of Parents Nest unaware that an attack was underway unless they could recognize a phishing email on their own.

The Email

After looking at the header information in the email, it appears that the email did originate from within Office 365, which is what the school uses.

Email header information from the phishing email

In the image above the mailbox type is hosted, the originating organization is PAMS, and lines above the part I screen-clipped verify the sender mailbox as active. The IP address points to webmail (office.com) as the place the email was sent from.
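The header reading above is the key triage step: a message that passes SPF, DKIM and DMARC for the school's own domain and was submitted by a signed-in mailbox is a compromised account, not a spoofed sender, and the remedy is credentials and MFA rather than mail filtering. The following is an added example (not from the original post) that pulls those indicators from a constructed set of headers; the hostnames, IPs and pams.example domain are placeholders, and the X-MS-Exchange-Organization-AuthAs header name is assumed to carry the Internal/Anonymous marker Exchange stamps on submitted mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers (not the actual PAMS email); hostnames and IPs are placeholders.
SAMPLE_HEADERS = """\
From: Staff Member <staff@pams.example>
To: parent@example.net
Authentication-Results: spf=pass (sender IP is 203.0.113.20) smtp.mailfrom=pams.example; dkim=pass header.d=pams.example; dmarc=pass action=none
X-Originating-IP: [203.0.113.20]
X-MS-Exchange-Organization-AuthAs: Internal
Received: from MAIL2.outlook.example by MAIL3.outlook.example with ESMTP; Tue, 4 Jun 2019 12:45:02 +0000
Received: from MAIL1.outlook.example (203.0.113.20) by MAIL2.outlook.example with HTTPS; Tue, 4 Jun 2019 12:45:00 +0000

"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def triage_headers(raw):
    """Collect the origin indicators an analyst reads first from a suspect message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    received = msg.get_all("Received") or []
    # Each hop prepends its own Received header, so the last one is the earliest hop.
    first_hop = received[-1] if received else ""
    ip = IP_RE.search(msg.get("X-Originating-IP", "") or first_hop)
    return {
        "sender_domain": sender_domain,
        "spf": auth.get("spf"), "dkim": auth.get("dkim"), "dmarc": auth.get("dmarc"),
        "originating_ip": ip.group(0) if ip else None,
        # Assumed header name: Exchange marks mail submitted by a signed-in mailbox as Internal
        "auth_as": msg.get("X-MS-Exchange-Organization-AuthAs"),
        "first_hop": first_hop.split(";")[0].strip(),
    }

def origin_verdict(t, org_domain):
    """Distinguish a spoofed sender from a real mailbox that has been taken over."""
    claims_org = t["sender_domain"] == org_domain
    authenticated = all(t[k] == "pass" for k in ("spf", "dkim", "dmarc"))
    if claims_org and authenticated and t["auth_as"] == "Internal":
        # The mailbox itself sent it: the fix is credentials and MFA, not mail filtering.
        return "compromised-account"
    if claims_org:
        return "spoofed-sender"
    return "external"
```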

The method that was used to execute this phish is more sophisticated than what I usually see. The link in the email brings you to box.com (a cloud storage provider), where there’s a shared file that looks like a webpage with a link in the middle. The link on the box.com page brings you to the actual phishing page, where you are asked to sign in to view a protected document using Gmail, Outlook.com, Hotmail, or several other options.

The link inside phishing email one
The link inside phishing email two

The reason for using a cloud storage provider to host the real phishing link in two different shared files is two-fold: 1) cloud storage providers go to great lengths to keep their service off malicious URL blacklists, so app.box.com/s/<file name> will pass incoming and outgoing spam filters, and 2) phishing pages can be set up and deleted quickly using different service accounts to maximize the length of time the attacker can collect email credentials. The email addresses used for the Box.com accounts hosting the phishing pages likely belong to victims.

Here are some findings from the Verizon Data Breach Investigations Report that give a better idea of why these compromises happen.

  • Financially motivated breaches fell from 76% to 71%
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC [Business Email Compromise] attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved employees
  • 43% of cyberattacks were on small businesses
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

A Better Response

Once there was evidence that one email account had shown signs of compromise, a breach notification should have been sent out over text message and email to reach as many people as quickly as possible, alerting them that phishing emails had been sent from an account and not to click any links inside PAMS emails until further notice. If a phishing email hadn’t been sent, the response would have been different because there wasn’t immediate danger of compromise outside of PAMS. In that case the notification would come after mitigation (password reset, two-factor authentication) and an investigation into whether or not data had been taken, and it would include what Charter School Associates did, when they did it, what they found as a result of the investigation, and any steps that people would need to take to protect themselves if sensitive data was stolen.

Upon indication that a second email account had been compromised within 24 to 48 hours, a password reset for all PAMS email accounts should’ve been initiated, and another alert sent via text message and email stating that an email account had been compromised and not to click any links in emails from PAMS until further notice. In addition to the mass password reset, a password history restriction of at least three passwords should be implemented if it hasn’t been already. A password history restriction means that you can’t reuse any of the last three passwords you’ve had for that email account.

Based on the time of day the emails were sent, the attacker is doing a good job of blending in with normal traffic patterns for email use at the school. The mass password reset is warranted because two compromises close together leave the presumption that more accounts could be compromised. Instead of waiting for each account to show indicators of compromise, it’s best to take care of all accounts at once. An investigation into what happened and when would be greatly aided by turning on much of the logging in Office 365 so you can gather as many details of activity as possible. Also, Office 365 offers several options for two-factor authentication that include a randomly generated passcode, a phone call, a smart card, and a biometric device, making better security possible on any budget.

What’s at the core of proper incident response is policies and procedures that each employee must be informed of so they can report suspicious activity promptly. A policy would have dictated that there be a breach notification, and procedures would have shown when and how to conduct a breach notification and who the responsible party is for sending it out. A policy would dictate the extent to which IT is to investigate and remediate compromises (by scenario), while procedures and guidelines would dictate what to do in each scenario and who to contact when third-party incident response is needed.

In conclusion, the school has sensitive information on you and your children, and you have the right to know when that information falls into the wrong hands. PAMS is obligated to do what a school of its size and funding can do to protect the information of parents and students. Based on what they didn’t do publicly and how they became tight-lipped, they fell well short of minimal expectations. PAMS has said a lot by what it hasn’t said throughout this incident.


Ryan Miller

A husband, a father of 3, my daughter's sounding board, writes on all topics of cybersecurity, an expert at dad humor, a security engineer, an analyst, a network administrator, and Desktop Support Tier I-III.