By Bruce Sussman
Thu | Oct 29, 2020 | 3:06 PM PDT

In battleground states like Wisconsin, money from political campaigns and political parties is flowing like water.

For voters, that means a bombardment of ads, mailers, and signs.

On the backend, for campaign bean counters, it means an onslaught of invoices to pay.

Hackers know this, and they just hit a multi-million dollar payday courtesy of the Republican Party of Wisconsin.

Business Email Compromise attack steals millions from Republicans

Republican Party Chairman Andrew Hitt told the Associated Press his organization unknowingly sent more than $2.5 million to hackers after falling for a Business Email Compromise (BEC) attack.

"Hitt said the hackers were able to manipulate invoices from four vendors who were being paid to send out direct mail for Trump's reelection efforts and to provide pro-Trump material such as hats that could be handed out to supporters. Invoices were altered so when the party paid them, the money went to the hackers instead of the vendors."

And this is affecting urgent, last-minute Republican Party spending, which he says was earmarked to help President Trump win again in this battleground state:

"There's no doubt RPW is now at a disadvantage with that money being gone," Hitt said. The party and campaign need money late in the race to make quick decisions.

As a reminder, President Trump won Wisconsin in 2016 by just 23,000 votes. Millions of dollars less in last-minute spending could impact the race if it is close again during this election cycle, especially because Biden has outspent Trump by nearly two-to-one on Wisconsin TV advertising this fall.

Business Email Compromise: how it works now

Republican Party Chairman Hitt says the attack may have started with a phishing email, where someone at the organization revealed their username and password, which gave the cybercriminals access to an email account.

SecureWorld recently interviewed U.S. Secret Service Agent Chris McMahon about how these types of attacks work.

He says once cybercriminals have account access, they don't read every email. Instead, they watch for the ones that could make them money.

"When it comes to invoicing, we've seen this in multiple instances across the country. They [the attackers] set up forwarding rules. So they're being forwarded the important emails, paying attention to those.

And when it's time to do the invoice, they'll go ahead and create the invoice that looks legitimate, but the bad actor's account information is on that invoice. And so it happens that quickly, right? Because the bad actors are sitting on that email address. They're watching and continually watching those emails come back and forth and so they know exactly when to send a fraudulent email. So it doesn't look like it's out of place."

And McMahon says many organizations respond by changing the login credentials of the compromised accounts, but at that point, attackers are still getting your proprietary information.

"You can change your password all day long. But if those email forwarding rules are there, then those emails are still getting sent to the bad guy.

We recently investigated a case, it was a local government case, and they were infiltrated and there were 136 email forwarding rules on one person's email—136."
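Because forwarding rules outlive a password reset, responders need to review the mailbox rules themselves. The following is an added example, not code from the article or from the Secret Service: a Python audit that flags rules sending mail outside the organization. It assumes the rules have been exported as JSON shaped like Microsoft Graph messageRule objects (the article names no mail platform), and the sample rules, addresses, and the function name are constructed for illustration.

```python
import json

# Constructed sample: inbox rules for one mailbox, shaped like Microsoft Graph
# messageRule objects (an assumption; the article names no mail platform).
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true, "actions": {"moveToFolder": "AAMkAGI2"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice", "payment", "wire"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "ap-copy@mailbox.example.net"}}],
               "markAsRead": true}},
  {"displayName": "Team copy", "isEnabled": true,
   "actions": {"forwardTo": [{"emailAddress": {"address": "finance@party.example.org"}}]}},
  {"displayName": "old", "isEnabled": false,
   "actions": {"redirectTo": [{"emailAddress": {"address": "Archive@Mailbox.Example.NET"}}],
               "delete": true}}
]
""")

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_ACTIONS = ("delete", "permanentDelete", "markAsRead", "moveToFolder")

def external_forwarding_rules(rules, internal_domains):
    """Return one finding per rule that sends mail outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = []
        for key in FORWARD_ACTIONS:
            for rcpt in actions.get(key) or []:
                addr = rcpt.get("emailAddress", {}).get("address", "").lower()
                if addr and addr.rpartition("@")[2] not in internal:
                    external.append(addr)
        if external:
            findings.append({
                "rule": rule.get("displayName", ""),
                # Disabled rules are reported too: they can be re-enabled later.
                "enabled": bool(rule.get("isEnabled")),
                "external_recipients": sorted(external),
                # Actions that keep the mailbox owner from noticing the copy.
                "hides_mail": sorted(k for k in HIDE_ACTIONS if actions.get(k)),
            })
    return findings

if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_RULES, {"party.example.org"}):
        print(finding)
```

Run it against every mailbox in the organization, not only the one known to be compromised, and remove flagged rules as part of the same response that resets the credentials.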

The enterprise business model of cybercrime is behind BEC attacks

Business Email Compromise (BEC) attacks occur in both the private and public sector and involve someone's email being compromised. 

It's easy to imagine a hacker in their mom's basement trying to outsmart you or your employees. But the Secret Service's McMahon says BEC attacks led to $26 billion (yes, with a b) in losses between 2016 and 2019. 

In other words, these are big-business operations, which McMahon calls the Enterprise Business Model of Cybercrime. We interviewed him about this on a SecureWorld podcast episode.

And here is what he and his fellow investigators have uncovered about how these BEC attack organizations are structured:

"They have the CEO level where you are giving direction on what to do. And at the end of the day, they get a cut of the money that comes through. So you are kind of the strategy person.

Then under them, you'll have an HR function where you're recruiting people and you are managing the people that you recruit into the fraudulent world.

And then you'll have your IT people who either develop the malware or they'll go out and buy malware... to infiltrate the computers or the systems that they're looking to do... in order to commit the crime.

And then under that, you'll have runners or mules where those people are the ones that are actually passing the money. And so it truly is like an organization."

The number one thing to do after a BEC attack

From multinational victims like Nikkei America ($29 million) to local religious organizations like the Saint Ambrose Catholic Parish in Ohio ($1.7 million), and now the Republican Party of Wisconsin ($2.5 million), BEC attacks continue to claim victims and make cybercriminal organizations massive amounts of money. 

Any organization can become a victim.

However, some have much better chances of getting their money back than others.

What we know is that most monies lost in BEC attacks are headed for either Africa or Asia. Typically it takes a few "hops" for the money to get routed through the U.S. banking system before it leaves the country and is out of reach.

That's why U.S. Secret Service Agent Chris McMahon says you absolutely must report your BEC case to federal authorities as soon as you discover you've been duped.

"Reporting it is a hugely important factor when it comes to being able to investigate or recover the money. Typically, we're able to recover some or even a significant portion of the funds. But usually by 72 hours, it is really, really hard to recover any of that money."

In the case of the Republican Party of Wisconsin, the organization discovered the successful BEC attack on October 22, 2020, and notified the FBI the following day.

So there's at least a chance it might recover some of its $2.5 million in last-minute pro-Trump spending money.

And that could make a difference in this presidential battleground state.