Pierluigi Paganini April 30, 2019

Crooks have stolen $1.75 million in a church BEC (Business Email Compromise) attack, the victim is the Saint Ambrose Catholic Parish.

Cybercriminals have stolen $1.75 million in a BEC (Business Email Compromise) attack against the Saint Ambrose Catholic Parish.

Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio.

The Saint Ambrose Catholic Parish discovered the BEC attack on April 17 when was making payments related to a Vision 2020 project that were never received by a contractor (Marous Brothers Construction).

According to the investigation conducted by the FBI and Brunswick police, hackers broke into the parish’s email system, likely via a phishing attack. Attackers were able to trick the personnel into believing that the contractor had changed their bank, and asked them to transfer the funds to a new bank account under their control.

In a letter to the parish, Fr. Bob Stec explained he was contacted by the contractor that informed him that he did receive the payments for the past two months.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000.” reads a letter sent to parish by Pastor Father Bob Stec.

“This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

According to Stec, crooks accessed two St. Ambrose employees’ email accounts. Attackers only compromised the email system, they did not access to the parish database that is stored in a secure cloud-based system.

“We are working closely with the Diocese and its insurance program to file a claim in the hopes that Marous Brothers Construction can receive their payment quickly and we can bring this important project for our parish to a positive completion,” Stec said in the letter.

The parish submitted an insurance claim in the attempt of recovering the stolen money.

“At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information.” Stec added. “They have determined the breach was limited to only two email accounts.”

BEC attacks represent a serious threat for businesses, according to the recently released 2018 Internet Crime Report by FBI’s Internet Crime Complaint Center (IC3), BEC scams reached $1,2 billion in profits.

“In 2018, the IC3 received 20,373 BEC/E-mail Account Compromise (EAC) complaints with adjusted losses of over $1.2 billion” reads the report.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]