An Israel-based cybercriminal group has launched more than 350 Business Email Compromise (BEC) campaigns over the past two years, targeting large multinational companies around the world. The group is notable for some of the techniques it uses, such as spoofing email display names and inserting multiple fake personas into email chains, and for the abnormally large sums of money it attempts to extract from organizations.
“Like most other threat actors that focus on enterprise email compromise, this group is fairly industry agnostic in its targets,” researchers at cloud email security firm Abnormal Security said in a report. “They are targeting multiple industries simultaneously, including manufacturing, financial services, technology, retail, healthcare, energy and media.”
The targeted organizations were headquartered in 15 countries, but because they are multinational corporations, employees of these companies from offices in 61 different countries were targeted. The group focuses on large companies because of the pretext it chose to justify the very large transfers it seeks: corporate acquisitions. It is not unusual for such multinational companies to acquire smaller companies in various local markets.
CEO impersonation is followed by lawyer impersonation
In many BEC scams, attackers target employees in finance or accounting departments who have access to the organization’s accounts. However, this group targets company executives and other senior leaders.
The first email appears to be from the company’s CEO and informs the recipient that the organization is in the process of acquiring a new company, but that the transaction is being monitored by financial market authorities and must remain confidential until a public announcement is made, to prevent any trading on privileged information.
This initial email seeks to obtain a promise of confidentiality, mentioning that the transaction could fail if information is leaked, but includes other hints such as that the acquisition will not be done from headquarters for tax reasons because the acquired company is in another country where the organization is looking to expand its operations. This also helps increase credibility if the target employee is a local executive in a given country rather than someone from headquarters.
“First, members of the executive team are likely to send and receive legitimate communications with the CEO on a regular basis, which means that an email from the head of the organization may not seem out of the ordinary,” the researchers said. “Secondly, given the stated importance of the purported acquisition project, it is reasonable to enlist the help of a senior leader of the company. And finally, because of their seniority within the organization, presumably there is less red tape that would need to be cut through in order for them to authorize a major financial transaction.”
If the recipient agrees to help, the follow-up email provides more information about the acquisition, such as the target company’s location and the need to make an “instalment” payment to secure the acquisition before competitors find out. This is also where the targeted employee is handed off to a second persona: they are told to contact a lawyer handling the acquisition. In many cases, lawyers from the professional services and financial consulting firm KPMG are impersonated in this second stage of the scam, and the KPMG logo is used in the email signature.
When this second persona, the lawyer, is contacted, the attackers respond with bank account information and the amount to be transferred. Communication in this second part of the scam is not always via email; in some cases the fake lawyer asked to speak via a WhatsApp voice call. The researchers followed one of the scams through, called the number and spoke to someone with a French accent who reiterated the need for urgency and secrecy and excused his poor English communication skills by saying he resided in Paris.
“An analysis of potential financial impact data from all payment fraud attacks shows that the average amount requested is $65,000,” the researchers said. “In contrast, this group requests an average of $712,000, more than 10 times the average. Because the main theme of these attacks is the acquisition of a company, and large sums of money are usually exchanged in these types of transactions, the amount may not raise red flags.”
Email spoofing techniques
In BEC scams, it’s not uncommon for attackers to compromise a company employee’s real email account and then launch their attack from there. However, because this group uses a specific lure that requires the CEO impersonation to be credible, attackers rely on email spoofing.
First, they establish whether the organization’s email domain has a DMARC policy enabled. DMARC is an email authentication protocol that aims to prevent sender forgery. If there is no DMARC policy, or it is misconfigured and ineffective, the attackers spoof the email address directly. However, if an effective policy exists, they use another technique known as display name spoofing.
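The two checks described above are worth running from the defender's side as well: does the organization's DMARC record actually enforce anything, and do incoming messages pair an executive's name with an external address? The following is an added example, not code from the Abnormal Security report or from any product it mentions. It assumes a hypothetical company domain `example.com`, a constructed executive directory, and constructed sample DMARC TXT records; a real deployment would fetch the `_dmarc.<domain>` TXT record over DNS and read the directory from the company's identity system.

```python
import re
from email.utils import parseaddr

# Constructed sample DMARC TXT records for a hypothetical domain; not taken from the report.
SAMPLE_DMARC_RECORDS = {
    "no-record": "",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "sampled": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Classify how well a published DMARC record stops direct spoofing of the domain.

    Returns one of: 'missing', 'ineffective', 'partial', 'enforcing'.
    'ineffective' is the misconfigured case the article mentions: a record exists,
    but p=none only asks receivers to report failures, never to quarantine or reject.
    """
    if not record.strip():
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"           # a malformed record is ignored by receivers, so it is as good as absent
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "ineffective"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        return "partial"           # the policy is applied only to a sample of failing mail
    return "enforcing"


# Constructed, hypothetical executive directory and the domains the company actually sends from.
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def display_name_findings(from_header):
    """Return the reasons a From: header looks like display-name spoofing (empty list if none).

    Two patterns are checked: an executive's name paired with an external address,
    and an email address embedded in the display name itself, which compact inbox
    views render as if it were the real sender address.
    """
    name, addr = parseaddr(from_header)
    findings = []
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain or domain in INTERNAL_DOMAINS:
        return findings            # mail from the company's own domain is covered by SPF/DKIM/DMARC, not this check
    for exec_name in EXECUTIVE_DIRECTORY:
        if exec_name in name.lower():
            findings.append(f"display name impersonates executive '{exec_name}' from external address {addr}")
    if EMBEDDED_ADDRESS.search(name):
        findings.append("display name contains an embedded email address")
    return findings


if __name__ == "__main__":
    for label, record in SAMPLE_DMARC_RECORDS.items():
        print(f"{label:13s} -> {dmarc_posture(record)}")
    # Constructed header in the shape the article describes: the executive's name and real
    # address placed in the display name, while the actual sender is an external mailbox.
    sample_from = '"Jane Doe <jane.doe@example.com>" <ceo.office@mail-relay.example.net>'
    for finding in display_name_findings(sample_from):
        print("FLAG:", finding)
```

The DMARC classifier deliberately treats `p=none` as ineffective rather than as "DMARC enabled": a monitoring-only record still lets a directly spoofed From: address reach the inbox, which is exactly the distinction the attackers are making. The header check is a mail-gateway or SIEM rule, not a replacement for DMARC; it catches the fallback technique that DMARC cannot, because the sending domain in that case is genuinely the attacker's own.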
Many email clients will only display the sender’s name from the email header in the default compact view. Some clients will also add the email address after the name in a “Name
“Even the most security-conscious employees could be fooled by social engineering decoys like these, especially because of the legitimacy given by phone calls,” the researchers said. “And unfortunately, legacy security tools are unlikely to block initial attacks since they are sent from legitimate domains without suspicious links, malicious attachments, or other traditional indicators of compromise.”
Security awareness training to detect these types of scams is essential, as is having clearly defined internal procedures for verifying and authorizing transfer requests from company bank accounts. These may include always confirming any request made by email with a follow-up phone call to the person who made it, using, of course, the phone number listed in the company’s internal contact directory, not the one listed in the email.
Unfortunately, these scams are low-effort, high-reward, as attackers don’t need a large number of targets to fall for them in order to be successful. “Just one successful attack each month means these threat actors could be set for life, which may be why they only seem to work for a few months each year,” the researchers said.
Copyright © 2023 IDG Communications, Inc.
Ikaroa, a full stack tech company, is paying close attention to a recent report from Check Point Research which warned of a new campaign involving a threat group that is using fake company acquisitions as part of their CEO fraud schemes. According to the report, the group, which is identified as “Muddy Water” and is based in Israel, appears to be leveraging the takeover of an unsuspecting company’s legitimate web domains, social media accounts and online branding to carry out their schemes.
Using publicly available information, the group identifies potential targets, crafts messages that resemble the employees’ own emails, performs social engineering and tricks employees into wiring money or disclosing sensitive information. The attack was initially thought to have been limited to only a few countries; however, with recent news that the group is now targeting companies from a range of industries and countries, companies have to be more aware of their cybersecurity posture and have a proper response plan.
As experts in cybersecurity, Ikaroa urges businesses to stay vigilant about the schemes of cybercriminals and suggests adopting and deploying the latest tools and technologies to protect their systems. Additionally, it is important for businesses to use proper authentication methods for sensitive information and consider implementing virtual private networks and strong passwords. By being proactive and taking the necessary measures, companies can greatly reduce the risk of a successful attack.
By staying informed, increasing security, and heeding the warnings from cybersecurity experts, companies can secure their environments and protect their most valuable data. At Ikaroa, we take pride in helping companies protect themselves from existing and emerging threats and look forward to working with companies in mitigating the effects of cyber-attacks.