An Israeli group of cybercriminals has launched more than 350 business email compromise (BEC) campaigns over the past two years, targeting large multinational companies from around the world. These criminals are utilizing techniques that set them apart from other BEC attackers, including email display name spoofing and multiple fake personas in the email chains. They are also different as they are attempting to extract unusually large sums of money from their targets. The targeted organizations have headquarters in 15 countries, but since they are multinational corporations, employees of these companies from offices in 61 different countries were targeted.
What makes this group unique compared to other BEC attackers? The group focuses on large enterprises and uses a particularly persuasive lure to justify the very large transfers it is after, namely company acquisitions. Large companies routinely acquire smaller firms in local markets, and large sums of money change hands in such deals, so the amounts requested in these emails seem plausible and are less likely to raise any red flags.
In many BEC scams, attackers target employees from the finance or accounting departments that have access to the organization’s accounts. However, this group targets company executives and other senior leaders. The first email appears to come from the company’s CEO and informs the recipient that the organization is in the process of acquiring a new company but that the transaction is supervised by financial market authorities and needs to remain confidential until a public announcement is made to avoid any insider trading.
One of the unusual aspects of this BEC group is that it follows up the CEO impersonation with lawyer impersonation. The second part of the scam is where the targeted employee is referred to a lawyer specializing in acquisitions. In many cases, solicitors from professional services and financial consulting firm KPMG are being impersonated in this second stage of the scam and the KPMG logo is used in the email signature. When this second attorney persona is contacted, the attackers respond with the bank account information and the amount that needs to be transferred to carry out the acquisition before competitors might get wind of it.
In BEC scams, it's not unusual for attackers to compromise a company employee's real email account and then launch the attack from it. This group's lure only works if the CEO is impersonated credibly, so the attackers rely on email spoofing instead. To trick victims, they set the display name of their message to not just the CEO's full name but the CEO's email address as well, so the recipient sees the familiar address even though the message actually comes from a different mailbox.
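A simple way to surface the display-name trick described above is to check every inbound From: header for an address-shaped token inside the display name and compare it with the real sender address. The following is an added example written for this article, not code from Abnormal Security or from any vendor; the sample headers, the internal domain list and the `.example` domains are constructed placeholders.

```python
"""Flag From: headers whose display name carries an email address that
differs from the real sender address (the display-name spoofing trick
described in the text). Added example; not the article's or any vendor's code."""
import re
from email.utils import parseaddr

# Loose pattern for an address-shaped token inside a display name.
# It is intentionally simple: the point is to notice that an address
# appears at all where only a person's name should be.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Domains the organization actually owns (constructed placeholder value).
INTERNAL_DOMAINS = {"example-corp.com"}


def check_from_header(from_header, internal_domains=INTERNAL_DOMAINS):
    """Return a verdict dict for one From: header value."""
    display_name, real_addr = parseaddr(from_header)
    real_addr = real_addr.lower()
    real_domain = real_addr.rpartition("@")[2]
    reasons = []

    for embedded in {m.lower() for m in EMBEDDED_ADDR.findall(display_name)}:
        # Display name claims one address, envelope/header carries another.
        if embedded != real_addr:
            reasons.append(
                f"display name shows {embedded} but mail is from {real_addr}")
        # An internal identity presented from an external domain is the
        # CEO-impersonation pattern the article describes.
        embedded_domain = embedded.rpartition("@")[2]
        if embedded_domain in internal_domains and real_domain not in internal_domains:
            reasons.append(
                f"internal identity {embedded} presented from external domain {real_domain}")

    return {
        "display_name": display_name,
        "address": real_addr,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample headers (not real messages). The first two mimic the
# spoofing pattern; the last two are benign.
SAMPLE_HEADERS = [
    '"Jane Smith ceo@example-corp.com" <jane.smith.ceo@freemail.example>',
    '"Jane Smith (ceo@example-corp.com)" <js.office@freemail.example>',
    'Jane Smith <ceo@example-corp.com>',
    'Acme Billing <billing@acme-vendor.example>',
]


def triage(headers=SAMPLE_HEADERS):
    """Run the check over a batch of headers and return only the flagged ones."""
    return [r for r in (check_from_header(h) for h in headers) if r["suspicious"]]


if __name__ == "__main__":
    for result in triage():
        print(result["address"], "->", "; ".join(result["reasons"]))
```

In a mail gateway or SIEM this check would run on the parsed From: header of each inbound message and feed a quarantine or a warning banner; it deliberately ignores links and attachments, since the messages described here carry neither.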
According to researchers from cloud email security firm Abnormal Security, “Even the most security-conscious employees could be tricked by socially engineered lures like these, particularly due to the legitimacy given by the phone calls. And unfortunately, legacy security tools are unlikely to block the initial attacks since they are sent from legitimate domains without suspicious links, malicious attachments, or other traditional indicators of compromise.”
Security awareness training for spotting these types of scams, as well as having clearly defined internal procedures in place for verifying and authorizing transfer requests from the company’s bank accounts, is essential. This could include always confirming a request made via email with a follow-up phone call to the person who made it, of course by using the phone number listed in the company’s internal contacts directory and not the one listed in the email.
These scams are low effort and high reward, as the attackers do not need a large number of victims to fall for them to be successful. “Just one successful attack each month means that these threat actors could be set for life, which is perhaps why they appear to only work a few months each year,” the researchers said, adding that these attacks are likely to continue as the group successfully extracts large amounts of money from unsuspecting victims.