A business email compromise campaign emanating out of Western Africa is targeting companies in a wide swathe of industries, bucking a trend of these scams focusing on wire fraud and targeting CEOs.
The criminals are using phishing emails with links redirecting victims to sites designed to harvest corporate email credentials.
Researchers at Flashpoint said it’s likely one individual or a small group working together on each phase of the attacks, which date back likely to before March and were still active as of Aug. 8. The researchers saw emails targeting large retail organizations, universities, software and tech companies, engineering, real estate companies and churches.
“These waves of emails are customized per organization, which is why we think it’s one individual or a small group because of the way the file structure is set up and the overlapping domains,” said Ronnie Tokazowski, senior malware analyst at Flashpoint.
He added that so far, the attackers have sent 73 PDFs with redirect links, and of those 73, Flashpoint was able to identify 70 unique URIs and 29 domains involved.
“We’re thinking it was email credentials they were targeting,” Tokazowksi said. Once the attackers have access to a victim’s email, they’re able to send additional phishing emails to contacts and target other organizations, Tokazowksi said.
Like most BEC campaigns, this one is fairly low-tech, relying instead on convincing social engineering to achieve its goals. While these attacks overall are progressing in sophistication, most still opt not to use malware or exploits for example, meaning the attacks avoid detection by antimalware and intrusion detection systems.
Another commonality among BEC campaigns is the targeting of executives in the hope of luring them into making fraudulent money transfers. This one, however, is much more scattered.
“The emails we saw were widely spread out, targeting anyone [in an organization],” Tokazowski said. “There’s no correlation between the targets other than throwing something out there hoping it sticks. This is very widespread, broad targeting.”
When the PDF is opened, it presents the victim with a prompt to view a secure document online. The prompt redirects the victim to a phishing site where there are several options available to download the alleged file. The user is prompted to enter their credentials, and once they do, the script redirects them to a document or webpage owned by the targeted organization, Flashpoint explains in a report published today.
Once the criminals harvest valid credentials, they can continue to pivot out and send additional emails to contacts who would view the messages as coming from a trusted source. They could also monitor the victim’s inbox for additional valuable information, Flashpoint said.
Despite the lack of technical sophistication, losses from BEC dwarf those attributed to ransomware. The FBI in May said that fraud and phishing due to BEC grew 2,370 percent from 2015 and led to $5.3 billion in losses since late 2013. Wire transfers are the primary vehicle for fraud in these schemes, the FBI said.
“If someone targeted me with this, it’s not something I would click. But with $5 billion in losses, these have to be convincing to someone,” Tokazowski said. “Going to a website that has a secure document with your company names adds an extra level of legitimacy to it. If it’s coming from a known organization or large entity out there, that adds more trust to the document.”