A phishing operation likely based in West Africa has been attempting to compromise various business email accounts in order to leverage them in even more targeted spear phishing communications.

An organized phishing scam operation likely based out of West Africa has been attempting to steal the business email credentials of users across a broad spectrum of industries, in hopes of compromising their accounts and leveraging them for even more targeted spear phishing scams, researchers at Flashpoint have reported.

According to a Flashpoint blog post on Tuesday, the Business Email Compromise (BEC) campaign has targeted universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches from March 28 through at least Aug. 8.

The phishers' weapon of choice: PDF files containing embedded, malicious links that redirect victims to credential-stealing websites. Flashpoint has discovered 73 such PDFs linking to 29 distinct malicious domains.

"Upon opening the PDF, the potential victim would be presented with a prompt to view a secure online document; when clicked, this prompt would redirect the victim to a phishing website to input their login credentials," the blog post explains. "Once a victim enters their login credentials, the script redirects the victim to a document or web page owned by the targeted organization."
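The lure described above relies on a PDF whose only active content is a link action pointing at an attacker-controlled host. A mail gateway or analyst can triage such attachments without rendering them by pulling every /URI action out of the file and flagging targets that leave the organization's own domains. The following is an added example written for this page, not code from Flashpoint or from the reported campaign; the embedded PDF bytes, the hostnames and the trusted-domain set are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal PDF whose single link annotation carries a
# /URI action to an external host, mimicking a "view secure document" lure.
# This is test input written for the example, not a PDF from the campaign.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://secure-docs.example.net/view?id=1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches "/URI (literal string)" and tolerates backslash-escaped parentheses.
# Limitation: hex strings (<...>) and URIs inside compressed object streams are
# not covered; a full PDF parser is needed for those.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape(raw: bytes) -> str:
    """Undo PDF literal-string backslash escapes such as an escaped parenthesis."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the PDF, in document order."""
    return [_unescape(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def _is_trusted(host: str, trusted: set[str]) -> bool:
    """True when host equals a trusted domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def flag_external_links(pdf_bytes: bytes, trusted_domains: set[str]) -> list[dict]:
    """Flag links that leave the trusted domains or use plain HTTP.

    Each finding records the URL, its host and the reasons it was flagged,
    which is what a gateway triage rule would log for an analyst to review.
    """
    findings = []
    for url in extract_uris(pdf_bytes):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if not _is_trusted(host, trusted_domains):
            reasons.append("external-domain")
        if parsed.scheme == "http":
            reasons.append("plaintext-http")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # example.org stands in for the recipient organization's own domain
    for finding in flag_external_links(SAMPLE_PDF, {"example.org"}):
        print(finding)
```

Because the campaign's landing pages bounce the victim back to a document hosted by the targeted organization, a link that points anywhere other than the recipient's own domains is the useful signal here; the check is deliberately domain-based rather than keyed to any particular indicator.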

The scammers then use the stolen credentials to send spear phishing emails to the victim's business contacts, instantly lending credibility to the fraudulent communications.

Flashpoint suspects the culprits are based in Western Africa due to the originating IP addresses of the phishing emails, and because the actors' tactics and behaviors match those often exhibited by scammers based in this region -- including a penchant for avoiding the use of malware, and a lack of operational security practices.