New email scam targeting accounts personnel at Fortune 500 companies

Security researchers have uncovered an active Business Email Compromise (BEC) campaign targeting Accounts Payable personnel at Fortune 500 organisations. 

According to a blog post by researchers at IBM X-Force Incident Response and Intelligence Services (IRIS) team, the campaign is being executed by criminals in Nigeria and has successfully stolen millions of dollars from organisations in a major uptick in BEC scams. The campaign is focused on credential harvesting, phishing, and social engineering to steal financial assets via wire transfer from Fortune 500 organisations. 

The attackers in this BEC campaign find success in compromising legitimate email accounts without compromising the network and performing the attack largely from within these compromised accounts. The attackers are specifically targeting companies that use single-factor authentication and an email web portal, for instance, Microsoft Office 365. 

According to researchers, the following tactics were common to attacks. Phishing emails were sent either directly from or spoofed to appear to be from known contacts in the target employee's address book. Attackers mimicked previous conversations or inserted themselves into current conversations between business email users.

Attackers masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an "updated" bank account number or beneficiary.

Attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user's inbox.

In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals. Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.

X-Force IRIS assessed that the threat groups that conduct these attacks are likely operating out of Nigeria because both the spoofed sender email addresses and IP addresses used to log in to email web access portals are primarily traced to Nigeria. 

“However, it is worth noting that the same threat actors often leveraged compromised servers or revolving proxies that may be traced to other countries to mask their actual location,” said Alexandrea Berninger, global security intelligence analyst on IBM X-Force Incident Response and Intelligence Services (IRIS).

“Although the size of each individual group is unknown, the threat actors appear to have used a phishing kit to create spoofed DocuSign login pages on over 100 compromised websites. This indicates that the groups comprise more than one person each and are actively engaged in widespread phishing campaigns to harvest business user credentials,” she added.

Berninger said that implementing key security features and revisiting internal processes can help reduce the risk of being targeted by a low-tech social engineering campaign.

Nir Polak, CEO at Exabeam, told SC Media UK that getting in the middle of potentially huge transactions that normally occur entirely over email is a great example of cyber-fraudsters broadening their sights in a bid to take advantage of wherever a weak link lies. 

“The attack itself is a type of insider threat, where a trusted employee has credentials that have been compromised. To stop such cases, businesses need to be able to monitor logins or access to email services such as Google, Office 365, or OWA, looking for behavioural anomalies,” he said.

“These anomalies could include abnormal devices, IP addresses, access times and more. By building a baseline of normal behaviour for these users and their usual patterns of credential usage, it's possible to detect these impersonation attacks without the false positives that legacy email security tools tend to create because of their lack of situational awareness."

Eyal Benishti, CEO and founder of Ironscales, told SC Media UK that vigilance is key in avoiding becoming the next victim of a phishing scam. “If it looks too good to be true - it probably is. Never click on a link in unsolicited emails, and if you have even the slightest suspicion, do not interact with the email and instead seek support from your IT Security Team. Look out for typos, change in language style and other mistakes which are often tell-tale signs of a dodgy email,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.