$15 million business email scam campaign in the US exposed

The FBI is investigating the global campaign in which millions of dollars have been stolen from at least 150 victims.
Written by Charlie Osborne, Contributing Writer

The FBI is investigating a global business email compromise (BEC) campaign that has netted cybercriminals at least $15 million in illicit proceeds. 

On Wednesday, cybersecurity researchers from Mitiga said the campaign, which is ongoing, uses social engineering techniques to impersonate senior executives using Microsoft Office 365 email services. 

The Israeli incident response company said over 150 organizations -- in sectors including law, construction, finance, and retail -- have been identified as victims worldwide. The majority of those tracked so far are in the United States. 

BEC scams focus on targeting businesses and organizations through email fraud, often with financial gain in mind. Analysts estimate that in Q2 2020, the average successful BEC campaign now nets fraudsters $80,000 -- an increase from $54,000 in Q1 2020 -- but in the worst cases, financial theft can reach millions of dollars. 

It was a "multi-million-dollar global transaction," Mitiga told us, that alerted the researchers to the campaign. Emails were sent between a buyer and seller over several months, in which a threat actor impersonated "senior parties" involved in the transaction, providing alternative wire payment instructions, and vanishing with the proceeds. 

However, this single case of criminality was only one of what appears to be many widespread BEC campaigns run by one or more cybercriminal groups. 

Digital clues linked over a dozen clusters of rogue domains to the BEC campaign and the researchers say that "each cluster was a coordinated attack on its own."

Numerous rogue domains have been registered via GoDaddy's Wild West Domain registrar, and these domains mask themselves as legitimate businesses. In what is known as a homograph technique, the website addresses used to impersonate a company include alterations made via letters or symbols that would be difficult to spot -- such as the difference between 'paypal.com' and 'paypall.com.'

Office 365 accounts were then linked to email addresses associated with these domains in order to send fraudulent messages. If a victim accepted a phishing message and unwittingly executed a payload, this could also lead to their inboxes becoming compromised. 
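
A mail-filtering check for the lookalike domains described above, written as an added example and not code from Mitiga or the original article. It goes beyond the single 'paypall.com' case to cover both character substitution and one-character edits; the trusted list, the small confusables map and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately small confusables map (assumption). Production
# checks would use the full Unicode confusables data instead.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}  # Cyrillic

def skeleton(domain):
    """Fold a domain to a canonical form so visually similar names compare equal."""
    d = unicodedata.normalize("NFKC", domain.lower().rstrip("."))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            v = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                v = min(v, prev2[j - 2] + 1)  # adjacent characters swapped
            cur.append(v)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender_domain, trusted, max_dist=1):
    """Return (verdict, imitated_domain) for the domain of a message sender."""
    s = sender_domain.lower().rstrip(".")
    if s in trusted:
        return ("trusted", s)
    for t in trusted:  # same appearance, different code points or digits
        if skeleton(s) == skeleton(t):
            return ("homoglyph", t)
    for t in trusted:  # one typo away, e.g. a doubled or swapped letter
        if edit_distance(skeleton(s), skeleton(t)) <= max_dist:
            return ("near-miss", t)
    return ("unknown", None)

# Constructed sample data: domains the organization actually does business with.
TRUSTED = ("paypal.com", "contoso.com")

if __name__ == "__main__":
    for d in ("paypal.com", "paypall.com", "p\u0430ypal.com", "paypa1.com", "example.org"):
        print(d, classify(d, TRUSTED))
```

Very short trusted domains produce more near-miss false positives at distance 1, so the threshold is best tuned per domain list.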

The team believes that Microsoft's email service is being abused to reduce "suspicious discrepancies and the likelihood of triggering malicious detection filtering."

When conversations were intercepted via compromised accounts, the attackers used a forwarding rule to bounce all communication back to another attacker-controlled account. 

"This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided," the company added. 

An investigation into the widespread BEC scam is ongoing. Microsoft and relevant law enforcement agencies have been notified. 

"We are experiencing a dramatic increase -- 63% in fact -- of ransomware and BEC attacks across our customer base," Tal Mozes, Mitiga CEO, told ZDNet. "These attacks are originating mainly from African countries and are showing an increasing level of sophistication. With this specific BEC campaign, our analysts were able to identify a digital fingerprint that allowed us to identify and notify the victims, as well as alert law enforcement of threat vectors."