The FBI is investigating a global business email compromise (BEC) campaign that has netted cybercriminals at least $15 million in illicit proceeds.
On Wednesday, cybersecurity researchers from Mitiga said the campaign, which is ongoing, uses social engineering techniques to impersonate senior executives using Microsoft Office 365 email services.
The Israeli incident response company said over 150 organizations -- ranging from law, construction, finance, and retail -- have been identified as victims worldwide. The majority of those tracked so far are in the United States.
BEC scams focus on targeting businesses and organizations through email fraud, often with financial gain in mind. Analysts estimate that in Q2 2020, the average successful BEC campaign now nets fraudsters $80,000 -- an increase from $54,000 in Q1 2020 -- but in the worst cases, financial theft can reach millions of dollars.
It was a "multi-million-dollar global transaction," Mitiga told us, that alerted the researchers to the campaign. Emails were sent between a buyer and seller over several months, in which a threat actor impersonated "senior parties" involved in the transaction, providing alternative wire payment instructions, and vanishing with the proceeds.
However, this single case of criminality was only one of what appears to be many widespread BEC campaigns run by one or more cybercriminal groups.
Digital clues linked over a dozen clusters of rogue domains to the BEC campaign and the researchers say that "each cluster was a coordinated attack on its own."
Numerous rogue domains have been registered via GoDaddy's Wild West Domain registrar, and these domains mask themselves as legitimate businesses. In what is known as a homograph technique, the website addresses used to impersonate a company include alterations made via letters or symbols that would be difficult to spot -- such as the difference between 'paypal.com,' and 'paypall.com."
Office 365 accounts were then linked to email addresses associated with these domains in order to send fraudulent messages. If a victim accepted a phishing message and unwittingly executed a payload, this could also lead to their inboxes becoming compromised.
The team believes that Microsoft's email service is being abused to reduce "suspicious discrepancies and the likelihood of triggering malicious detection filtering."
When conversations were intercepted via compromised accounts, the attackers used a forwarding rule to bounce all communication back to another attacker-controlled account.
"This provided the threat actor with full visibility of the transaction and allowed for the introduction of the fake domain at just the right moment, i.e., when the wire transfer details were provided," the company added.
An investigation into the widespread BEC scam is ongoing. Microsoft and relevant law enforcement agencies have been notified.
"We're are experiencing a dramatic increase -- 63% in fact -- of ransomware and BEC attacks across our customer base," Tal Mozes, Mitiga CEO told ZDNet. "These attacks are originating mainly from African countries and are showing an increasing level of sophistication. With this specific BEC campaign, our analysts were able to identify a digital fingerprint that allowed us to identify and notify the victims, as well as alert law enforcement of threat vectors."
Previous and related coverage
- Average BEC attempts are now $80k, but one group is aiming for $1.27m per attack
- FBI: BEC scams accounted for half of the cyber-crime losses in 2019
- This phishing campaign targets executives with fake emails from their phone provider
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0