Phishing schemes net hackers millions of dollars from Fortune 500

IBM has uncovered sophisticated campaigns which are successfully targeting Fortune 500 companies.
Written by Charlie Osborne, Contributing Writer

Fortune 500 companies are losing millions of dollars due to new and sophisticated phishing scams conducted by cyberattackers, IBM has discovered.

On Wednesday, researchers from IBM's X-Force Incident Response and Intelligence Services (IRIS) team said the Business Email Compromise (BEC) scheme is currently active and is successfully targeting Accounts Payable (AP) teams at Fortune 500 companies.

In a blog post, the researchers said that after discovering evidence of the threat in Fall 2017, their analysis of the campaign led them to Nigeria, where the threat actors appear to be operating.

The BEC uses social engineering attacks and phishing emails in order to obtain legitimate credentials for enterprise networks and email accounts.

In many cases, publicly available information is used to craft messages which appeared legitimate and entice phishing victims to visit malicious domains.

It is not known how many criminals are involved in these schemes, but each appears to be using a phishing kit which creates spoofed DocuSign login pages on over 100 compromised websites to dupe users into handing over their credentials.

Phishing emails are either sent directly from or spoofed to appear as contacts in a target AP employee's address book. If legitimate email accounts are compromised, the threat actors carry previous conversations or insert themselves into active discussions after performing reconnaissance and rifling through inboxes to learn about current payments and projects.

"The attackers typically took a week between the point they gained initial access to a user's email account and the time they started setting up the infrastructure to prepare a credible ruse," IBM X-Force says. "During this time, they likely conducted extensive research on the target's organizational structure, specifically focusing on the finance department's processes and vendors."

While masquerading as legitimate contacts such as vendors or associated companies, the hackers would eventually request wire payments be sent to "updated" bank accounts or beneficiaries.

It is believed millions of dollars has been stolen to date.

The cybercriminals are nothing if not dedicated to their scams. The attackers also create mail filters and email rules to ensure communications are conducted only between them and their victims, as well as to automatically delete company messages.

"In cases where the attacker impersonates the user, the attacker would auto-delete all emails delivered from within the user's company," the researchers say. "The attackers likely did this to prevent the user from seeing any fraudulent correspondence or unusual messages in their inbox."

The criminals also sometimes monitor compromised user's inboxes to remove any messages which could expose their campaign and "in cases where additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals," according to IBM X-Force.

Victims have been identified in the retail, healthcare, professional services, and financial sectors.

This BEC is of special note as no malware was used and as legitimate employees were conducting transactions, traditional security products and protocols would not be able to detect any compromise.

The fraudsters focus on Fortune 500 companies which may be the easiest to exploit due to their company infrastructure. Special attention is given to those who use single-factor authentication and email web portals.

See also: Malware hides as LogMein DNS traffic to target point of sale systems

According to the FBI, the US Internet Crime Complaint Center (IC3) has seen a 2370 percent increase in attempted and actual BEC losses. Trend Micro predicts that BEC attacks will result in over $9 billion in losses in 2018.

5 things you should know about VPNs

Previous and related coverage

Editorial standards