BEC Group Crimson Kingsnake Linked to 92 Malicious Domains

A business email compromise (BEC) group dubbed 'Crimson Kingsnake' has recently been spotted impersonating well-known international law firms to trick recipients into approving overdue invoice payments.

As outlined in a technical write-up by cloud email security platform Abnormal, 92 malicious domains impersonating 19 law firms and debt collection agencies across the US, UK and Australia have been identified and linked to the threat actor.

"The group, which we call Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices," the company wrote.

"We've observed Crimson Kingsnake target companies throughout the United States, Europe, the Middle East, and Australia."

Abnormal also explained that, like most BEC gangs, the group is industry-agnostic and does not explicitly target companies in specific sectors.

"Intelligence collected from some of the active defense engagements we've conducted with the group indicates that at least some of the actors associated with Crimson Kingsnake may be located in the United Kingdom," reads the advisory.

Crimson Kingsnake attacks typically start with an email, purporting to come from a real attorney or law firm, that references an overdue payment.

"To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm's real domain," Abnormal said. "The display name of the sender is set to the attorney that is being impersonated, and the email signature contains the firm's actual company address."

According to Sean McNee, CTO at DomainTools, BEC attacks remain a lucrative business, and impersonating third-party vendors is the newest trend.

"Criminals are hijacking the external relationships businesses have with their suppliers, particularly those that share highly sensitive data and invoice large amounts," McNee told Infosecurity.

"Since law firms, construction firms and other such suppliers are considered trusted vendors, employees are less likely to verify their transaction requests or catch a spoofed domain."

To protect against these attacks, McNee said companies should conduct awareness training, teach employees to verify domains and establish processes requiring employees to verify all transactions and partner details before initiating transfers.

"BEC attacks that spoof third-party domains are becoming a major concern for businesses today, but with the correct tools, training and processes, organizations can remain one step ahead of attackers," McNee concluded.
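The lookalike-domain technique Abnormal describes above (a sender domain that closely resembles the firm's real one, with the display name set to the impersonated attorney) and McNee's advice to have staff verify domains both lend themselves to a simple inbound check. What follows is an added example written for this page, not code from Abnormal, DomainTools or Infosecurity Magazine. The trusted vendor domains, the contact directory and the sample sender addresses are constructed, and the homoglyph table and name-padding tokens are illustrative assumptions rather than a complete list of what the group registered.

```python
"""Flag inbound senders whose domain imitates a trusted vendor's domain.

Added example for this article; not code from Abnormal, DomainTools or
Infosecurity. The vendor domains, contacts and messages below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list: domains of vendors the accounts-payable team really pays.
TRUSTED_VENDOR_DOMAINS = {"examplelaw.com", "debtrecovery-partners.co.uk"}
# Constructed directory of known vendor contacts (lower-cased display name -> real domain).
KNOWN_CONTACTS = {"jane doe": "examplelaw.com"}

# Assumed single-character swaps that read like the original letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Assumed two-letter sequences that render like a single letter.
MULTI_CHAR_GLYPHS = {"rn": "m", "vv": "w"}
# Assumed filler tokens appended to a real name to register a free lookalike.
FILLER_TOKENS = ("llp", "legal", "law", "group", "inc", "corp")


@dataclass
class Verdict:
    trusted_domain: str
    reason: str


def skeleton(text: str) -> str:
    """Canonical form in which visually similar strings collide."""
    text = text.lower().strip(".")
    for seq, rep in MULTI_CHAR_GLYPHS.items():
        text = text.replace(seq, rep)
    return text.translate(HOMOGLYPHS).replace("-", "").replace(".", "")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplelaw' from 'mail.examplelaw.com'.

    Simplification: a two-part suffix such as co.uk is assumed when the last
    two labels are both at most three characters. Use a public-suffix list
    for real traffic.
    """
    parts = domain.lower().split(".")
    if len(parts) >= 3 and len(parts[-1]) <= 3 and len(parts[-2]) <= 3:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, max_distance: int = 2) -> Optional[Verdict]:
    """Return a Verdict if sender_domain imitates a trusted vendor domain, else None."""
    sender_domain = sender_domain.lower()
    if sender_domain in TRUSTED_VENDOR_DOMAINS:
        return None  # exact match with an allow-listed domain
    s_skel, s_label = skeleton(sender_domain), skeleton(registrable_label(sender_domain))
    for real in TRUSTED_VENDOR_DOMAINS:
        r_skel, r_label = skeleton(real), skeleton(registrable_label(real))
        if s_skel == r_skel:
            return Verdict(real, "homoglyph or hyphen variant of the real domain")
        if edit_distance(s_skel, r_skel) <= max_distance:
            return Verdict(real, "typosquat or swapped top-level domain")
        for tok in FILLER_TOKENS:
            if s_label in (r_label + tok, tok + r_label):
                return Verdict(real, f"real name padded with '{tok}'")
    return None


def check_sender(display_name: str, address: str) -> Optional[Verdict]:
    """Domain check plus the display-name check: a known contact's name on a foreign domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    verdict = lookalike_of(domain)
    if verdict:
        return verdict
    real = KNOWN_CONTACTS.get(display_name.strip().lower())
    if real and domain != real:
        return Verdict(real, "display name of a known contact on an unrelated domain")
    return None


if __name__ == "__main__":
    # Constructed inbound messages: (display name, address).
    samples = [
        ("Jane Doe", "jane.doe@examplelaw.com"),           # legitimate
        ("Jane Doe", "jane.doe@examp1elaw.com"),           # digit 1 for letter l
        ("Jane Doe", "jane.doe@examplelaw-llp.com"),       # real name padded
        ("Jane Doe", "jane.doe@examplelaw.co"),            # dropped character
        ("Jane Doe", "jane.doe@gmail.example"),            # name only, foreign domain
        ("A. Collector", "ap@debtrecovery-partners.com"),  # top-level domain swapped
        ("Vendor", "billing@unrelated-supplier.example"),  # clean
    ]
    for name, addr in samples:
        v = check_sender(name, addr)
        print(f"{addr:40} {'OK' if v is None else v.reason + ' (' + v.trusted_domain + ')'}")
```

Two caveats for anyone adapting this. With `max_distance=2`, short trusted domains will collide with unrelated short domains, so tune the threshold per allow-list entry or restrict the distance check to the registrable label. And a flag from this script is a reason to pick up the phone, not a verdict: the process McNee describes, confirming payment and bank details with the vendor through a contact number already on file before any transfer, still has to happen for every flagged and every unflagged invoice that changes where money goes.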

The Abnormal advisory comes months after Accenture published a report suggesting ransomware data theft operations are increasingly fueling BEC attacks.
