BEC Group Uses Open Source Tactics in Hundreds of Attacks

Security researchers have warned of a highly successful new business email compromise (BEC) group that has targeted hundreds of victims in the past two years using fairly unsophisticated techniques.

Dubbed “Firebrick Ostrich” by Abnormal Security, the group has been responsible for at least 347 campaigns since April 2021. Although it’s unclear how many were successful, the vendor described its hit rate as “massive.”

The group relies on open source research, such as trawling through government websites for information on existing contracts and vendors, as well as total vendor counts.

“While this information is usually limited, it at least gives an adversary a small piece of information they can exploit in an attack: the fact that there is an existing connection between the two organizations,” said Abnormal Security’s director of threat intelligence, Crane Hassold.

Once the attacker has collected this info, they will register a domain name via Namecheap or Google that looks very similar to the impersonated vendor’s legitimate domain. Because they don’t have detailed information about the vendor–customer relationship, the BEC email is usually vague – inquiring about an outstanding payment or even requesting an update to the vendor’s payment details.

Firebrick Ostrich has thus far impersonated 151 different organizations using 212 different maliciously registered domains, across a wide variety of sectors, Hassold said.

Most (60%) domains were registered on the day the BEC email was sent, providing corporate threat hunters with some useful clues.

The group’s lack of detailed insight into its targets also means it usually sends emails to centralized accounts payable distribution lists, which reach all finance employees at the same time.

If any one of them takes the bait, the fraudsters send over updated account information for them to pay into.
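A defender-side triage heuristic that combines the clues the article gives: a sender domain that is a lookalike of a known vendor, a registration date on or just before the send date, delivery to an accounts payable distribution list, and a body that chases a payment or asks for payment details to be changed. This is an added example, not Abnormal Security’s code; the vendor list, WHOIS creation dates and the sample email are constructed stand-ins for a real WHOIS lookup and mail parser.

```python
from datetime import date
from difflib import SequenceMatcher

# Constructed: domains of vendors the organisation actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-traders.example"}
# Constructed: stands in for WHOIS creation dates (domain -> registration date).
WHOIS_CREATED = {
    "acme-supplles.example": date(2023, 1, 31),  # lookalike, registered on send day
    "acme-supplies.example": date(2012, 5, 3),   # the real vendor
}
AP_LIST_HINTS = ("accountspayable", "payables", "invoices", "ap@")
PAYMENT_CHANGE_PHRASES = ("update our payment", "new bank", "banking details",
                          "remittance", "outstanding payment")


def is_lookalike(domain, vendors=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """True if domain closely resembles a known vendor domain but is not one."""
    if domain in vendors:
        return False
    return any(SequenceMatcher(None, domain, v).ratio() >= threshold for v in vendors)


def domain_age_days(domain, sent_on, whois=WHOIS_CREATED):
    """Days between registration and sending; None if no WHOIS record is known."""
    created = whois.get(domain)
    return None if created is None else (sent_on - created).days


def score_bec(sender_domain, recipients, body, sent_on):
    """Return (score, reasons): one point per Firebrick Ostrich-style indicator."""
    reasons = []
    if is_lookalike(sender_domain):
        reasons.append("sender domain is a lookalike of a known vendor domain")
    age = domain_age_days(sender_domain, sent_on)
    if age is not None and age <= 7:  # 60% of the group's domains were same-day
        reasons.append(f"sender domain registered {age} day(s) before sending")
    if any(h in r.lower() for r in recipients for h in AP_LIST_HINTS):
        reasons.append("addressed to an accounts payable distribution list")
    if any(p in body.lower() for p in PAYMENT_CHANGE_PHRASES):
        reasons.append("chases a payment or requests new payment details")
    return len(reasons), reasons


# Constructed sample message matching the pattern described in the article.
SAMPLE_EMAIL = {
    "sender_domain": "acme-supplles.example",
    "recipients": ["accountspayable@contoso.example"],
    "body": "Please update our payment details to the new bank account below "
            "so the outstanding payment can be settled.",
    "sent_on": date(2023, 1, 31),
}


def demo():
    return score_bec(**SAMPLE_EMAIL)
```

A score of 3 or 4 is a reasonable threshold for routing the message to a human before any payment change is actioned.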

“What makes this group fairly unique is that they have seen massive success even without the need to compromise accounts or do in-depth research on the vendor–customer relationship,” Hassold concluded.

“By using fairly obvious social engineering tactics, they can discover everything they need in order to run a successful BEC campaign – without investing any significant time or resources into the initial research.”
