A massive business email compromise (BEC) campaign is targeting Fortune 500 firms with well-crafted phishing emails that steal credentials and then use them to divert wire payments.
According to the IBM X-Force Incident Response and Intelligence Services (IRIS), criminals of likely Nigerian origin are behind the widespread credential harvesting, phishing and social engineering initiative designed to steal financial assets.
Beginning in the fall of 2017, X-Force IRIS started seeing a significant increase in clients reporting fraud or attempted fraud via wire transfer payments. Attackers in these cases rely on stolen email credentials and solid social engineering; there is no need to infiltrate the corporate network to defraud a company, so the BEC scam involves little to no technical knowledge, malware or special tools.
The “whaling” attempts followed a common pattern: Convince accounts payable personnel at Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
X-Force IRIS said that phishing emails are sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book; the phish is often sent to several hundred contacts at a time and is engineered to look legitimate to the spammed contacts. However, this isn’t a spray-and-pray effort. Researchers said that before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
Attackers also mimicked previous conversations or inserted themselves into current conversations between business email users. They then masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary. In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.
They also created inbox rules (mail filters) in the compromised accounts to keep the conversation between the attacker and the victim only, for example by hiding or diverting replies so the account's real owner never saw them, and, in some cases, to forward mail so they could monitor the compromised user's inbox.
The effort also has two separate but connected goals.
“The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control,” said researchers in a blog.
In terms of the size of the threat, the bad actors appear to have used a phishing kit to create spoofed DocuSign login pages on over 100 compromised websites. X-Force IRIS researchers identified targeted companies in the retail, healthcare, financial and professional services industries, among others.
“Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise,” researchers said.
Businesses can avoid getting hooked in a whaling attempt by implementing two-factor authentication (2FA) for email account logins, adding banners that flag messages arriving from external email addresses, and blocking the ability to auto-forward email outside of the organization. Auditing mailboxes for newly created inbox rules that forward externally or silently delete or move messages is a natural complement, since those rules are the attackers' main tool for hiding their activity.
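As an added illustration (not code from the IBM X-Force IRIS report or from this article), the following Python script audits a mailbox's inbox rules for the two tells described above: rules that forward or redirect to an address outside the organization, and rules that quietly hide finance-related mail by deleting it, marking it read or moving it into a folder nobody checks. It assumes rule objects loosely shaped like Microsoft Graph `messageRule` records, with folder names used in place of folder IDs for readability; the sample rules and the `example.com` domain are constructed for the demonstration.

```python
"""Audit inbox rules for BEC-style tampering.

Added example, not part of the original article or the X-Force report.
Assumptions: rule dicts resemble Microsoft Graph messageRule objects
(displayName / conditions / actions), folder names stand in for folder IDs,
and the sample rules below are constructed, not taken from a real incident.
"""

# Domains the organization owns; anything else is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# Terms that typically appear in the vendor-payment threads attackers hijack.
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "bank", "remittance", "beneficiary")

# Folders where a rule can park mail so the real owner is unlikely to read it.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}


def _domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(actions, internal_domains=INTERNAL_DOMAINS):
    """List forward/redirect recipients that are outside the organization."""
    targets = actions.get("forwardTo", []) + actions.get("redirectTo", [])
    return [a for a in targets if _domain(a) not in internal_domains]


def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a list of findings for one rule; an empty list means nothing odd."""
    findings = []
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})

    # 1. External auto-forwarding: lets the attacker watch the inbox after
    #    the password is changed and is the control most often recommended.
    ext = external_targets(actions, internal_domains)
    if ext:
        findings.append("forwards or redirects to external address: " + ", ".join(ext))

    # 2. Silent handling of finance mail or mail from specific senders:
    #    the rule keeps the victim's replies away from the real account owner.
    folder = actions.get("moveToFolder", "").lower()
    hides_mail = bool(actions.get("delete")) or bool(actions.get("markAsRead")) \
        or folder in HIDDEN_FOLDERS
    text_conditions = [s.lower() for s in conditions.get("subjectContains", [])
                       + conditions.get("bodyContains", [])]
    finance_match = any(k in s for s in text_conditions for k in FINANCE_KEYWORDS)
    sender_match = bool(conditions.get("fromAddresses"))
    if hides_mail and (finance_match or sender_match):
        findings.append("hides mail matching finance keywords or specific senders")

    # 3. Attackers often leave the rule name blank or a single punctuation mark.
    if rule.get("displayName", "").strip(" .,-_") == "":
        findings.append("rule has an empty or placeholder name")

    return findings


def audit_mailbox(rules, internal_domains=INTERNAL_DOMAINS):
    """Map each suspicious rule's displayName to its findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        if findings:
            report[rule.get("displayName", "")] = findings
    return report


# Constructed sample rules for a compromised accounts-payable mailbox.
SAMPLE_RULES = [
    {"displayName": ".",
     "conditions": {},
     "actions": {"forwardTo": ["ap.backup@mail-example.net"]}},
    {"displayName": "Vendor thread",
     "conditions": {"fromAddresses": ["billing@vendor-example.net"],
                    "subjectContains": ["Invoice"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"displayName": "Newsletters",
     "conditions": {"fromAddresses": ["news@example.com"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Cover for vacation",
     "conditions": {},
     "actions": {"forwardTo": ["colleague@example.com"]}},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}:")
        for f in findings:
            print("    -", f)
```

The third rule (a newsletter filter) and the fourth (an internal forward) produce no findings, which is the point of keying on external destinations and finance-related conditions rather than on the mere presence of a rule; in practice the same checks would be run over rules pulled from the mail platform's admin API, with the internal domain list taken from the tenant's accepted domains.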
They can also prevent fraud the old-fashioned way: by picking up the phone to verify transfer requests before initiating them, calling a number already on file for the vendor rather than one supplied in the email that made the request.