Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.
Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.
Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani. These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer. Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works. It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.
With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills. But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button. The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly suspicious messages. We knew that we should have a look right away at her report, shown in Figure 1 below. The subject line of the message was the accountant’s first name, and the salutation included her first name.
Figure 1 Initial message from BEC phisher
Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help, as seen in Figure 2 below, where the phisher responded right away with his plea for money to cover a secret international acquisition. (Ah! The Intrigue!)
Figure 2 BEC phisher makes plea for a wire transfer
In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.” She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher. Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.
Figure 3 The BEC phisher sends wire transfer instructions
Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location. From the phisher’s point of view, the link redirected to the login page for the bank hosting the mule account.
The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more. In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.
Figure 4 The BEC phisher returns the next day to request more money
The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.
Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity. It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th, the same day as the first spam message to PhishMe, using the email address email@example.com. When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.
We took the list of domain names and guessed at which real company each domain was meant to imitate. We then notified the administrative contacts of record for those legitimate domain names. Though there were a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.
We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains. We notified 1&1 on December 19th and requested that all the names be de-activated. (see list at this link)
Though the song remains the same, phishers constantly evolve their tactics to improve their odds. In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message. He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured. Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO: it was a secret deal that only the “CEO” could know about.
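Two of the points above lend themselves to a small detection routine: matching a batch of newly registered domains against the legitimate domains they imitate (the 69-then-156 lookalike list), and classifying an inbound From: header without relying on subject-line keywords, since this phisher avoided “urgent” and “wire”. The script below is an added example written for this post, not PhishMe’s tooling. It assumes a plain name.tld domain layout, a short homoglyph table (0/o, 1/l, rn/m, vv/w) and a Levenshtein threshold of 2; phishme.com, phislhme.com and the executive names come from the post, while every other domain and address is constructed for illustration.

```python
"""Flag lookalike domains and suspicious From: headers for BEC triage.

Added example, not PhishMe's code. Only phishme.com, phislhme.com and the
executive names appear in the post; all other domains/addresses are constructed.
"""
import email.utils
from typing import Dict, List, Optional, Tuple

# Characters commonly swapped in typosquats; applied before comparing labels.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

OUR_DOMAIN = "phishme.com"
EXEC_NAMES = {"rohyt belani", "sam hahn"}  # names from the post


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete or substitute, each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(domain: str) -> str:
    """Second-level label: 'phislhme.com' -> 'phislhme'.
    Assumes name.tld; public-suffix cases such as .co.uk are out of scope."""
    return domain.lower().strip(".").split(".")[-2]


def normalize(label: str) -> str:
    """Collapse homoglyphs so 'examp1e' and 'acrne' compare as 'example', 'acme'."""
    for glyph, canon in HOMOGLYPHS.items():
        label = label.replace(glyph, canon)
    return label


def closest_legit(candidate: str, legit_domains: List[str],
                  max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Nearest legitimate domain within max_distance, as (domain, distance).
    Returns None for an exact match (not a lookalike) or no close match."""
    if candidate.lower() in {d.lower() for d in legit_domains}:
        return None
    cand = normalize(sld(candidate))
    best: Optional[Tuple[str, int]] = None
    for legit in legit_domains:
        d = levenshtein(cand, normalize(sld(legit)))
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best


def flag_lookalikes(registered: List[str], legit_domains: List[str],
                    max_distance: int = 2) -> Dict[str, Tuple[str, int]]:
    """Map each registered domain that imitates a legitimate one to its match."""
    hits = {}
    for dom in registered:
        match = closest_legit(dom, legit_domains, max_distance)
        if match:
            hits[dom] = match
    return hits


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'ok', 'lookalike-domain',
    'exec-name-external-domain' or 'external'. No subject keywords are used."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OUR_DOMAIN:
        return "ok"
    if closest_legit(domain, [OUR_DOMAIN]):
        return "lookalike-domain"
    if name.strip().lower() in EXEC_NAMES:
        return "exec-name-external-domain"
    return "external"


# Constructed sample data (phishme.com / phislhme.com are from the post).
LEGIT = ["phishme.com", "example-corp.com", "acme-widgets.com"]
REGISTERED = ["phislhme.com", "examp1e-corp.com", "acrne-widgets.com",
              "unrelated-site.com", "phishme.com"]

if __name__ == "__main__":
    for dom, (legit, dist) in flag_lookalikes(REGISTERED, LEGIT).items():
        print(f"{dom:22} imitates {legit} (edit distance {dist})")
    for hdr in ["Rohyt Belani <ceo@phislhme.com>", "Rohyt Belani <ceo@webmail.example>",
                "Sam Hahn <cfo@phishme.com>"]:
        print(f"{hdr:40} -> {check_sender(hdr)}")
```

The homoglyph pass is what catches registrations such as the constructed examp1e-corp.com at distance 0; the edit-distance pass catches an inserted letter like phislhme.com at distance 1. A header whose display name is an executive but whose domain is neither ours nor a lookalike is still worth a second look, which is why it gets its own label rather than being lumped in with ordinary external mail.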
We also want you to understand that this does not just affect large companies. Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons. And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.
PhishMe also wants everyone to understand how simple but effective these scams can be. Learn how to spot them, and make sure your employees are great reporters. Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.