Threat Actor Attempt At Auditing: New Business Email Compromise Tactic
By Noah Mizell and Ashley Tran, Cofense Phishing Defense Center
The tactics used for conversations in business email compromises (BEC) can vary based on topics that often appear specific to a fellow coworker or to a collaboration on a private task for the CEO or other high–ranking executive. The members of the Cofense PDC are all too familiar with, for example, the line, “I want to surprise the staff with gifts.” However, threat actors have caught on to the fact that their tactics are not so secret anymore, and are well documented. With this newfound awareness comes the need to evolve methods. As noted in previous Cofense blogs, this can involve soliciting end users for sensitive revenue and customs details or, in the case shown in Figure 1, posing as an audit for open invoices between two companies.details or in this case posing as an audit for open invoices between two companies.
Figure 1: Email Body
In Figure 1, it can be noted that an email has been forwarded by an external user who had suspicions regarding the email seen under “Begin forwarded message.” The initial email is a request detailing the need to update the impersonated company’s “account record” for the forwarding user’s company, and asks for details on “any unpaid payments or an invoice due till date.” Following this request is the forged – yet convincing – email signature for that impersonated company’s chief financial officer, complete with logo.
Because this email was forwarded, the sender details can be seen in the body of the email. The threat actor has spoofed the sender email to appear as though it really did originate from the impersonated company: [email protected][REDACTEDCOMPANY].com. However, the actual email behind this attack is in the reply-to section of this email: [email protected]
The goal of this scam is simple – to obtain the invoice information and utilize it in a follow-up attack. This attack would reference the specific confidential information that was attained to get payment in the name of the impersonated company. Although the subject and wording of this BEC is different from the typical gift card request, or favor for the CEO, the impact most likely to result remains the same: financial crime.