When most people think about the origin of a cyberattack, the image is that of a hacker using some kind of exploit against software or hardware in order to gain unauthorized access to systems. The hacker is seeking data to exfiltrate and monetize, either through re-sale on the darknet or extortion through ransomware.
While most of the headlines focus on the scourge of ransomware, a far less technically sophisticated form of fraud is also rampant: invoice fraud and business impersonation, which the FBI classifies as a form of “Business Email Compromise” (BEC).
The IC3 2021 Annual Report indicates that BEC is one of the most costly forms of cybercrime, with reported losses of around $2.4 billion in 2021. The high profit potential and low technical barrier to entry mean this form of crime will not slow down, and it is likely to increase as the scam campaigns' methods become more elaborate.
Invoice fraud and business impersonation are ruses that have been used to steal money since the beginning of long-distance correspondence. The Internet has brought new twists to these old schemes. Where old-style scams would use physical letters, new ones will use email or SMS. Where old-style scams would use fake letterhead, new-style scams use fake domain names and fake phone numbers.
Overall, the fraudster’s goal is simple: trick people into sending money. To accomplish this, the fraudster will leverage nothing more than social engineering.
As such, every company is a potential target of a BEC attack. The attackers rely solely on deceiving an employee rather than hacking a computer.
SecurityScorecard has observed an uptick in reported incidents resulting from BEC-style fraud activity.
Recently Observed Social Engineering Attacks
Gift card scam targeted employees of a business
- We observed a variant of the gift card scam targeting businesses and their employees, in addition to the more common, widespread targeting of individuals.
- A stark difference in the variant that targets businesses is the amount of research attackers put into their targets in order to appear authentic. Attackers study LinkedIn and other public resources to deduce organizational structure and third-party business connections, and study posted social media content to build the pretext for their attack and emulate the writing style and tone of the person they are impersonating.
- An observed incident targeting a business involved the sending of bulk SMS messages to the personal phone numbers of the company’s employees, impersonating the CEO.
- The attacker described a falsified urgent situation and asked the targets to obtain gift cards and provide them with the gift card’s codes.
- The ruse involved a plausible premise: the company “needed to raffle off gift cards” at an event, the CEO did not have the cards with them, and the cards had to be obtained urgently.
- Urgency and impersonated authority are the two levers attackers rely on to steer the target into buying the gift cards before anyone verifies the request.
- In the business variant the impersonated party is an authority figure at work; in the variant aimed at individuals it is an authority figure in society (such as the police or a tax collector) or someone the target knows.
- The attackers successfully obtained gift card codes from at least one employee who was deceived into purchasing the gift cards from the nearest store.
Invoice fraud scam targeted an accounting department
- We observed a BEC scam targeting a company’s accounting department for the purpose of obtaining a fraudulent ACH transfer.
- The incident's campaign used a multi-phase approach in which the attackers invested effort in the pretext before asking for money.
- In phase one, the scammer posed as the CEO in a spoofed email to the accounting department and made a seemingly innocuous request: a spreadsheet of unpaid vendors/third-party service providers along with the outstanding balance owed to each. One employee fell for the ruse and sent the attacker a list of vendor names and outstanding balances.
- In phase two, the scammers registered an impersonation domain name nearly identical to that of one of the vendors on the newly obtained list. The attackers used the impersonation domain name to send a new email to the same accounting department requesting an update of that vendor's bank account information along with remittance of payment. The attackers were attempting to change the bank information to their own and collect the payment.
- The fake invoice included logos, employee names, and amounts due that matched what was listed on internal systems. The matching resulted from the successful pretexting when impersonating the CEO and follow-up research attackers conducted after a successful phase one of the attack.
- This attack was thwarted during phase two due to the reporting of phase one by other employees who had received the original email, as well as change controls that are in place for billing updates.
- There was no use of malware or attempted unauthorized access to target company systems. The attacker's success was reliant solely on social engineering techniques.
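The phase-two lure above works because the attacker's domain is nearly identical to the real vendor's. The check below, added here as an example and not code from SecurityScorecard or the original post, compares an inbound sender's domain against an allowlist of known vendor domains and flags near-matches: homoglyph substitutions (0 for o, rn for m), accented or punycode-encoded characters, one-character typos, a swapped top-level domain, or the vendor name embedded in a longer domain. The vendor domains and sender addresses are constructed placeholders, and the edit-distance threshold and substring rule are assumptions to tune for your own vendor list.

```python
"""Flag inbound sender domains that look like a known vendor's domain.

Added example (not from the original post). Vendor domains and sample
senders are constructed; the thresholds below are assumptions to tune.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: the vendor domains accounting actually pays (hypothetical names).
VENDOR_DOMAINS = {"acme-supplies.com", "northwind.example", "contoso.net"}

# Single characters that render alike in common fonts; attackers swap them in.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})
# Multi-character look-alikes, folded after the single-character map.
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def domain_of(address: str) -> str:
    """Extract the domain from a From/Reply-To header value such as 'AP <ap@x.com>'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def normalize(domain: str) -> str:
    """Fold a domain into a form in which visually confusable spellings collide."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")  # decode punycode (xn--) labels
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as-is
    # Strip accents: NFKD splits "é" into "e" plus a combining mark; drop the mark.
    domain = "".join(c for c in unicodedata.normalize("NFKD", domain)
                     if not unicodedata.combining(c))
    domain = domain.translate(_HOMOGLYPHS)
    for pair, single in _DIGRAPHS:
        domain = domain.replace(pair, single)
    return domain


def second_level(domain: str) -> str:
    """The part attackers usually alter: everything before the final label.
    Simplification: treats 'example.co.uk' as SLD 'example.co' (assumption)."""
    labels = domain.split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using the classic two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, vendors=VENDOR_DOMAINS, max_edits: int = 1):
    """Return ('exact', vendor), ('lookalike', vendor) or ('unknown', None)."""
    raw = sender_domain.strip().lower().rstrip(".")
    if raw in vendors:
        return ("exact", raw)
    sender = normalize(raw)
    sender_sld = second_level(sender)
    for vendor in sorted(vendors):
        v = normalize(vendor)
        v_sld = second_level(v)
        if sender == v:  # identical once homoglyphs/accents are folded (acrne-, c0ntoso)
            return ("lookalike", vendor)
        if levenshtein(sender_sld, v_sld) <= max_edits:  # typo or swapped TLD
            return ("lookalike", vendor)
        if len(v_sld) >= 5 and v_sld in sender_sld:  # vendor name embedded in a longer name
            return ("lookalike", vendor)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sender addresses a payment-change request might arrive from.
    for header in ("Acme AP <ap@acme-supplies.com>", "Acme AP <ap@acrne-supplies.com>",
                   "Acme AP <ap@acme-suppIies.com>", "Acme AP <ap@acme-supplies.co>",
                   "Billing <billing@northwind-payments.example>", "AP <ap@c0ntoso.net>",
                   "Someone <someone@gmail.com>"):
        verdict, vendor = classify_sender(domain_of(header))
        print(f"{header:50} -> {verdict:9} {vendor or ''}")
```

Run the check against the From header and, separately, against Reply-To, since a spoofed From can carry a legitimate vendor domain while replies are routed to the attacker's lookalike. A "lookalike" verdict on any message asking to change bank details should route the message to the same manual verification step as a change-control request, not just to a warning banner.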
Mitigation & Prevention Suggestions
- Whenever faced with an unsolicited, urgent SMS or email that appears to come from a familiar person or authority figure and requests information or money, contact the person or entity being impersonated to verify the request, using a phone number or address you already have on file rather than the contact details supplied in the message.
- Enabling external-sender banners or tags in the company's mail system flags messages that claim to come from the CEO or other senior executives but actually originate outside the organization.
- A company's employees are truly the first line of defense in identifying and mitigating social engineering attacks. Continuous threat awareness through regularly scheduled training and simulation exercises is crucial, as is an immediate, direct process for employees to report suspicious incoming communications.
Even with all the advancements in security and defense technologies, both physical and digital, the nature of the scammer's game remains unchanged: marking the unaware, having the mark assist in their own victimization, and then disappearing into the shadows with the ill-gotten profits.
Advancements in communication technologies have enabled the scam game to reach an organized, international level over the last century. Social engineering attacks do not require software exploitation or malware to be costly and damaging. At its core, a social engineering cyberattack is a form of confidence trick.
SecurityScorecard offers a 360-degree approach to security prevention and response. For more information, request a demo. SecurityScorecard's threat research and intelligence could be the competitive advantage organizations need to stay ahead of today's fast-moving threat actors.
For more custom insights on a regular basis through our team's 100+ years of combined threat research and investigation experience, or more details on these findings and the other keywords that were provided, please contact Ranell Gonzales for a discussion of our Cyber Risk Intelligence (CRI) offering. If you have already suffered a breach, SecurityScorecard's Digital Forensics Solutions can empower your post-breach actions.