More Than 1,000 Companies Targeted in New Business Email Compromise Scam

More than 1,000 companies worldwide have been targeted in a business email compromise (BEC) campaign that has been running since March 2020.

The scam was uncovered by researchers at Trend Micro who report that more than 800 sets of Office 365 credentials have been compromised so far. Trend Micro has attributed the campaign to a cybercriminal group called Water Nue. While the group is not particularly technically sophisticated, the attacks have proven to be successful and the gang is extremely proficient.

Trend Micro identified the campaign when it appeared that a large number of email domains were being used to phish for credentials and most of the victims were individuals in high corporate positions.

The attackers target the Office 365 accounts of executives, particularly those working in finance. Cloud-based email distribution services are used to send emails containing malicious hyperlinks that direct the recipient to a fake Office 365 login page.

The emails claim a voicemail message has been left and a hyperlink is included that must be clicked to listen to the message. Clicking the link directs the recipient to a fake Office 365 domain that requires credentials to be entered to listen to the message. The credentials are harvested using a PHP script and are used to access executives’ email accounts. Fake invoices and documents are then created and sent to lower level employees.

Since the emails are sent from a known executive’s email account, the invoices are often paid without being questioned. The payments are sent to bank accounts under the control of the scammers. When the phishing attacks are discovered and domains are blacklisted, the group changes their infrastructure and uses new domains to continue their campaign.

Trend Micro said the phishing tools used by the group are basic, no malware is distributed, and cloud services such as SendGrid are used to obfuscate their operation. “The use of cloud services allowed them to obfuscate their operations by hosting infrastructures in the services themselves, making their activities tougher to spot for forensics. This tactic has become more commonplace among cybercriminals,” explained Trend Micro.

The campaign is ongoing, and the recent attacks indicate executives in companies in the United States and Canada are being targeted.

Since the emails do not include malicious attachments, they are often not identified as malicious by traditional security solutions and are delivered to inboxes. It is therefore important to ensure that all employees are educated about the threat and told to be on high alert and to scrutinize all emails they receive. Training should be provided to everyone from the CEO down on how to identify the scams and the actions that should be taken when a suspicious email is received. A system should also be implemented that includes multiple signoffs and verification protocols for invoices. Trend Micro also recommends turning on mail inspection for messages from sendgrid[.]net

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.