The FBI is investigating a global BEC (Business Email Compromise) fraud campaign through which cybercriminals have earned at least $15 million.
Security investigators from the Israeli incident response company Mitiga said yesterday that the ongoing campaign uses social engineering techniques to impersonate senior executives who use Microsoft Office 365 email services.
Mitiga stated that more than 150 organizations in various sectors (legal, construction, financial, retail, etc.) worldwide are among the victims of the campaign. Most of the victims recorded so far are in the USA.
BEC scams mostly target businesses and organizations and are usually financially motivated. Analysts estimate that in the second quarter of 2020 the average successful BEC fraud netted $80,000, up from $54,000 in the first quarter of 2020. The proceeds of a single BEC scam can, however, reach millions of dollars.
Mitiga described the campaign as a "multi-million dollar global transaction". Emails passed between buyer and seller for several months, during which the cybercriminals impersonated "senior parties" involved in the transaction, supplied alternative bank transfer payment instructions, and eventually disappeared with the proceeds.
This is only one of several BEC campaigns run by one or more hacking groups, and dozens of rogue domains are associated with it. Many of them were registered through GoDaddy's Wild West Domains and are listed as legitimate businesses. In what is known as the homograph technique, the lookalike addresses used to impersonate a company differ from the real ones by letters or symbols that are hard to spot, such as "Paypal.com" versus "paypall.com" (strictly speaking a doubled letter is a typosquat rather than a homograph, but the effect on the reader is the same). Office 365 accounts were then tied to email addresses on these domains and used to send the fraudulent messages. If a victim opened a phishing email and unknowingly executed a payload, their own mailbox could be compromised as well.
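One way to catch the lookalike domains described above before a payment instruction is acted on is to compare the sender's registrable domain against a short list of domains you care about. The script below is an added example written for this article, not Mitiga's tooling; the protected list, the homoglyph table and every candidate domain except paypal.com and paypall.com are assumed for illustration. It folds each label to a "skeleton" (accent stripping, common digit-for-letter swaps, doubled letters collapsed) so that paypall.com and paypa1.com collide with paypal.com, and falls back to an edit distance that counts adjacent transpositions as one edit, so payapl.com is caught too.

```python
"""Flag sender domains that impersonate a protected domain (lookalike detection).

Added example for this article; not Mitiga's code. The protected list, the
homoglyph table and the candidate domains are assumptions for illustration.
"""
import re
import unicodedata

# Domains we do not want impersonated (assumed list).
PROTECTED = ("paypal.com", "microsoft.com")

# Substitutions registrants use so a label reads like the brand (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Fold a label so visually similar spellings collapse to the same string."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", s)  # paypall -> paypal


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Return (registrable label, tld). Simplified: unaware of public suffixes such as co.uk."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(domain: str):
    """Return (protected domain, reason) when `domain` looks like an impersonation, else None."""
    if domain.lower() in PROTECTED:
        return None
    label, _tld = split_domain(domain)
    for good in PROTECTED:
        glabel, _ = split_domain(good)
        if skeleton(label) == skeleton(glabel):
            # same label under a different TLD, or a homoglyph/doubled-letter variant
            return good, "tld-swap" if label == glabel else "skeleton-match"
        if osa_distance(label, glabel) <= 1:
            return good, "edit-distance"  # one typo or one swapped pair of letters
        if glabel in label:
            return good, "brand-embedded"  # e.g. paypal-secure.com
    return None


if __name__ == "__main__":
    # Candidate sender domains; only paypal.com and paypall.com come from the article.
    for candidate in ("paypal.com", "paypall.com", "paypa1.com", "payapl.com",
                      "paypal.net", "paypal-secure.com", "mitiga.io"):
        print(f"{candidate:20} -> {classify(candidate)}")
```

Run it against the sender domain of every inbound message that mentions payment details; a hit is not proof of fraud, but it is exactly the kind of "suspicious difference" the article says the attackers rely on nobody noticing.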
According to the researchers, Microsoft's email service is abused because mail sent from genuine Office 365 accounts shows fewer "suspicious differences" and is less likely to trigger malware detection filters.
Where conversations passed through compromised accounts, the attackers set up a forwarding rule that copied all communication to another account under their control. This gave the intruders full visibility of the transaction and let them introduce the fake domain at the right moment, i.e. when the bank transfer details were being provided. Such rules persist until they are explicitly removed, so resetting the victim's password alone does not end the attacker's visibility.
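The forwarding rule is the one artefact of this technique that lands in a log the defender already has: Office 365 records New-InboxRule, Set-InboxRule and Set-Mailbox operations, including their parameters, in the Unified Audit Log. The script below is an added example, not Mitiga's tooling or anything from the article; it walks over a few constructed and simplified audit records (real ones carry more fields) and scores any rule that forwards mail outside the assumed tenant domain, raising the score when the rule also hides the forwarded mail, has a blank or one-character name, or keys on payment-related subject words.

```python
"""Hunt for external mail-forwarding rules in Office 365 Unified Audit Log records.

Added example for this article; not Mitiga's code. INTERNAL_DOMAINS and the
SAMPLE_LOG records are constructed for illustration and simplified.
"""
import json
import re

INTERNAL_DOMAINS = {"victim-example.com"}  # assumed tenant domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "StopProcessingRules"}
KEYWORDS = ("invoice", "payment", "wire", "bank", "transfer", "remittance")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

# Constructed sample: one line per audit record, shaped like Exchange admin audit entries.
SAMPLE_LOG = r"""
{"CreationTime":"2020-09-10T08:12:41","Operation":"New-InboxRule","UserId":"cfo@victim-example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[SMTP:finance.desk1@example.net]"},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-09-10T08:15:02","Operation":"Set-Mailbox","UserId":"cfo@victim-example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"ForwardingSmtpAddress","Value":"smtp:finance.desk1@example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2020-09-11T09:00:00","Operation":"New-InboxRule","UserId":"alice@victim-example.com","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Move newsletters"},{"Name":"From","Value":"news@vendor-example.org"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2020-09-11T09:05:00","Operation":"New-InboxRule","UserId":"bob@victim-example.com","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Copy to assistant"},{"Name":"ForwardTo","Value":"[SMTP:assistant@victim-example.com]"}]}
"""


def param_map(record: dict) -> dict:
    """Flatten the Parameters array [{Name, Value}, ...] into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def analyse(record: dict):
    """Return a finding dict for a record that forwards mail externally, else None."""
    params = param_map(record)
    targets = [addr for name in sorted(params.keys() & FORWARD_PARAMS)
               for addr in EMAIL_RE.findall(params[name])]
    external = sorted({a for a in targets if a.split("@")[1].lower() not in INTERNAL_DOMAINS})
    if not external:
        return None
    score, reasons = 3, ["forwards to external " + ", ".join(external)]
    hidden = sorted(n for n in params.keys() & HIDE_PARAMS if params[n].lower() == "true")
    if hidden:
        score += 2
        reasons.append("hides forwarded mail (" + ", ".join(hidden) + ")")
    name = params.get("Name", "")
    if record["Operation"].endswith("InboxRule") and len(name.strip(" .,_-")) < 3:
        score += 1
        reasons.append("rule name is blank or a single character")
    hits = [k for k in KEYWORDS if k in params.get("SubjectContainsWords", "").lower()]
    if hits:
        score += 2
        reasons.append("matches payment keywords " + ", ".join(hits))
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "ip": record.get("ClientIP"), "operation": record["Operation"],
            "score": score, "reasons": reasons}


def hunt(log_text: str) -> list:
    """Parse newline-delimited JSON records and return findings, highest score first."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = analyse(json.loads(line))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['score']}] {f['time']} {f['user']} from {f['ip']} ({f['operation']})")
        for r in f["reasons"]:
            print("      -", r)
```

In the sample the CFO's rule scores highest because it combines every signal at once; the assistant's rule is ignored because it stays inside the tenant. The same scoring applies to exported records from Search-UnifiedAuditLog, and the ClientIP field is what lets you tell the attacker's rule from one the user created at their desk.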
The investigation into the widespread BEC fraud campaign is ongoing, and Microsoft and the relevant law enforcement agencies have been notified.
Tal Mozes, CEO of Mitiga, told ZDNet: "We are facing a dramatic increase (63%) in ransomware BEC fraud attacks and incidents throughout our customer base. These attacks come mainly from African countries and have an increasing level of complexity. With this particular BEC fraud campaign, our analysts have been able to detect a digital fingerprint that has allowed us to identify and alert victims, as well as law enforcement agencies, to the threat actors."