The FBI is warning private-sector companies about business email compromise (BEC) scammers who impersonate construction companies to target organizations across many US critical infrastructure sectors. BEC scammers use a range of tactics, including social engineering and phishing, to compromise or spoof business email accounts, with the ultimate goal of redirecting outstanding or future payments to bank accounts under their control.
The FBI issued the warning in a TLP:GREEN Private Industry Notification (PIN) sent on 9 June to help cybersecurity professionals defend their organizations against these active attacks. According to the bureau, the threat actors exploit the business relationships of construction companies to deceive those companies' customers in the private and public sectors.
These attacks are part of a campaign that began in March and has already caused financial losses ranging from hundreds of thousands to millions of dollars.
To make their attacks succeed, BEC scammers use information gathered from online services about the impersonated construction companies and their targeted customers.
Platforms used to collect valuable data (e.g. contact details, bid data and project costs) include, but are not limited to, local and state government budget data portals,
The information collected allows the intruders to tailor their emails to exploit the business relationship between the victims and the construction contractors.
The scammers send emails asking targets to update their direct deposit and Automated Clearing House (ACH) account details; the new details point to bank accounts the scammers control.
These emails are sent from domains that spoof the contractors' legitimate websites and reuse the companies' real logos and graphics, to reduce the chance that victims recognize the messages as fraudulent.
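The two signals described above, a sender domain that imitates a known contractor and a request to change ACH or deposit details, can be checked mechanically at the mail gateway. The following is an added example written for this page; it is not code from the FBI notice or from bleepingcomputer. The trusted contractor domains, the sample messages and the homoglyph table are constructed for illustration, and the "last two labels" rule for the registrable domain is a simplification (a public suffix list would be needed for suffixes such as .co.uk).

```python
"""Flag payment-change requests that arrive from lookalike contractor domains.

Added example: all domains and messages below are constructed, not real mail.
"""
import re
import unicodedata
from typing import Optional

# Assumption: the organization keeps an allowlist of its real contractors' domains.
TRUSTED_DOMAINS = {"acme-construction.example", "northbuild.example"}

# Character swaps typosquatters rely on; applied to labels before comparing them.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                 ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

PAYMENT_RE = re.compile(r"\b(ach|wire|routing|remit(?:tance)?|bank|deposit)\b", re.I)
CHANGE_RE = re.compile(r"\b(updat\w*|chang\w*|new|switch\w*)\b", re.I)


def sender_domain(from_header: str) -> str:
    """Extract and lowercase the domain from a From header like 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def normalize_label(label: str) -> str:
    """Fold punycode/accented characters and digit homoglyphs to plain ASCII."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for a, b in SUBSTITUTIONS:
        label = label.replace(a, b)
    return label


def registrable(domain: str) -> str:
    """Last two labels (simplification; no public suffix list is consulted)."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender imitates, or None.

    A trusted domain itself, or one of its own subdomains, is never a lookalike."""
    if not domain:
        return None
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return None
    s_label, s_tld = reg.split(".", 1) if "." in reg else (reg, "")
    for trusted in TRUSTED_DOMAINS:
        t_label, t_tld = trusted.split(".", 1)
        if domain.startswith(trusted + "."):          # trusted name buried as a subdomain
            return trusted
        if normalize_label(s_label) == normalize_label(t_label) and s_tld != t_tld:
            return trusted                            # same name, swapped TLD
        if levenshtein(normalize_label(s_label), normalize_label(t_label)) <= 1:
            return trusted                            # one-character typosquat / homoglyph
    return None


def classify(message: dict) -> dict:
    """Combine the domain check with a payment-change keyword check for one message."""
    domain = sender_domain(message.get("from", ""))
    imitated = lookalike_of(domain)
    text = f"{message.get('subject', '')} {message.get('body', '')}"
    payment_change = bool(PAYMENT_RE.search(text) and CHANGE_RE.search(text))
    if imitated and payment_change:
        verdict = "block"    # verify by phone at a number already on file before acting
    elif imitated or payment_change:
        verdict = "review"
    else:
        verdict = "allow"
    return {"sender_domain": domain, "imitates": imitated,
            "payment_change": payment_change, "verdict": verdict}


SAMPLE_MESSAGES = [  # constructed for this example
    {"from": "AP Team <billing@acme-construction.example>", "subject": "Invoice 2231", "body": "Attached."},
    {"from": "AP Team <billing@acme-constructlon.example>", "subject": "Updated ACH details",
     "body": "Please change our routing and account number before the next deposit."},
    {"from": "Accounts <pay@acme-construction.example.invoices-portal.example>",
     "subject": "New bank account for remittance", "body": "See attached letter."},
    {"from": "Owner <j.doe@northbuild.co>", "subject": "Lunch next week", "body": "Free Tuesday?"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m))
```

The verdicts are deliberately conservative: an ACH or deposit change request from an exact trusted domain still lands in "review", because the FBI's earlier warnings cover compromised (not just spoofed) accounts, and any change to payee banking details should be confirmed out of band regardless of how legitimate the sender domain looks.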
In March, the FBI issued a warning about another series of BEC attacks targeting a growing number of US entities, with losses ranging from $10,000 to $4 million between November 2018 and September 2020.
Last month, Microsoft also disclosed a large-scale BEC campaign targeting more than 120 organizations.
The FBI's 2020 annual report on cybercrime affecting US victims recorded a large number of complaints and heavy financial losses last year.
The FBI reported the following: "The FBI Internet Crime Complaint Center (IC3) points out that BEC is a growing and evolving threat, as malicious actors become more sophisticated and adapt to current events. There was a 5% increase in losses from 2019 to 2020, with more than $1.7 billion in losses reported to IC3 in 2019 and more than $1.8 billion in losses in 2020."
In other warnings issued last year, the FBI cited BEC scammers abusing automatic email forwarding rules and cloud email services, such as Microsoft Office 365 and Google G Suite, in their attacks.
Source of information: bleepingcomputer.com