By Cam Sivesind
Thu | Mar 23, 2023 | 10:36 AM PDT

Abnormal Security recently observed an attempted vendor email compromise (VEC) attack that sought to steal $36 million from the target.

Abnormal's CISO, Mike Britton, wrote about the incident in a March 22nd blog post.

"In this attack, an enterprise in the commercial real estate industry was cc'd on an email containing an invoice for $36 million. The email was sent from what appeared to be a trusted contact of the enterprise to an escrow officer at an insurance company. The sender's domain name, however, ended in [.cam] instead of [.com] so the full domain name looked like trusteddomain.cam—almost impossible to notice for anyone but the most perceptive employee."

The enterprise received this email from a threat actor who was impersonating a VIP, the Senior Vice President & General Counsel, from a trusted partner company with whom it has a long-term relationship. Using a lookalike domain [.cam], the attacker sent an invoice and wire transfer instructions with fraudulent payment details in an attempt to redirect a $36 million loan payment to themselves.

To further bolster their credibility, the attacker cc'd a second well-known real estate investment company on the email, again using a newly created domain that ended in [.cam]. Because the enterprise involved in this attack works in commercial real estate where they often facilitate large-sum loans, and the invoice appeared to be legitimate with legitimate recipients, there was little reason for immediate concern about the validity of the wire transfer request.
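The lookalike-domain technique described above (a trusted partner's domain with `.cam` swapped in for `.com`) is mechanically detectable before a human ever reads the invoice. The Python below is an added example, not code from Abnormal Security or from the incident write-up: it extracts the domains from a message's From and Cc headers and flags any that sit one edit away from a known partner domain. The partner list and the sample headers are constructed for illustration; the "one edit" threshold and the idea that a flagged message is held for second-channel verification are the editor's assumptions, not a documented policy.

```python
from email.utils import getaddresses

# Partner domains the organisation actually transacts with (constructed sample).
TRUSTED_DOMAINS = {"trusteddomain.com", "partner-reit.com"}

# Constructed headers modelled on the incident: sender and second cc'd party
# both use a freshly registered .cam domain in place of the partner's .com.
SAMPLE_HEADERS = {
    "From": "Jane Doe <jane.doe@trusteddomain.cam>",
    "Cc": "escrow@insurer-example.com, ops@partner-reit.cam",
}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """
    'trusted'   exact match with a known partner domain (still not proof the
                account is uncompromised; large transfers get a callback anyway)
    'lookalike' one edit away from a partner domain, e.g. .cam for .com,
                a dropped or swapped letter: hold for manual verification
    'unknown'   no resemblance; handle under normal external-mail policy
    """
    if domain in trusted:
        return "trusted"
    # Threshold of one edit is an assumption; widen it for long domains if needed.
    if any(_levenshtein(domain, good) == 1 for good in trusted):
        return "lookalike"
    return "unknown"


def review_headers(headers: dict) -> list:
    """Return (header, domain, verdict) for every address in From and Cc."""
    findings = []
    for name in ("From", "Cc"):
        for _display, addr in getaddresses([headers.get(name, "")]):
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
            findings.append((name, domain, classify_domain(domain)))
    return findings


if __name__ == "__main__":
    for finding in review_headers(SAMPLE_HEADERS):
        print(finding)
```

Any `lookalike` verdict is a reason to route the message to the verification step the quoted experts describe below, rather than to the payments queue.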

Patrick Harr, CEO of SlashNext, said:

"In this case, the BEC [Business Email Compromise] has a URL that was easily identified as malicious given that the ending was .cam. Therefore, a trained user should have been able to identify it as malicious. However, there are many times when a BEC email is sent from a trusted domain or a compromised vendor. That's when you need protection that can identify malicious content from a trusted domain."

Mark Parkin of Vulcan Cyber said:

"Social engineering attacks like this, originating in email, have only been getting worse over the last few years. But there are technical methods that can help stop them already. Some email security tools are quite good at identifying attacks in this family, and there are domain tools that will quickly flag suspect domains—like the newly registered domains in this attack—when they appear. Though it is hard to imagine that a multimillion-dollar transfer like that wouldn't have a voice confirmation step, where one organization called their contact at the other to confirm the details."

Mike Aalto, Co-Founder and CEO at Hoxhunt, said:

"The Target wire fraud attack is particularly sneaky and sophisticated, but it is still basically just a page from the BEC playbook, and provides us a textbook example of preventable catastrophe. From the public information available, there's nothing new here, just a more effective variation of the type of highly targeted spear phish that robs more businesses of more money each year than any other. I call it 'textbook preventable' because any person who, if compromised, can cause outsized damage should also receive outsized training to defend against such attacks.

Always scrutinize the sender's domain from an out of the ordinary request to take an action, and always feel supported to call the executive supposedly making the request. There's a culture element involved, as we see certain global offices of a company can be more vulnerable to BEC attack than others, sometimes due to the reluctance to question high authority. Installing simple best practices and processes such as verifying financial and data requests via secure second channel can save companies a tremendous amount.

I would be remiss not to remind everyone that these attacks are likely to become more sophisticated as attackers adopt AI technology like ChatGPT. We conducted an experiment that showed human social engineers are still better at crafting phishing emails, but that gap is closing as hackers improve at prompt engineering to more effectively use ChatGPT to create convincing phishing emails."

Britton's Abnormal blog post contains screenshots of the VEC attack, including a breakdown of the phony invoice totaling $36,425,293.81—a nice random number to add to its purported "legitimacy."

"Extremely close inspection of the wiring instructions show minor discrepancies, like the 'Reference: Name,' instead of 'Reference Name' and the missing state in the disclaimer text," Britton added. "But again, only someone who was expecting an attack would likely look for these minor issues."

SecureWorld recently hosted a webcast with Abnormal Security on "5 Email Attacks to Watch For: How Threat Actors Are Targeting You," which is currently available for on-demand viewing. The informative session is free and will earn attendees 1 CPE credit.
