Researchers at PhishLabs say retail organizations are being targeted by a scam that banks on the companies owing money.
According to PhishLabs, the attackers send emails to executives that masquerade as a message from another company. The email is disguised to look like a message from an actual reseller or distributor with a previous relationship with the organization. The message calls for the target to pay any new or outstanding invoices via wire transfer to a new bank account, and includes a PDF document containing the account number and transfer instructions.
“We’ve seen many organizations targeted, including large or mid-sized retail companies,” said Don Jackson, director of threat intelligence at PhishLabs. “The attackers appear to be selecting targets based on who they think will have a high volume of invoicing activity with suppliers/resellers/distributors.”
The PDF does not contain any malware or exploits; instead it is just another prop in a social engineering trick, Jackson explained.
“The attack relies on the target accepting the pretext – which is why the attackers are going through significant effort to build a convincing pretext that has a good chance of fooling a busy executive,” he said.
Interestingly, the body of the email usually includes a fake “original message” designed to make it appear that someone in the same organization as the person being targeted has already been contacted and given their approval. In the faked message, the scammers use the impersonated sender’s actual domain name, and the message is back-dated, giving the appearance the conversation is several days old.
It is clear the attackers are researching their targets, and according to Jackson, they may be leveraging professional networking sites to do so. What is unknown however is what additional resources they may be using, he added.
“Sometimes they don’t request a specific dollar amount, relying on the fact that the target organization likely has multiple large dollar invoices from the spoofed supplier that are pending payment,” Jackson said. “They’ll just request that all the invoice payments be paid up via wire transfer to the attacker’s account.”
“When we have seen a specific dollar value requested, it has ranged between $90K (90,000) and $500K (500,000),” he added. “The amount requested appears to correlate with the size of the target company and how much business they do with third party suppliers, distributors, and other vendors. It is unclear if they are basing these amounts on hard data they’ve obtained, or if they are just making a best guess of the max amount they can safely request without raising eyebrows at the target company.”
According to PhishLabs, the fraudulent domain names observed so far have been registered via Tucows and VistaPrint using fake registrant identity information. The first-related domain observed by PhishLabs was registered on April 21. Since then, new domains in this campaign have been registered and used daily. DNS records show that some of the fraudulent domain names either were or are currently being hosted on Amazon AWS/EC2 cloud services. Some of the emails using fraudulent domain names were sent from IP addresses on US networks assigned to QuadraNet (AS29761) and LeaseWeb (AS30633).
“More is known about the criminal operations, but we cannot share additional details,” Jackson said. “The scope of the criminal operations and findings show an overall impact that typically warrants law enforcement investigation.”