When someone mentions advanced fee or romance scams most people immediately associate them with Nigerian scammers. But there is another type of scam that these fraudsters actively engage in: the so-called “change of supplier” scam.
Trend Micro has even managed identify two cybercriminals who are performing them: “Uche” and “Okiki”.
“In ‘change of supplier’ fraud, the cybercriminals’ ultimate goal is to hijack ongoing business transactions to divert payments into the cybercriminals’ account. This is done by monitoring the engagements happening between the supplier and their customer as it unfolds over email,” the researchers explain.
“At some point during this engagement – most likely during the time when payment is discussed – the cybercriminal sends an email to the customer using the supplier’s compromised email account to inform them that the account where they should deposit their payment has changed to a different account – one controlled by the cybercriminal. What happens then is that the customer sends their payment to the cybercriminal’s account, causing loss to the supplier.”
The scammers’ main targets are small-to-medium size businesses (SMB), predominantly in India, Egypt, and Iran, but also in other Asian countries, the US and Russia.
“We think that this could be related to the fact that companies who were targeted by these schemes were small businesses (or in one case, the regional office of a large enterprise), which are more abundant in developing countries. Small businesses have been known to be prone to simple attacks due to their lack in resources to set up proper security strategies,” the researchers noted.
The targeted companies are also often related to one another (by location or industry) or already doing business together – attacks are more likely to succeed if the attackers are already in possession of information that can be used to highly personalize the emails to new targets, and can send them from legitimate, compromised business email accounts.
In order to gain access to the suppliers’ business email account, the scammers first send out emails to the companies’ publicly searchable email addresses (usually info or email@example.com).
Those initial emails are usually targeted enquiries, but do not contain a malicious attachment (click on the screenshot to enlarge it):
The malware is sent after a few back-and-forth emails, once trust is established and makes it likely that the target will open the attachment without thinking twice.
The payload in question is Hawkeye, a generic, relatively straightforward keylogger/information-stealer that searches for system information and extracts user credentials (from email clients and web browsers), logs keystokes, and can also do things like deny access to certain websites, download and execute additional files, and spread via removable drives.
The collected information is sent in encrypted form to an email account or server used by the attackers.
“Simplicity and meticulous planning are the strengths of cybercriminals like Uche and Okiki. As we have observed with the HawkEye malware attacks, all they needed was to craft a clear plan for each victim,” the researchers noted. “They have a penchant for long game social engineering tactics or ‘long cons,’ clear proof of their willingness to create trustworthy characters and wait for a long time if it means there’s larger payout.”
“Change of supplier” scams are similar to “business email compromise” (BEC) scams, which also present a great danger to businesses. In 2014, in the US, BEC scams caused businesses losses of over $215 million.
The Internet Crime Complaint Center (IC3) issued a public service announcement on BEC scams in January 2015, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) has again issued an alert about them just a few days ago.
According to Trend Micro, previous “change of supplier” scams using Predator Pain, a keylogger that’s likely the predecessor of Hawkeye, have netter scammers over $75 million in just six months.
For more information about the scammers tools, tactics and identities, check out this whitepaper.