BEC scammers actively targeting Fortune 500 companies
Nigerian scammers are targeting Fortune 500 companies, and have already stolen millions of dollars from some of them, IBM Security researchers have found.
Their strategy is well known: they take over or impersonate a trusted user’s email account to target companies that conduct international wire transfers, and trick accounts payable personnel into wiring money into bank accounts under their control.
These so-called business email compromise (BEC) scams don’t require much technical knowledge, malware or special tools, and each successful attack against a well-heeled individual or organization can net scammers quite a lot of money.
The scammers’ tactics, techniques and procedures
More often than not, the scammers use publicly available information to create legitimate-looking messages that entice the targets to visit phishing pages (spoofed DocuSign login pages) “parked” on compromised websites.
Once the victim enters the login credentials for their business email account, the scammers can harvest them and use them.
“The attackers focused on stolen credentials from companies that use single-factor authentication and an email web portal. For example, companies that only require a username and password for employees to access their Microsoft Office 365 accounts were compromised,” the researchers explained.
“Using email web portals ensured the attackers’ ability to complete these attacks online and without compromising the victim’s corporate network. The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.”
After gaining access to the victim’s email account, the attackers would scour the various email folders for opportunities to exploit. It usually takes them a week or so to gain a good understanding of the current situation and of company-specific wire payment policies.
They would also create mail filters to ensure that communications were conducted only between them and the victim and, in some cases, to monitor a compromised user’s inbox.
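The mail filters described above leave a trace that defenders can hunt for: in Office 365 every rule creation is logged as a New-InboxRule or Set-InboxRule operation. The following Python is an added example (not IBM Security’s code or anything from the article) that scores such audit records for the classic BEC pattern: rules that match invoice or wire-related words and then delete, hide, mark as read or forward the mail. The parameter names used (Name, SubjectContainsWords, MoveToFolder, ForwardTo, DeleteMessage, MarkAsRead) are real New-InboxRule parameters; the keyword and folder lists are assumptions to be tuned, and every user, address, IP and value in the sample records is constructed.

```python
"""Flag Office 365 inbox rules of the kind BEC actors create after taking over a
mailbox: rules that hide or silently forward payment-related email.  Added
defender-side example, not code from IBM Security or the article.

Records mimic Unified Audit Log entries for the Exchange operations
New-InboxRule / Set-InboxRule.  The parameter names (Name, SubjectContainsWords,
MoveToFolder, ForwardTo, DeleteMessage, MarkAsRead) are real New-InboxRule
parameters; every user, address, IP and value below is CONSTRUCTED.
"""
import re

# Assumption: a starting keyword list for tuning, not an exhaustive signature.
PAYMENT_KEYWORDS = {"invoice", "wire", "payment", "remittance", "bank", "swift", "iban"}
# Folders where attackers park mail so the real user never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
KEYWORD_PARAMS = ("subjectcontainswords", "bodycontainswords",
                  "subjectorbodycontainswords", "fromaddresscontainswords")
FORWARD_PARAMS = ("forwardto", "forwardasattachmentto", "redirectto")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def _params(record):
    """Flatten the record's Parameters list into a lowercase-keyed dict."""
    return {p["Name"].lower(): p["Value"] for p in record.get("Parameters", [])}


def _truthy(value):
    """The audit log stores booleans as the strings 'True'/'False'."""
    return str(value).strip().lower() in {"true", "1", "yes"}


def _tokens(value):
    """Split a 'word1;word2' or list-valued condition into lowercase tokens."""
    items = value if isinstance(value, list) else re.split(r"[;,]", str(value))
    return {t.strip().lower() for t in items if t.strip()}


def score_rule(record, internal_domains):
    """Score one New-/Set-InboxRule record; return (score, reasons)."""
    p, score, reasons = _params(record), 0, []
    name = str(p.get("name", "")).strip()
    if len(name) <= 1 or not re.search(r"[a-z]", name, re.I):
        score += 1                      # attackers often name rules "." or "..."
        reasons.append(f"meaningless rule name {name!r}")
    hits = {k for key in KEYWORD_PARAMS for tok in _tokens(p.get(key, ""))
            for k in PAYMENT_KEYWORDS if k in tok}
    if hits:
        score += 2
        reasons.append("matches payment keywords: " + ", ".join(sorted(hits)))
    if _truthy(p.get("deletemessage", "")):
        score += 2
        reasons.append("deletes matching mail")
    folder = str(p.get("movetofolder", "")).strip().lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    for key in FORWARD_PARAMS:          # forwarding outside the organisation
        ext = [a for a in EMAIL_RE.findall(str(p.get(key, "")))
               if a.rsplit("@", 1)[1].lower() not in internal_domains]
        if ext:
            score += 3
            reasons.append(f"{key} sends mail to external address: {', '.join(ext)}")
    if _truthy(p.get("markasread", "")) and (folder or "deletes matching mail" in reasons):
        score += 1                      # hiding plus suppressing the unread count
        reasons.append("marks hidden mail as read")
    return score, reasons


def find_suspicious_rules(records, internal_domains, threshold=3):
    """Return flagged rules, most suspicious first, for an analyst to review."""
    internal = {d.lower() for d in internal_domains}
    flagged = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = score_rule(rec, internal)
        if score >= threshold:
            flagged.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                            "rule": _params(rec).get("name"), "score": score,
                            "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


# CONSTRUCTED sample audit records: one benign rule and two BEC-style rules.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor-news.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Bank"},
                    {"Name": "BodyContainsWords", "Value": "bank;iban"},
                    {"Name": "ForwardTo", "Value": "ap-backup@mail-relay.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RECORDS, {"example.com"}):
        print(f"{hit['user']} rule {hit['rule']!r} score {hit['score']}: {'; '.join(hit['reasons'])}")
```

Run against the constructed records, Alice’s newsletter rule scores 0 and is ignored, while Bob’s “.” rule (payment keywords moved to RSS Feeds and marked read) and Carol’s rule (bank keywords forwarded to an external address and deleted) are flagged. The scoring is additive so that a single benign trait, such as moving mail to Archive, does not fire on its own; the external-forward signal is weighted highest because it is the rarest legitimate action. In practice the records would come from the audit log export rather than an inline list, and the ClientIP field is worth correlating with the login sources the researchers mention.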
The attacks usually end with the scammers impersonating a known vendor and asking the victim to wire payments to an “updated” bank account number or beneficiary. If additional approval or paperwork was needed, the scammers would find and fill out the appropriate forms and spoof supervisor emails to deliver the approvals required for the transfer.
Where are these scammers from?
The researchers say that the scammers are very likely of Nigerian origin.
“Both the spoofed sender email addresses and IP addresses used to log in to email web access portals are primarily traced to Nigeria. However, it is worth noting that the same threat actors often leveraged compromised servers or revolving proxies that may be traced to other countries to mask their actual location,” they added.
Interestingly enough, the scammers had more financial success using shell corporations and corresponding bank accounts based in Hong Kong or China rather than using consumer bank accounts, the researchers noted. Financial institutions were more likely to delay or block large or unusual transactions if the bank accounts were in the name of a person.
The researchers advise potential targets to implement two-factor authentication for account logins and strict international wire transfer policies, and to verify the vendor and confirm the transaction (before it is executed!) by contacting the vendor directly via a validated phone number.