Nowadays, attackers use advanced techniques to scam organizations into paying them hefty amounts through fake invoicing.
Fremont, CA: Email scammers are growing more sophisticated every day, using advanced tactics to steal from organizations across the world. Earlier, scammers used to send an invoice, letter, or invitation to be listed in a bogus trade directory or to renew a website domain name. Today, however, the attackers' campaigns revolve around supply chains, espionage, and research. Attackers dupe their victims by injecting themselves into a legitimate email thread about finance. These attacks are difficult to detect, and victims realize that they have been scammed when their vendor follows up about an unreceived payment.
According to researchers at Agari, the email fraud is linked to a cyber-criminal gang operating out of Nigeria. Known as Silent Starling, the group started in 2015 with romance scams and cheque fraud and later advanced to wire transfer requests and gift card scams. Employing new attacks, the group has duped over 500 companies in 14 countries, with the majority of its victims in the U.S., Canada, and the UK. The group has hacked 700 employee email accounts and stolen over 20,000 emails to help its campaigns cash out successfully.
The attack begins with the hackers attempting to steal email login credentials through phishing attacks that redirect users to a spoofed version of tools like Office 365 and other enterprise software. After gaining the credentials, the attackers log in and set up a forwarding rule that automatically redirects copies of all the emails to a separate account they control. They then inspect the content of the emails to understand their victims. Later, the scammers set up alerts for keywords such as invoices and payments to gather information such as the language used by the real sender and the times of day they tend to be most active. They also gain access to the attachments and links used in the emails, which lets them create a fake invoice that looks completely legitimate.
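A defender-side check for the forwarding rule described above, added here as an example and not taken from Agari or the original article: it scans mailbox-audit records for inbox rules that forward to addresses outside the organization and notes whether the rule filters on invoice or payment keywords. The record layout, `example.com` and the sample addresses are constructed assumptions; the operation and parameter names follow Exchange Online cmdlets.

```python
# Added example: flag mailbox rules that forward mail to external addresses.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress")
FINANCE_KEYWORDS = ("invoice", "payment")

# Constructed sample audit records (simplified layout, not a real export).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "New-InboxRule",
     "params": {"ForwardTo": "collector@mail-archive.test"}},
    {"user": "bob@example.com", "operation": "New-InboxRule",
     "params": {"ForwardTo": "assistant@example.com"}},
    {"user": "carol@example.com", "operation": "Set-InboxRule",
     "params": {"RedirectTo": "smtp:box@outside.test",
                "SubjectOrBodyContainsWords": "Invoice;Payment"}},
    {"user": "dave@example.com", "operation": "MailItemsAccessed", "params": {}},
]

def external_recipients(value):
    """Return addresses from a ';'-separated list that are not internal."""
    found = []
    for addr in value.split(";"):
        addr = addr.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if addr and addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
            found.append(addr)
    return found

def find_suspicious_rules(events):
    """Return one finding per rule change that forwards mail externally."""
    findings = []
    for ev in events:
        if ev["operation"] not in RULE_OPERATIONS:
            continue
        params = ev["params"]
        targets = sorted(a for name in FORWARD_PARAMS
                         for a in external_recipients(params.get(name, "")))
        if not targets:
            continue  # internal forwarding only, or no forwarding action
        words = params.get("SubjectOrBodyContainsWords", "").lower()
        keywords = [k for k in FINANCE_KEYWORDS if k in words]
        findings.append({"user": ev["user"], "targets": targets,
                         "keywords": keywords,
                         "scope": "keyword filter" if keywords else "all mail"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EVENTS):
        print(finding)
```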
The invoice requests are precise because the customers will be expecting an invoice from the vendor. The only detail that differs in the invoice is the bank details, which redirect the money to the cyber-criminal's bank account. These attacks are more time- and resource-consuming than a regular BEC campaign, but the reward is higher. These attacks are stealthy, and they cannot be caught. In the meantime, organizations can cross-check outgoing payments to protect themselves from these attacks.