29, 2017

BEC Campaigns Target Organizations Across Sectors Using Credential Phishing


Business email compromise (BEC) scams are widely viewed as a type of cybercrime that requires relatively little technical ability. Even so, analysts across the industry have watched BEC operators move on from simple schemes such as 419 and fake-lottery fraud, in which victims are duped into sending payments after being promised large sums, toward experimenting with malware and building sophisticated networks of accounts that move stolen money quickly and reliably from one account to another.

Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites. 

Using a VirusTotal retrohunt, Flashpoint analysts identified 73 malicious PDFs sent in credential phishing campaigns between March 28, 2017 and August 8, 2017. The PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.

From the 73 files identified during the retrohunt, analysts extracted 70 unique Uniform Resource Identifiers (URIs). Many of these shared a domain: in total, the attackers used 29 distinct domains across the documents.
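As an added example (not Flashpoint's tooling, and not code from the original post), the following standard-library Python script does the small amount of work behind the counts above: it pulls every /URI link target out of a PDF, including targets kept inside Flate-compressed object streams, and groups them by hostname so that a pile of URIs collapses into a list of domains. The sample PDF it builds is constructed for the example and uses RFC 2606 placeholder hostnames, not indicators from the campaign; on a real retrohunt result you would point it at the downloaded files instead.

```python
"""Pull link targets out of PDF lures and cluster them by domain.

Added example, not Flashpoint's tooling. Standard library only. Two passes:
a regex pass over the raw bytes for /URI entries in link annotations, and a
second pass over every FlateDecode stream that will inflate, so a /URI kept
inside a compressed object stream is not missed. It is a triage heuristic,
not a PDF parser: encrypted files, non-Flate filters and URLs launched from
embedded JavaScript are out of scope.
"""
import re
import zlib
from collections import defaultdict
from urllib.parse import urlsplit

# Both string forms PDF allows for the action target: /URI (literal) and /URI <hex>.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# stream ... endstream bodies; the lookbehind keeps "endstream" from starting a match.
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(literal: bytes) -> bytes:
    """Drop the backslash from \\( \\) \\\\ escapes (octal escapes are not handled)."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), literal)


def _uris_in(buf: bytes) -> list:
    """Every /URI target visible in an uncompressed buffer, decoded to str."""
    found = [_unescape(m) for m in URI_LITERAL.findall(buf)]
    for h in URI_HEX.findall(buf):
        digits = re.sub(rb"\s", b"", h).decode("ascii")
        if len(digits) % 2:          # PDF treats a missing final digit as 0
            digits += "0"
        found.append(bytes.fromhex(digits))
    return [u.decode("latin-1") for u in found]


def extract_uris(pdf: bytes) -> list:
    """Unique /URI targets from the raw file plus every stream that inflates."""
    uris = _uris_in(pdf)
    for body in STREAM.findall(pdf):
        try:
            # decompressobj tolerates a trailing byte eaten by the regex;
            # a non-Flate stream raises zlib.error and is skipped.
            uris.extend(_uris_in(zlib.decompressobj().decompress(body)))
        except zlib.error:
            continue
    return list(dict.fromkeys(uris))  # de-duplicate, keep first-seen order


def cluster_by_domain(uris) -> dict:
    """Group URIs by hostname, the step that turns 70 URIs into 29 domains."""
    groups = defaultdict(list)
    for u in uris:
        groups[urlsplit(u).hostname or "(no host)"].append(u)
    return dict(groups)


def build_sample_pdf() -> bytes:
    """Constructed input (hostnames are RFC 2606 placeholders, not campaign IOCs):
    a plain link annotation, a hex-encoded one, and one inside a Flate stream."""
    hidden = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://docs-secure.example.net/view?id=2) >> >>")
    packed = zlib.compress(hidden)
    hex_uri = b"http://login.example.org/".hex().encode("ascii")
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 300 100] "
        b"/A << /S /URI /URI (https://docs-secure.example.net/view?id=1) >> >> endobj\n",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(packed) + packed + b"\nendstream\nendobj\n",
        b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
        + hex_uri + b"> >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for host, targets in cluster_by_domain(extract_uris(data)).items():
        print(f"{host}: {len(targets)} URI(s)")
        for t in targets:
            print("    " + t)
```

Run without arguments it reports two domains for the three embedded links; run with a path it reports on that file. Because the raw-byte pass sees only uncompressed objects, the stream pass is what catches a link annotation that a generator has packed into an object stream, which is the common case for modern PDF writers.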



Image 1: A sample of the domains utilized by the actors across campaigns.

A potential victim of this phishing campaign receives a PDF containing a malicious link. On opening the PDF, the victim is presented with a prompt to view a secure online document; clicking the prompt redirects them to a phishing website that asks for their login credentials.



Image 2: Upon opening the malicious PDF, a potential victim sees a prompt to access a secure online document, which directs them to a phishing page.

Once on the phishing page, the potential victim is presented with several options to “download” the file and is asked for the login credentials they use at their organization. After the credentials are entered, the page's script redirects the victim to a document or web page owned by the targeted organization.



Image 3: A view of the phishing webpage for harvesting credentials.

If valid credentials were submitted, the actors behind the campaign harvested them and then used the compromised accounts to send phishing emails to the victims' contacts; because these emails came from legitimate accounts, email services may have treated them as trusted. This practice helps BEC actors gain a deeper foothold in a target organization and can let them breach additional organizations. The actors can also use the compromised credentials to monitor inboxes for further incoming and outgoing information.


Who’s Responsible for the BEC Campaigns?

Based on analysis of the phishing emails identified in VirusTotal, Flashpoint analysts assess with moderate to high confidence that these attacks are likely being carried out by actors located in West Africa. The assessment rests on the originating IP addresses of the phishing emails and on the actors' tactics, techniques, and procedures (TTPs): a focus on credential phishing, relatively minimal use of malware, and a lack of operations security (OPSEC) practices on the attackers' part.

Based on artifacts left in the PDFs, these documents likely represent a small glimpse into the credential phishing community of West African cybercriminals.



Image 4: A phishing email sent through a cloud email service provider shows a Nigerian IP address as the originating IP.
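The attribution above leans on the originating IP recorded in the email headers. As an added example (not part of the original post, and not Flashpoint's tooling), the standard-library Python script below walks a message's Received: chain and returns the submitting IP, with the caveat a practitioner needs: only the hops written by servers you trust are evidence, because the sender controls everything below the first trusted hop. The message and its addresses are constructed for the example (RFC 5737 documentation ranges) and the hostnames are placeholders; the script does no geolocation, which is a separate lookup against a GeoIP source.

```python
"""Walk the Received: chain of a phishing email back to the submitting IP.

Added example, not Flashpoint's tooling. Each MTA prepends its own Received:
line, so the top header is the last hop and the bottom one the first. Only
hops written by servers you trust are evidence: everything below the first
trusted hop was already in the message when that server got it, so the
sender could have typed it. The IPs in the sample are RFC 5737 documentation
addresses, chosen so the script runs offline; it does no geolocation.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from typing import Optional

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Provider-internal relays show loopback/RFC 1918 addresses; skip those hops.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
             "192.168.0.0/16", "169.254.0.0/16")]


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_hop(value: str) -> dict:
    """Pull the 'from' IP and the 'by' host out of one unfolded Received: value."""
    from_part = re.split(r"\bby\b", value, maxsplit=1)[0]
    ips = []
    for ip in IPV4.findall(from_part):
        try:
            ipaddress.ip_address(ip)
            ips.append(ip)
        except ValueError:       # e.g. a queue id that merely looks dotted
            pass
    by = re.search(r"\bby\s+([\w.-]+)", value)
    return {"from_ip": ips[0] if ips else None,
            "by": by.group(1) if by else None}


def received_chain(raw: bytes) -> list:
    """Hops in transit order: index 0 is the earliest (bottom-most) header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [parse_hop(str(v)) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw: bytes, trusted_by=()) -> Optional[str]:
    """Earliest non-internal 'from' IP, starting at the first hop you trust.

    trusted_by: substrings of 'by' hostnames whose headers you accept (your
    own MX, or the sender's provider). With none given, the bottom header is
    believed as-is, which is exactly the forgery a sender can plant.
    """
    hops = received_chain(raw)
    if trusted_by:
        start = next((i for i, h in enumerate(hops)
                      if h["by"] and any(t in h["by"] for t in trusted_by)), None)
        if start is None:
            return None
        hops = hops[start:]
    for hop in hops:
        if hop["from_ip"] and not _is_internal(hop["from_ip"]):
            return hop["from_ip"]
    return None


# Constructed sample: a forged bottom header, the provider's submission hop,
# an internal relay, then our own MX. Not a real message from the campaign.
SAMPLE_EML = b"""\
Received: from mail-yy.example-cloud.test (mail-yy.example-cloud.test [192.0.2.45])
\tby mx.victim.example (Postfix) with ESMTPS id 4A1B2C3D
\tfor <finance@victim.example>; Tue, 08 Aug 2017 10:15:02 +0000
Received: from mail-xx.example-cloud.test (localhost [127.0.0.1])
\tby mail-yy.example-cloud.test with ESMTP id r2d2
\tfor <finance@victim.example>; Tue, 08 Aug 2017 10:15:00 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail-xx.example-cloud.test with ESMTPSA id k9s7f2
\tfor <finance@victim.example>; Tue, 08 Aug 2017 10:14:58 +0000
Received: from webmail.forged.example (webmail.forged.example [198.51.100.9])
\tby relay.forged.example with ESMTP id 0001;
\tTue, 08 Aug 2017 10:14:50 +0000
From: "Accounts" <accounts@forged.example>
To: finance@victim.example
Subject: Secure document for review

Please view the attached secure document.
"""

if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_EML)):
        print(f"hop {i}: from {hop['from_ip']} by {hop['by']}")
    print("bottom header believed:", originating_ip(SAMPLE_EML))
    print("trusting our MX only:  ", originating_ip(SAMPLE_EML, ("victim.example",)))
    print("trusting the provider: ", originating_ip(SAMPLE_EML, ("example-cloud.test",)))
```

The three calls at the bottom give three different answers on the same message: believing the bottom header yields the planted address, trusting only your own MX yields the provider's outbound relay, and trusting the provider's own headers yields the IP that submitted the message to that provider, which is the hop the Image 4 analysis relies on. Which of those you may cite depends on whether the provider's headers are ones you are prepared to vouch for.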

While BEC actors operating out of West Africa are broadly considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion USD in fraud over the last three years. By comparison, ransomware was projected to be a $1 billion USD industry in 2016, and Europol estimated that the now-defunct AlphaBay Market handled almost $1 billion USD in business between its creation in 2014 and its closure in July 2017.

BEC actors and cybercriminals located in West Africa typically make little effort to improve their OPSEC or to conceal their locations; even so, they continue to steal billions of dollars from publicly traded and high-profile organizations each year.

Additional information on Business Email Compromise (BEC) is available in the Cisco 2017 Midyear Cybersecurity Report.

 

Key Takeaways

  • Through source intelligence, Flashpoint identified a recent credential phishing campaign with a low detection rate, owing to its simplicity: malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites.
  • A VirusTotal retrohunt surfaced 73 malicious PDFs sent between March 28, 2017 and August 8, 2017. They targeted universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.
  • The attackers used compromised email accounts to phish the victims' contacts; because the emails came from legitimate accounts, email services may have treated them as trusted. This deepens the actors' foothold in a target organization, can lead to breaches of additional organizations, and lets them monitor inboxes for further incoming and outgoing information.
  • Analysts assess with moderate to high confidence that the attacks are likely being carried out by actors located in West Africa, based on the originating IP addresses of the phishing emails and on the actors' TTPs: a focus on credential phishing, relatively minimal use of malware, and a lack of OPSEC practices.

This article was originally published on Flashpoint’s blog and was republished with their permission. 

Flashpoint Sources: 
https://www.ic3.gov/media/2017/170504.aspx
https://documents.trendmicro.com/assets/resources/olympic-vision-business-email-compromise.pdf  
http://abcnews.go.com/amp/Technology/wireStory/justice-dept-announces-takedown-online-drug-marketplace-48745482
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2017

