Cluster25 Threat Intel Team
August 25, 2023
Businesses today operate on a global scale, exchanging information, collaborating and settling financial transactions in near real time, and most of that traffic runs over email. The same convenience gives cybercriminals a channel to exploit human weaknesses and abuse the trust placed in digital communication. Business Email Compromise (BEC) scams have emerged as a critical concern for organizations of all sizes. In these scams, attackers impersonate key figures within an organization, such as executives or trusted partners, to deceive employees into performing actions they believe are legitimate: transferring funds, revealing sensitive information, or executing other tasks that lead to financial loss or data breach. The perpetrators manipulate human psychology, leveraging urgency, authority and familiarity so that their fraudulent requests are carried out without suspicion.
Common types of BEC scams include CEO fraud, where scammers impersonate high-ranking executives to request urgent transfers of funds under the guise of confidential deals or unforeseen emergencies, and invoice fraud, where fake invoices that appear legitimate are sent to the employees responsible for processing payments so that funds are redirected to accounts controlled by the fraudster.
In the last few days, Cluster25 observed a BEC campaign that uses donations to non-profit foundations as a lure. In all the analyzed cases, the scam email is delivered to employees of the financial or accounting team, with the CEO's email address in CC. The attacker asks for a sizeable donation, about $15,000 to $25,000, to be wired to the non-profit foundation using the specified bank account, which is actually controlled by the attacker.
In this section we provide an example of the recently observed BEC attack, reporting the entire email message as received by the victim. To increase the effectiveness of the attack, the malicious actor fabricated a complete email thread simulating a conversation with the company CEO (whose address is in the CC of the email), in which the CEO agrees to a donation request. As visible in the example below, the CEO replies with “I am pleased to inform you that I am choosing the Premier support level, which is at $25,000. We are excited to be part of your fundraising efforts and to support your organization's mission.” and then “Please send all invoices to <victim> for payment processing”.
A victim receiving this thread could assume that the payment has already been approved by their supervisor and send the wire transfer without asking for confirmation.
The scam email contains two PDF files. The first is a “Request for Taxpayer Identification Number and Certification” (IRS Form W-9), a document containing tax information about the foundation the victim is asked to donate to. The document is used to legitimize the money request, thereby increasing the chances of success.
The second PDF file is an invoice-like document containing the amount the victim should pay, the bank details for the wire transfer, and an empty form to be filled out if the user prefers to pay by credit card.
The logo on top and the email redirection shown in the document are most likely leftovers from a previous campaign linked to the Chicago Children’s Museum.
During our investigations we found several scam attacks with the described characteristics targeting companies in the United States, Canada and Italy operating in the technology, financial, energy and logistics sectors. The following table reports the email subjects observed during the investigations; all of them refer to a gala event and to a sponsorship opportunity.
| Email subject |
|---|
| Re: Gala Premier Sponsorship for AEC Fund |
| Re: Fw: Gala Premier |
| Fw: Gala pledge for Eagle Lake Foundation |
| Re: Latchman Fund Gala Pledge |
We analyzed the non-profit foundations used as bait in the various attacks: all of them really exist, so the attacker used real information about these foundations to make the attempt look legitimate. The attacker registered a new lookalike domain for each foundation to use in the attacks. The registered domains have only an MX record set, because they serve purely as mail domains for the attacker's correspondence.
As visible in the following table, some of the reported domains had been active for only a few days, just long enough to carry out the attack.
| Foundation used as bait |
|---|
| The Laskin Foundation, Inc |
| Eagle Lake Foundation, Inc |
| The Latchman Foundation Inc. |
| Alfred E Chase Foundation, Inc |
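As an added example (not part of Cluster25's report or tooling), the following Python script shows how a mail-gateway or SOC triage rule could surface the two things described above: the fabricated reply thread with the CEO in CC, and a sender domain that is a freshly registered, MX-only lookalike of a real foundation. The message, DNS answers, registration date, organization domain and executive list are all constructed placeholders; the report does not name the attacker's registered domains, so `eagle-lake-foundation.example` is hypothetical. Treating a `Re:`/`Fw:` subject without `In-Reply-To`/`References` headers as a sign of a fabricated thread is a general heuristic, not something the report states about these samples.

```python
import re
from datetime import date
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not a captured one). It mirrors the shape described
# in the report: an external "foundation" sender, the CEO in CC, a forwarded-looking
# subject and a PDF attachment. The sender domain is a hypothetical lookalike.
SAMPLE_EML = """\
From: Gala Committee <events@eagle-lake-foundation.example>
To: Accounts Payable <ap@victimcorp.example>
Cc: CEO <ceo@victimcorp.example>
Subject: Fw: Gala pledge for Eagle Lake Foundation
Date: Fri, 25 Aug 2023 09:12:00 +0000
Message-ID: <20230825091200.1@eagle-lake-foundation.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please send all invoices to ap@victimcorp.example for payment processing.

--b1
Content-Type: application/pdf; name="Invoice.pdf"
Content-Disposition: attachment; filename="Invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed DNS answers and registration date for the hypothetical domain, standing
# in for what a resolver and an RDAP/WHOIS lookup would return (stubbed to run offline).
SAMPLE_DNS = {"eagle-lake-foundation.example": {"MX": ["10 mail.eagle-lake-foundation.example."], "A": [], "AAAA": []}}
SAMPLE_REGISTERED = {"eagle-lake-foundation.example": date(2023, 8, 21)}

ORG_DOMAIN = "victimcorp.example"        # the targeted company's own domain (assumed)
EXECUTIVES = {"ceo@victimcorp.example"}  # addresses whose presence in CC lends false authority (assumed)
NEW_DOMAIN_DAYS = 30                     # registrations younger than this are flagged (chosen threshold)


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def addresses(msg, header):
    """Lower-cased addresses from every instance of a header (From, To, Cc)."""
    return [a.lower() for _, a in getaddresses([str(h) for h in msg.get_all(header, [])])]


def sender_domain(msg):
    froms = addresses(msg, "From")
    return froms[0].rpartition("@")[2] if froms else ""


def fabricated_thread(msg):
    """'Re:'/'Fw:' subject with no threading headers: the quoted conversation was typed, not replied to."""
    looks_like_reply = re.match(r"^\s*(re|fw|fwd)\s*:", str(msg["Subject"] or ""), re.I)
    return bool(looks_like_reply) and not msg["In-Reply-To"] and not msg["References"]


def external_sender_exec_in_cc(msg):
    """External sender that copies one of our executives, the pattern used to imply prior approval."""
    return sender_domain(msg) != ORG_DOMAIN and bool(set(addresses(msg, "Cc")) & EXECUTIVES)


def pdf_attachments(msg):
    return [p.get_filename() for p in msg.iter_attachments() if p.get_content_type() == "application/pdf"]


def mx_only(records):
    """Domain that can receive mail but hosts nothing: MX present, no A/AAAA records."""
    return bool(records.get("MX")) and not records.get("A") and not records.get("AAAA")


def domain_age_days(domain, seen_on):
    registered = SAMPLE_REGISTERED.get(domain)
    return (seen_on - registered).days if registered else None


def triage(raw):
    """Return the BEC indicators found in one message, keyed by name."""
    msg = parse(raw)
    dom = sender_domain(msg)
    seen_on = parsedate_to_datetime(str(msg["Date"])).date()
    age = domain_age_days(dom, seen_on)
    return {
        "fabricated_thread": fabricated_thread(msg),
        "external_sender_exec_in_cc": external_sender_exec_in_cc(msg),
        "pdf_attachments": pdf_attachments(msg),
        "sender_domain_mx_only": mx_only(SAMPLE_DNS.get(dom, {})),
        "sender_domain_age_days": age,
        "sender_domain_is_new": age is not None and age < NEW_DOMAIN_DAYS,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_EML).items():
        print(f"{name}: {value}")
```

In production the two stub dictionaries would be replaced by live DNS and RDAP lookups, and each indicator would be a weighted signal feeding a score or a quarantine rule rather than a verdict on its own: a genuine forwarded thread can lack threading headers, and a legitimate charity can sit on a young domain, but all five together on a payment request is exactly the profile described above.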
Finally, analyzing the payment details reported in the second PDF file yields more information about the bank used by the fraudster. In all the analyzed attacks, the attacker used a bank account held at PNC Bank in Pittsburgh.
MITRE ATT&CK MATRIX
| Tactic | Technique | ID |
|---|---|---|
| Reconnaissance | Search Open Websites/Domains: Search Engines | T1593.002 |
| Reconnaissance | Gather Victim Identity Information: Email Addresses | T1589.002 |
| Reconnaissance | Gather Victim Identity Information: Employee Names | T1589.003 |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
INDICATORS OF COMPROMISE