Fraud Campaign Targets Accounts Payable Contacts at Fortune 500 Firms

A new business email compromise (BEC) campaign is targeting accounts payable personnel at Fortune 500 companies in an attempt to trick victims into initiating fraudulent wire transactions to attacker-controlled accounts, IBM warns.

As part of BEC scams, attackers take over or impersonate a trusted user's email account to target other companies and divert funds to their accounts. Based on phishing and social engineering, such attacks are relatively simple to perform and are attractive to cybercriminals, IBM notes.

As part of the recently observed campaign, attackers used well-crafted social engineering tactics and phishing emails to obtain legitimate credentials from their targets. The emails appeared to come from known contacts and mimicked previous conversations, while in some cases the attackers managed to insert themselves into ongoing conversations between business users.

Posing as the known contact from a vendor or associated company, the attackers then requested that payments be sent to a new bank account number or beneficiary.

By creating mail filters, the attackers ensured they would communicate only with the victim.

In some cases, they also found and filled out the necessary forms, or spoofed supervisor emails to provide the victim with additional approval.

The group behind the attacks, IBM says, likely operates out of Nigeria, given the spoofed sender email addresses and IP addresses that were used. However, compromised servers and proxies are often used to hide the attackers' location.

The actors created spoofed DocuSign login pages on over 100 compromised websites in various geographic locations. Targeted companies were identified in the retail, healthcare, financial and professional services industries, including Fortune 500 companies.

To harvest business user credentials, the attackers sent a mass phishing email to the user's internal and external contacts, often several hundred of them.

The message included a link supposedly leading to a business document, but instead redirecting the victim to a fraudulent "DocuSign" portal requesting authentication for download.

Next, the attackers filtered the stolen credentials and used only those from companies that require nothing more than a username and password when employees access their email accounts.

"The attackers specifically targeted personnel involved in the organization's accounts payable departments to ensure that the victim had access to the company's bank accounts," IBM notes.

Following a reconnaissance phase, the attackers engaged with the targeted employee and impersonated vendors or associated companies with established relations to the client. The attackers likely conducted extensive research on the target's organizational structure and engaged in operations such as impersonating victims, finding and spoofing internal documents, and setting up multiple domains and email accounts to pose as higher-level authorities.

The attackers set up domains that resembled those of the target company's vendors, either using a hard-to-identify typo change or registering the vendor's name with a different top-level domain (TLD). They used these domain names to set up email accounts purporting to belong to known employees and used the accounts to send emails directly to the targets.
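The lookalike-domain trick described above (a one-character typo or a swapped top-level domain) can be checked mechanically against a list of vendors the payables team actually deals with. The following is an added example, not code from the IBM report; the vendor allowlist and sender addresses are constructed, and the choice of one edit as the "typo" threshold is an assumption to tune per environment.

```python
"""Flag sender domains that merely resemble a known vendor's domain.

Added example; the vendor list and addresses below are constructed.
"""
from __future__ import annotations

# Constructed allowlist of vendor domains a payables team normally deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind.net"}


def registrable_parts(domain: str) -> tuple[str, str]:
    """Split 'name.tld' into (name, tld). Assumes a single-label TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'suppiles' is one edit away from 'supplies'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender_domain(domain: str, known: set[str] = KNOWN_VENDOR_DOMAINS) -> str:
    """Return 'known', 'tld-swap', 'typo' or 'unrelated' for one sender domain."""
    domain = domain.lower()
    if domain in known:
        return "known"
    name, tld = registrable_parts(domain)
    for vendor in known:
        vname, vtld = registrable_parts(vendor)
        if name == vname and tld != vtld:
            return "tld-swap"          # same name, different TLD
        if edit_distance(name, vname) == 1:
            return "typo"              # one dropped, added, changed or swapped char
    return "unrelated"


def review_senders(senders: list[str]) -> list[tuple[str, str]]:
    """Return (address, verdict) for every sender that is not an exact vendor match."""
    findings = []
    for addr in senders:
        verdict = classify_sender_domain(addr.rsplit("@", 1)[-1])
        if verdict != "known":
            findings.append((addr, verdict))
    return findings


if __name__ == "__main__":
    # Constructed inbound senders seen by a payables mailbox.
    for addr, verdict in review_senders([
        "billing@acme-supplies.com",
        "billing@acme-supplies.co",
        "ap@acme-suplies.com",
        "ap@acme-suppiles.com",
        "hello@example.org",
    ]):
        print(f"{addr}: {verdict}")
```

Only "typo" and "tld-swap" verdicts need human review; "unrelated" domains are simply not impersonating a vendor and fall to whatever ordinary mail controls apply. Homoglyph tricks such as replacing "m" with "rn" cost two edits here and would need a separate confusable-character table.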

"Finally, although the attackers made some grammatical and colloquial mistakes, their English skills were proficient and the few mistakes they made could be easily overlooked by the target.

The attackers created a false sense of reality around the target and imparted a sense of urgency to pay, resulting in successful scams involving millions of dollars," IBM explains.

The attackers either created email rules or auto-deleted all emails delivered from within the user's company to prevent victims from noticing fraudulent correspondence or unusual messages in their inbox. They also auto-forwarded email responses to different addresses to read them without logging into the compromised accounts.
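Both mailbox tricks described above, a rule that deletes mail arriving from the victim's own company and an auto-forward that lets the attacker read replies without logging in, leave a trace when the rule is created. The following added example (not code from the IBM report) reviews such events; the event shape is a constructed, generic one rather than any particular mail platform's audit schema, and the domain and users are made up.

```python
"""Review newly created mailbox rules for the two BEC patterns above.

Added example; event format, domain and users are constructed.
"""
from __future__ import annotations

INTERNAL_DOMAIN = "victimcorp.example"  # constructed company domain

# Constructed audit events, one per mailbox rule created by a user.
RULE_EVENTS = [
    {"user": "ap.clerk@victimcorp.example", "rule": "cleanup",
     "conditions": {"from_domain": "victimcorp.example"},
     "actions": {"delete": True}},
    {"user": "ap.clerk@victimcorp.example", "rule": "sync",
     "conditions": {},
     "actions": {"forward_to": "archive.mailbox@freemail.example"}},
    {"user": "ap.clerk@victimcorp.example", "rule": "newsletters",
     "conditions": {"from_domain": "news.example"},
     "actions": {"move_to": "Newsletters"}},
]


def rule_findings(event: dict, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return a description of each suspicious behaviour in one rule event."""
    findings = []
    cond = event.get("conditions", {})
    act = event.get("actions", {})
    # Pattern 1: silently delete everything sent from inside the company.
    if act.get("delete") and cond.get("from_domain", "").lower() == internal_domain:
        findings.append("deletes mail from own company")
    # Pattern 2: copy mail to an address outside the company.
    fwd = act.get("forward_to")
    if fwd and fwd.rsplit("@", 1)[-1].lower() != internal_domain:
        findings.append(f"auto-forwards to external address {fwd}")
    return findings


def review_rule_events(events: list[dict], internal_domain: str = INTERNAL_DOMAIN) -> list[tuple[str, str, str]]:
    """Return (user, rule name, finding) for every suspicious rule."""
    return [(e["user"], e["rule"], f)
            for e in events
            for f in rule_findings(e, internal_domain)]


if __name__ == "__main__":
    for user, rule, finding in review_rule_events(RULE_EVENTS):
        print(f"{user}: rule '{rule}' {finding}")
```

A rule that deletes or forwards mail is not malicious on its own; the signal is a new rule of this shape appearing in a payables mailbox shortly after a login from an unfamiliar location, so the findings are best correlated with sign-in records rather than blocked outright.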

The security researchers say the attackers had "more financial success using shell corporations and corresponding bank accounts based in Hong Kong or China rather than using consumer bank accounts, in which cases financial institutions were more likely to delay or block large or unusual transactions."

The shell corporations involved in the BEC scams were registered within the past year, some on the same month payments were requested to the account. Wire transfers associated with BEC scams usually end up in accounts at banks located in China and Hong Kong, IBM notes.

Related: Nigerian Sentenced to Prison in U.S. for BEC Scams

Related: Nigerians Sentenced to Prison in U.S. Over Massive Fraud Scheme

Mirai Variant Sets Up Proxy Servers on Compromised Devices

A newly observed variant of the infamous Mirai botnet is capable of setting up proxy servers on the infected Internet of Things (IoT) devices, Fortinet warns.

Mirai is a distributed denial of service (DDoS)-capable malware family that emerged in late 2016. Targeting IoT devices to add them to a botnet and launch powerful attacks, Mirai has been involved in some massive incidents right from the start.

Referred to as OMG because of strings containing "OOMGA" in its configuration table, the malware keeps most of Mirai's capabilities, but also adds its own features to the mix.

Unlike Mirai, the OMG variant's configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed, Fortinet discovered.

However, the new malware variation keeps Mirai's original attack, killer, and scanner modules, which means that it is capable of performing all of the operations that Mirai could, such as killing processes (telnet, ssh, http, and other processes related to other bots), telnet brute-force login, and DDoS attacks.

After initialization, OMG connects to the command and control (C&C) server on port 50023. Once the connection has been established, the malware sends a defined data message to the server to identify itself as a new bot.

The server responds with a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used: 0 if it should be used as a proxy server, 1 for attack, and >1 to terminate the connection.

OMG, the security researchers discovered, uses open source software 3proxy as its proxy server.

During setup, it generates two random ports for the http_proxy_port and socks_proxy_port, reports them to the C&C, and adds a firewall rule to allow traffic on these ports.

After enabling the firewall rule, the malware sets up 3proxy with the predefined configuration embedded in its code.
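The check-in sequence summarized above (connect to the C&C on TCP port 50023, receive a 5-byte reply whose first byte selects proxy, attack or disconnect) gives a network defender something concrete to look for. The following added example is not Fortinet's code; it triages constructed connection records using only the protocol facts stated in the write-up, and the record layout and IP addresses are made up.

```python
"""Triage connection records for the OMG bot check-in pattern.

Added example; record format and addresses are constructed. Protocol facts
used: C&C on TCP 50023, 5-byte reply, first byte 0 = proxy, 1 = attack,
anything greater = terminate.
"""
from __future__ import annotations

C2_PORT = 50023
ROLES = {0: "proxy", 1: "attack"}


def decode_command(reply: bytes) -> str:
    """Map the first byte of a 5-byte C&C reply to the role the bot is given."""
    if len(reply) != 5:
        raise ValueError("expected a 5-byte C&C reply")
    return ROLES.get(reply[0], "terminate")   # any value > 1 ends the session


# Constructed records: (src_ip, dst_ip, dst_port, first bytes sent by the server)
CONN_RECORDS = [
    ("10.0.5.17", "203.0.113.9", 50023, b"\x00\x00\x00\x00\x00"),
    ("10.0.5.17", "203.0.113.9", 50023, b"\x01\x00\x00\x00\x00"),
    ("10.0.5.22", "198.51.100.4", 443, b"\x16\x03\x01\x00\x5a"),
    ("10.0.5.31", "203.0.113.9", 50023, b"\x07\x00\x00\x00\x00"),
    ("10.0.5.40", "203.0.113.9", 50023, b"\x00\x00"),
]


def find_checkins(records, c2_port: int = C2_PORT) -> list[tuple[str, str, str]]:
    """Return (src, dst, note) for every session on the C&C port."""
    alerts = []
    for src, dst, dport, payload in records:
        if dport != c2_port:
            continue
        if len(payload) != 5:
            # Right port, wrong reply shape: still worth a look, but not the known handshake.
            alerts.append((src, dst, "session on C&C port with non-5-byte first reply"))
            continue
        alerts.append((src, dst, f"bot check-in, assigned role: {decode_command(payload)}"))
    return alerts


def roles_by_host(records, c2_port: int = C2_PORT) -> dict[str, set[str]]:
    """Summarize which roles each internal host has been handed over time."""
    summary: dict[str, set[str]] = {}
    for src, _, dport, payload in records:
        if dport == c2_port and len(payload) == 5:
            summary.setdefault(src, set()).add(decode_command(payload))
    return summary


if __name__ == "__main__":
    for src, dst, note in find_checkins(CONN_RECORDS):
        print(f"{src} -> {dst}: {note}")
    print(roles_by_host(CONN_RECORDS))
```

A host that is handed the "proxy" role is the one to isolate first: per the write-up it will open two further ports for 3proxy, so the same device is likely to show new inbound listeners shortly after this exchange.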

The researchers believe the attackers sell access to the IoT proxy server (because the C&C server wasn't active during investigation, the researchers only performed static analysis).

"This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices.

With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization," Fortinet concludes.

Related: Researchers Connect Lizard Squad to Mirai Botnet

Related: Mirai-Based Masuta Botnet Weaponizes Old Router Vulnerability

WhatsApp Co-founder Invests $50 Million in Signal

Open Whisper Systems, the organization behind the privacy-focused messaging app Signal, announced on Wednesday the launch of the Signal Foundation, with an initial investment of £50 million from WhatsApp co-founder Brian Acton. The Signal service is used by millions of people and the Signal protocol is used by billions through its integration into popular applications such as WhatsApp, Facebook Messenger and Google Allo. Despite the success of its product, the Signal team has never had more than seven members and has averaged only 2.3 full-time developers.

With the launch of the Signal Foundation and the £50 million from Acton, Signal will have the resources necessary to expand and accelerate its mission to make private communications accessible to everyone. "Starting with an initial £50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions. This means reduced uncertainty on the path to sustainability, and the strengthening of our long-term goals and values," said Moxie Marlinspike, founder of Open Whisper Systems and CEO of the Signal Foundation. "Perhaps most significantly, the addition of Brian brings an incredibly talented engineer and visionary with decades of experience building successful products to our team."

The Signal Foundation is a 501(c)(3) nonprofit organization. Up until now, the Freedom of the Press Foundation acted as a fiscal sponsor for Signal. Acton, who left WhatsApp and Facebook last year, will serve as executive chairman of the Signal Foundation and will be actively involved in operations and product development.

"After over 20 years of working for some of the largest technology companies in the world, I couldn't be more excited for this opportunity to build an organization at the intersection of technology and the nonprofit world," said Acton. "In the immediate future we are focused on adding to our talented-but-small team and improving Signal Messenger. Our long-term vision is for the Signal Foundation to provide multiple offerings that align with our core mission," he added.

Related: "Signal" Uses Domain Fronting to Bypass Censorship

Related: Standalone Signal Desktop Messaging App Released

Related: Signal Announces Private Contact Discovery