Vendor Impersonation Payment Fraud

In this attack, attackers impersonate a known vendor account in order to establish a relationship, and possibly extort products or money.

Quick Summary of Attack Target

Platform: Office 365
# Mailboxes: 300,000+
Email Security Bypassed: Proofpoint
Victims: International Business Department 
Payload: Text
Technique: Impersonation

What was the attack?

Setup: This organization often communicates with a partner. Recently, several international business mailboxes at this organization received a message from what appeared to be this vendor to discuss payments for previously shipped goods.

Email Attack: The attacker used a young domain that was a look-alike of the vendor’s legitimate domain to initiate a conversation about payments for previously shipped goods. It is interesting to note that the company the attacker is impersonating appears to owe money for prior goods, and the recipients of these fraudulent messages are requesting that the attacker send proof of payment. The attackers appeared to know information about invoice payments by the real vendor, and used that information to further their attack. We believe they were hoping to receive and redirect future shipments or payments.

The target company requested outstanding invoices be paid before moving any further with the attacker impersonating the vendor.
The attacker apparently had access to inside information of the vendor they were impersonating.

Result: The goal of this email chain is to establish a relationship with the targeted company. The attacker will most likely order more product and not pay for it.

Why is this attack effective?

Targeted Impersonation and Recipients: The attacker impersonates a high-level employee of a known vendor. The attacker targets the employees who would normally work with the impersonated vendor, so they are likely to expect these types of emails.

Vendor Impersonation: The attacker sends an email that appears to be from an employee of the impersonated vendor, and includes an email signature with the impersonated vendor’s legitimate information. The email domain the message was sent from was recently registered, and the registrant information was not consistent with the impersonated vendor. The attacker’s domain mimicked the real vendor domain to trick the recipient into believing they were the legitimate vendor.
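
The two signals described above, a look-alike sender domain and a recent registration date, can be checked together before anyone replies. The Python below is an added example, not Abnormal Security's detection logic; the vendor domain, thresholds, function names and dates are constructed assumptions, and the registration date is assumed to come from a separate WHOIS/RDAP lookup.

```python
from datetime import date

# Constructed sample values: the vendor domain and both thresholds are assumptions.
KNOWN_VENDORS = {"acme-logistics.example"}
YOUNG_DOMAIN_DAYS = 90   # local policy choice for "recently registered"
MAX_EDITS = 1            # one typo, dropped/added character, or swapped pair

# Digit-for-letter swaps folded away before comparing domains.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold visually confusable characters so 'acrne' and 'acme' compare equal."""
    folded = domain.lower().translate(DIGIT_SWAPS)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def assess_sender(sender, registered_on, today):
    """Classify a sender address given its domain's registration date (e.g. from RDAP)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_VENDORS:
        return ("known-vendor", domain)
    for vendor in KNOWN_VENDORS:
        if skeleton(domain) == skeleton(vendor) or edit_distance(domain, vendor) <= MAX_EDITS:
            young = (today - registered_on).days < YOUNG_DOMAIN_DAYS
            return ("lookalike-young" if young else "lookalike", vendor)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed message: 'rn' standing in for 'm', domain registered 12 days earlier.
    print(assess_sender("ap@acrne-logistics.example", date(2024, 5, 20), date(2024, 6, 1)))
```

A "lookalike-young" verdict on a message that discusses invoices or payments is a reason to confirm the request with the vendor through a contact already on file rather than by replying.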

The post Vendor Impersonation Payment Fraud appeared first on Abnormal Security.
