PhishLabs has discovered a fraudulent invoice campaign targeting corporate executives. The scammers attempt to convince their targets to wire funds to various accounts controlled by the fraudsters in order to settle the terms and outstanding balances on legitimate invoices from other companies.
What to look for
Emails associated with this campaign follow this characteristic pattern:
- Email sent to recipients who are corporate executives at a targeted company.
- The email sender is spoofed to impersonate an executive at another company.
- The spoofed sender info uses look-alike domain names that closely resemble the corporate domain names of the organization being impersonated.
- The spoofed sender appears to be with an actual reseller or distributor with a pre-existing corporate relationship with the targeted organization.
- The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account.
- Attached to the email is a PDF document containing wire transfer instructions, including bank name, account number, etc.
The PDF file is not a fraudulent invoice. This attack leverages the likelihood that Accounts Payable at the target company will have actual invoices from the spoofed company. The PDF file includes only wire transfer information. That information is in the form of a text object that many filters can inspect.
Wire transfer destinations include accounts at banks in the US, UK, China and Taiwan. It's unclear if these mule accounts were taken over or if the fraudsters set them up clandestinely to receive funds from the scam.
The body of the message often includes a fake "original message" in an attempt to set the pretext that someone in the same organization as the targeted recipient has had a previous conversation with the impersonated sender regarding a wire transfer. In the faked included message, the impersonated sender's actual domain name is used by the fraudsters. In the headers of the actual message, the sender used the look-alike domain name. The faked message is also back-dated, as if the supposed email conversation were already several days old.
Examples from the scam
The following image is a sanitized sample of an email used in this campaign to trick targets into wiring funds to the attacker's account.
In the attached PDF document are instructions for the wire transfer, including the destination account:
Who is being targeted?
Emails in this fraud campaign are sent to corporate executives, corporate finance personnel, or others likely to have roles in authorizing or executing accounts payable operations.
PhishLabs' first sample was received by an executive at a large media company. Subsequent monitoring reveals that many targeted organizations are large or mid-sized retail companies. One plausible explanation is that these companies have a high volume of invoicing activity with a large number of resellers/distributors.
Analysis suggests that the link between target organizations and the spoofed senders may have been gleaned from data on professional networking websites.
To spoof the sender, the fraudsters use the actual names of executives at the impersonated company. The domain names, however, are look-alike domains that closely resemble those of the spoofed organizations. For example, the fraudsters might register and send email from the domain "exanple.com" when spoofing a sender from a company whose actual domain is "example.com".
The fraudulent domain names observed thus far have been registered via Tucows and VistaPrint using bogus registrant identity information. The first related domain observed by PhishLabs was registered on April 21, 2014, and new domains in this campaign have been registered and used daily since that time.
DNS records indicate that some of the fraudulent domain names were, or are currently being, hosted on Amazon AWS/EC2 cloud services.
Some of the emails using the fraudulent domain names were sent from IP addresses on US networks assigned to QuadraNet (AS29761) and LeaseWeb (AS30633).
We recommend organizations take the following steps to reduce the risk of falling victim to these attacks:
- Implement filtering for messages that match known patterns detailed above.
- Educate finance department personnel so that they are familiar with this scam.
- Require validation of new banking information with trusted accounting contacts at suppliers, distributors, and resellers before authorizing transfer of funds.
- Share information and samples with security and fraud contacts.
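The first recommendation, filtering on the pattern described under "What to look for", can be implemented as a simple mail-gateway check. The following is an added illustration, not PhishLabs' code or tooling: it parses a message, compares the sender's domain against a list of known partner domains using edit distance (so "exanple.com" is flagged as a look-alike of "example.com"), looks for wire-transfer and new-bank-account language in the body, notes a PDF attachment, and checks whether a quoted "original message" in the body uses the partner's real domain while the header uses the look-alike. The partner domain list, the sample message, the distance threshold and the scoring rule are all constructed assumptions for the example.

```python
"""Added example (not PhishLabs' code): flag emails that match the
fraudulent-invoice pattern described in the advisory.  Partner domains,
the sample message, thresholds and scoring are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: domains of suppliers/resellers the organization actually pays.
# A real deployment would load these from the vendor master file.
KNOWN_PARTNER_DOMAINS = {"example.com", "acme-distribution.example"}

# Body language typical of the scam (see "What to look for").
WIRE_PATTERNS = [
    r"\bwire transfer\b",
    r"\bnew (?:bank|banking) (?:account|details|information)\b",
    r"\boutstanding invoices?\b",
]


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_PARTNER_DOMAINS, max_distance=2):
    """Return the legitimate partner domain that `domain` closely resembles,
    or None.  An exact match is a genuine partner, not a look-alike."""
    domain = domain.lower()
    if domain in known:
        return None
    best = None
    for legit in known:
        d = levenshtein(domain, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def quoted_header_domains(body):
    """Domains appearing in From:/To:/Cc: lines of a quoted or forwarded
    message embedded in the body (the fake 'original message')."""
    pattern = r"^\s*>?\s*(?:From|To|Cc):.*?@([A-Za-z0-9.-]+)"
    return {m.lower() for m in re.findall(pattern, body, re.M | re.I)}


def analyze(raw_bytes):
    """Return the findings for one raw RFC 822 message and a verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content() if text_part else ""
    findings = []

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} resembles partner {target}")
    hits = [p for p in WIRE_PATTERNS if re.search(p, text, re.I)]
    if hits:
        findings.append(f"wire/new-account language matched {len(hits)} pattern(s)")
    pdfs = [p.get_filename() for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf"]
    if pdfs:
        findings.append(f"PDF attachment(s): {', '.join(pdfs)}")
    if target and target in quoted_header_domains(text):
        findings.append("quoted message uses the real partner domain while "
                        "the header uses the look-alike")

    # Constructed scoring rule: a look-alike sender plus two further indicators.
    verdict = "suspicious" if target and len(findings) >= 3 else (
        "review" if findings else "clean")
    return {"from_domain": from_domain, "findings": findings, "verdict": verdict}


def build_sample():
    """Constructed sample shaped like the advisory's description; not a real
    message.  The attachment bytes are a placeholder, not a valid PDF."""
    msg = EmailMessage()
    msg["From"] = "John Doe <john.doe@exanple.com>"
    msg["To"] = "cfo@target-retailer.example"
    msg["Subject"] = "Updated remittance details for outstanding invoices"
    msg.set_content(
        "Please settle all new and outstanding invoices by wire transfer to our "
        "new bank account. Wire instructions are in the attached PDF.\n\n"
        "-----Original Message-----\n"
        "From: John Doe <john.doe@example.com>\n"
        "Sent: Monday, April 14, 2014 9:02 AM\n"
        "To: Jane Roe <jane.roe@target-retailer.example>\n"
        "Subject: wire transfer\n"
    )
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="wire_instructions.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in analyze(build_sample())["findings"]:
        print("-", line)
```

The edit-distance check is deliberately loose (distance up to 2) and is only meaningful against a curated list of domains the organization already does business with; applied to arbitrary senders it produces noise. The quoted-message check encodes the detail from the advisory that the fake "original message" uses the impersonated company's real domain while the live headers carry the look-alike, which a human reader rarely notices but a filter can compare directly.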
In addition to alerting law enforcement, PhishLabs is providing financial institutions with information that will allow them to identify accounts used in this scam and flag them for fraudulent activity.