With business email compromise (BEC) attacks, cyber criminals can take a variety of approaches. Some groups deploy commodity malware and keyloggers. Others simply compromise a machine to monitor an employee's inbox and use it to send attacks from a legitimate address. The most common approach to BEC attacks—one we’ve observed in multiple hunts—continues to be a deceptive email, carefully crafted to appear genuine, sent to employees who are authorized to transfer money, enticing a wire transfer from the targeted company to the attackers' account.

Booz Allen’s DarkLabs' Threat Hunt team recently discovered a highly active BEC group that appears to have been employing that last approach since at least 2016. This adversary group attacked organizations worldwide in a variety of sectors, including financial, aviation, consumer, and manufacturing, resulting in several successful monetary payouts.

One of the group’s campaigns targeted business partners of a Fortune 50 company via a commonly used technique that the Internet Crime Complaint Center (IC3) calls the "Bogus Invoice Scheme.”  In this scenario, a business that typically has a longstanding relationship with a supplier is asked to wire funds for an invoice payment to an alternate, fraudulent account. The email samples that our hunt team received very closely mimic email domains that a targeted organization might communicate within the course of legitimate business.

Using the imposter domain, the adversary tricks the target into transferring money by replying to him or her in the middle of what appears to be a legitimate email chain. "Legitimate" messages between familiar email addresses are embedded into the thread to convince the targeted individual(s) of its validity. This technique, which has been used to target multiple companies, deceives using real information and email addresses that are likely harvested through open source means, such as LinkedIn and website scraping.

How We Found the New BEC Group

Pivoting off several of the BEC group’s successful attempts, our Threat Hunting team used the mimicked illegitimate domains to build a complete picture of the adversary’s wider infrastructure, gaining further insight into their operations and techniques, tactics, and procedures (TTPs).

All the suspected imposter domains used the same group email hosting provider. This provider uses a common webmail platform and hosts the service on eight IP addresses:

                199.79.63.206                199.79.63.241                199.79.63.110                199.79.63.239

                199.79.63.227                199.79.62.62                   199.79.63.243                199.79.62.248

All domains follow a similar URL format (webmail.<domain name>.<tld>) to access their webmail service. Further investigation found that this provider also provides webmail access for legitimate domains, which made one-to-one attribution of illegitimate domains impossible using resolutions as our sole criteria.

Luckily, our analysts noticed a pattern among the suspect domains—their second-level domain did not resolve to an IP address by itself. When adding webmail to the domain name, however, it resolved to the common eight IP addresses. We also observed that a large portion of the suspect domains are registered using freely available webmail providers.

Using this method, the team identified approximately 580 illegitimate imposter domains being used by the BEC group. This discovery allowed our analysts to gain a fuller picture of the adversary's targeting and TTPs. Looking at historical registration information for the illegitimate domains, we saw that they had been targeting BEC attacks at a variety of companies and industries since at least 2016. Using the technique above, CTI analysts can fully enumerate illegitimate domains hosted here for any defensive tasking.

Partial list of malicious registrant names or emails:

• khanbhiamurtaza@gmail[.]com
• DavMore Associate
• stavesco@gmail[.]com
• sderty477@gmail[.]com
• vera.kenasaki@gmail[.]com
• bill.riser07@gmail[.]com

Tips to Protect Yourself from BEC Activity

Booz Allen’s DarkLabs Threat Hunt team has several recommendations for how to detect and/or block this type of activity from an organizational standpoint.ⁱ

• If possible, implement SPF, DKIM, and DMARC at your organization. These technologies are important for reducing this type of malicious activity by increasing authentication and integrity of email and will only become more relevant as other organizations implement them. 
• Create a list of known good domains used by your organization and business partners, and use a domain name permutation algorithm to create a list of similar domain names. Use this second list to create alerts or blocks from a network or email perspective. 
• Create a network or email policy to block recently registered domains as well as those who are categorized into non-work-related groups such as unknown.  If this impacts the organization, exceptions can always be whitelisted.
• Because BEC groups typically target individuals with the ability to make payments and transfer funds, conduct BEC attack awareness training among such employees, and hold periodic simulated phishing attack drills.