Booz Allen’s Advanced Threat Hunt team has identified a Business Email Compromise (BEC) group that has been in operation since at least 2016, targeting organizations across financial, aviation, manufacturing, and consumer sectors.
With business email compromise (BEC) attacks, cyber criminals can take a variety of approaches. Some groups deploy commodity malware and keyloggers. Others simply compromise a machine to monitor an employee's inbox and use it to send attacks from a legitimate address. The most common approach to BEC attacks—one we’ve observed in multiple hunts—continues to be a deceptive email, carefully crafted to appear genuine, sent to employees who are authorized to transfer money, enticing a wire transfer from the targeted company to the attackers' account.
Booz Allen’s Dark Labs Advanced Threat Hunt team recently discovered a highly active BEC group that appears to have been employing that last approach since at least 2016. This adversary group attacked organizations worldwide in a variety of sectors, including financial, aviation, consumer, and manufacturing, resulting in several successful monetary payouts.
One of the group’s campaigns targeted business partners of a Fortune 50 company via a commonly used technique that the Internet Crime Complaint Center (IC3) calls the "Bogus Invoice Scheme." In this scenario, a business that typically has a longstanding relationship with a supplier is asked to wire funds for an invoice payment to an alternate, fraudulent account. The email samples that our hunt team received very closely mimic the email domains that a targeted organization would communicate with in the course of legitimate business.
Using the imposter domain, the adversary tricks the target into transferring money by replying to him or her in the middle of what appears to be a legitimate email chain. "Legitimate" messages between familiar email addresses are embedded in the thread to convince the targeted individual(s) that it is genuine. This technique, which has been used against multiple companies, deceives by using real information and real email addresses that are likely harvested through open source means, such as LinkedIn and website scraping.
Pivoting off several of the BEC group’s successful attempts, our Advanced Threat Hunting team used the mimicked illegitimate domains to build a complete picture of the adversary’s wider infrastructure, gaining further insight into their operations and tactics, techniques, and procedures (TTPs).
All the suspected imposter domains used the same group email hosting provider. This provider uses a common webmail platform and hosts the service on eight IP addresses:
188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206
All domains follow a similar URL format (webmail.<domain name>.<tld>) to access their webmail service. Further investigation found that this provider also provides webmail access for legitimate domains, which made one-to-one attribution of illegitimate domains impossible using resolutions as our sole criterion.
Luckily, our analysts noticed a pattern among the suspect domains: their second-level domain did not resolve to an IP address by itself. When the webmail label was prepended to the domain name, however, it resolved to one of the common eight IP addresses. We also observed that a large portion of the suspect domains are registered using email addresses from freely available webmail providers.
Using this method, the team identified approximately 580 illegitimate imposter domains being used by the BEC group. This discovery allowed our analysts to gain a fuller picture of the adversary's targeting and TTPs. Looking at historical registration information for the illegitimate domains, we saw that they had been used in BEC attacks against a variety of companies and industries since at least 2016. Using the technique above, CTI analysts can fully enumerate the illegitimate domains hosted by this provider for any defensive tasking.
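As an added example (not code from the Booz Allen post), the resolution heuristic above expressed as a script: a domain is flagged when its apex has no A record but webmail.<domain> lands on the provider addresses quoted in the write-up. The DNS answers and the free-webmail provider list are constructed so it runs offline; a real resolver can be passed in place of the stub.

```python
from typing import Callable, Dict, List, Optional

# Provider webmail host addresses as listed in the hunt write-up.
PROVIDER_IPS = frozenset({
    "188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168",
    "22.214.171.124", "126.96.36.199", "188.8.131.52", "184.108.40.206",
})

# Constructed list of free webmail providers used as a secondary signal;
# the write-up only says registrants used "freely available webmail providers".
FREE_WEBMAIL = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})

# A resolver maps a hostname to its A records ([] when the name does not resolve).
Resolver = Callable[[str], List[str]]


def classify_domain(domain: str, resolve: Resolver,
                    registrant_email: Optional[str] = None) -> Dict[str, object]:
    """Apply the hunt's heuristic to one second-level domain.

    suspect     : apex does not resolve, webmail.<domain> is on the provider IPs
    shared_host : webmail.<domain> is on the provider IPs but the apex resolves too
                  (a legitimate customer of the same provider, not attributable)
    unrelated   : webmail.<domain> is not on the provider IPs at all
    """
    apex_ips = resolve(domain)
    webmail_ips = resolve(f"webmail.{domain}")
    on_provider = any(ip in PROVIDER_IPS for ip in webmail_ips)
    if not on_provider:
        verdict = "unrelated"
    elif not apex_ips:
        verdict = "suspect"
    else:
        verdict = "shared_host"
    mail_domain = registrant_email.rsplit("@", 1)[-1].lower() if registrant_email else ""
    return {"domain": domain, "verdict": verdict, "webmail_ips": webmail_ips,
            "free_webmail_registrant": mail_domain in FREE_WEBMAIL}


def enumerate_suspects(domains: List[str], resolve: Resolver,
                       registrants: Optional[Dict[str, str]] = None) -> List[Dict[str, object]]:
    """Return the classification records for every domain the heuristic flags."""
    registrants = registrants or {}
    results = [classify_domain(d, resolve, registrants.get(d)) for d in domains]
    return [r for r in results if r["verdict"] == "suspect"]


# Constructed DNS answers (hypothetical names, documentation IP ranges) for an offline run.
FAKE_DNS: Dict[str, List[str]] = {
    "webmail.acme-suppl1es.example": ["188.8.131.52"],       # apex intentionally absent
    "realcustomer.example": ["203.0.113.10"],
    "webmail.realcustomer.example": ["220.127.116.11"],
    "other.example": ["198.51.100.5"],
    "webmail.other.example": ["198.51.100.5"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```

Swapping `fake_resolve` for a function that wraps `socket.gethostbyname_ex(name)[2]` (returning `[]` on `socket.gaierror`) turns this into a live check; the registrant address comes from WHOIS or RDAP data the caller already holds.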
Partial list of malicious registrant names or emails:
Booz Allen’s Dark Labs Advanced Threat Hunt team has several recommendations for how to detect and/or block this type of activity from an organizational standpoint. [i]
i. We offer these recommendations for informational use only and do not make any warranties or other promises they will be effective against the threats described herein. If you would like assistance in addressing this type of threat, please feel free to contact us.