Anyone Can Fall for Online Scams

No one is safe from scams. In fact, scams targeting corporations and organizations employ meticulously social-engineered attack scenarios. Unlike smishing aimed at individuals or online shopping scams, these attacks build tailored phishing scenarios from information collected about the target in advance. As a result, it is not easy for the victim organization to recognize the scam.

This post explores business email compromise (BEC) and spear phishing emails, two representative scams targeting corporations and organizations, using specific cases.

Contents

  1. Business Email Compromise (BEC)
    • Attack Methods
    • Influence of AI Technologies
  2. Spear Phishing: Tailored Attack
    • Malware Distribution and Information Exfiltration
    • Even Experts Are Deceived
  3. See Related Articles

Definition

Scamming is defined as the crime of deceiving others through dishonest means for financial gain, to steal intellectual property, or to obtain unauthorized access to assets. Scammers (criminals and attackers) mostly use direct channels such as voice calls, text messages, emails, messengers, social media, and websites to manipulate their victims into doing what the scammers want.

Business Email Compromise (BEC)

Attack Methods

BEC is a typical scam carried out over email. Attackers mainly target employees of corporations or government organizations, especially high-ranking executives and finance or HR managers. Disguised as someone professionally involved with the victim organization, they induce the victims to transfer money or send confidential information.

BEC attacks are typically carried out with meticulous planning. Attackers first collect information about the targets from LinkedIn or public websites. When sending emails, they use techniques such as spoofing the sender address domain or impersonating trusted organizations. After building rapport with the victim, they apply social engineering methods such as applying pressure to induce the victim to transfer money or send information. In the following BEC cases, the attackers all impersonated high-ranking bank managers, demanding sensitive information while emphasizing the urgency of receiving the money.

  • In respect to your unpaid payment of $3.5 Millions Dollar with the Royal Bank Of Asia.
  • I work as the Foreign Operations Manager with one of the international banks here in Nigeria.
  • There is an overdue unclaimed sum of USD$87.2 million US dollars (NNPC) contract payment in my bank Zenith International Bank Plc…
  • reply urgently and to prove that, include your details and as soon as i receive this information I will forward you a text of an application which you will fill and send to the bank for the claim of the fund as i will direct you on what to do.
Figure 1. BEC attack cases

Influence of AI Technologies

Developing AI technologies are accelerating the evolution of BEC attacks. An incident at a multinational company in Hong Kong illustrates this well. The attackers used AI deepfake technology to impersonate the company's CFO in an email to a finance worker. The worker initially suspected fraud and joined a video conference to verify the request, but every participant in the meeting, including the CFO, was generated by deepfake technology. In the end, the employee was deceived and transferred $25 million to the attackers.[1]

Advances in AI will make BEC attacks even more sophisticated and ingenious in the coming days. Technologies such as deepfakes make impersonation easier, which in turn will raise the success rate of BEC attacks. Companies need to exercise extra caution and prepare to address the BEC threat effectively.

Spear Phishing: Tailored Attack

Malware Distribution and Information Exfiltration

Attackers design elaborate scenarios to induce their targets to execute malicious files or enter sensitive data via spear phishing emails. The following four cases show spear phishing emails that were actually used in attacks.

In the first case, the attacker impersonated an internal employee.[2] The email below was sent to an AhnLab employee, and the sender address used AhnLab's domain as well. In reality, the sender address was spoofed so that the email appeared to come from a member of the same organization. The email notified the recipient of an incoming voice message and included an attachment that led to a phishing page disguised as an AhnLab service. The phishing page had the recipient's name and email address pre-filled, which gave it a sense of legitimacy. If the recipient attempted to sign in on this page, the entered account credentials would be sent to the attacker.

Figure 2. Spear phishing case 1: Impersonating an internal employee

In the second case, the attacker used a fabricated email thread to give the impression that multiple messages had already been exchanged, making the email appear trustworthy. The subject started with “RE:,” pretending to be part of an ongoing conversation. The attacker also mimicked corporate email conventions by including a sender signature and listing multiple recipients and CCs. Moreover, the phrase “Caution: This email has been scanned by AVIRA ANTIVIRUS and no virus found” was inserted to make the email look safe and avoid suspicion. In the body, the email demanded that the recipient check the attached file as soon as possible in order to proceed with the next task. The attacker also sent follow-up emails with subjects such as “Reminder” and “Third Reminder” at intervals of a few days to pressure the recipient.

Figure 3. Spear phishing case 2: Building a sense of trust with an email thread

In the third case, the attacker targeted an employee who frequently exchanged emails with external parties. Pretending to be interested in the company's business, the attacker prompted the recipient to click a particular link. The link led to a phishing page, and when the recipient entered their sign-in credentials, the information was exfiltrated to the attacker, just as in the first case.

Figure 4. Spear phishing case 3: An attempt to exfiltrate information by inducing the viewer to click a link

In the fourth case, the attacker identified the target's social relationships in advance and impersonated a person the target knew. The attacker slightly altered the spelling of the sender's email address so that it resembled the real one. Because the attacker skillfully employed social engineering techniques, the recipient was likely to execute the malicious attachment without suspicion.

Figure 5. Spear phishing case 4: Using the social relationships of the target
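The four cases above share header-level tells that a mail gateway or SOC triage script can surface: an internal domain in From: that the receiving MTA could not authenticate (case 1), a “RE:” subject with no threading headers and a self-asserted antivirus notice (case 2), and a sender address one character away from a known contact (case 4). The script below is an added example, not code from the original post or from AhnLab; the sample messages, the example.com and partner-c0rp.com addresses, and the heuristic thresholds are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed samples (not from the post): cases 1/2 patterns, then a case 4 lookalike sender.
SAMPLE_SPOOFED = """\
From: it-support@example.com
Subject: RE: New voice message waiting
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Caution: This email has been scanned by SOME ANTIVIRUS and no virus found.
"""
SAMPLE_LOOKALIKE = """\
From: J. Doe <j.doe@partner-c0rp.com>
Subject: Updated project document
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner-c0rp.com

Attached is the document we discussed last week.
"""

def levenshtein(a: str, b: str) -> int:  # edit distance, for lookalike-address checks
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw: str, internal_domain: str, known_contacts: set[str]) -> list[str]:
    """Return the heuristic flags raised by one RFC 5322 message (empty list: none)."""
    msg = message_from_string(raw, policy=policy.default)
    sender = next((a.addr_spec.lower() for a in getattr(msg["From"], "addresses", ())), "")
    auth = (msg.get("Authentication-Results") or "").lower()
    subject = (msg.get("Subject") or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    flags = []
    # Case 1: From: claims our own domain, but the receiving MTA could not authenticate it.
    if sender.endswith("@" + internal_domain) and "spf=pass" not in auth and "dkim=pass" not in auth:
        flags.append("internal-domain sender failed SPF/DKIM")
    # Case 2: subject claims a continued conversation, yet no threading headers are present.
    if re.match(r"(re|fw|fwd)\s*:", subject, re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("RE: subject without In-Reply-To/References")
    # Case 2: a self-asserted "scanned, no virus found" line proves nothing; treat it as a lure marker.
    if re.search(r"scanned by .{0,40}no virus", text, re.I | re.S):
        flags.append("self-asserted antivirus scan notice in body")
    # Case 4: within two edits of a known contact's address without being that contact.
    if sender not in known_contacts and any(levenshtein(sender, c) <= 2 for c in known_contacts):
        flags.append("sender is a lookalike of a known contact")
    return flags
```

The flags are triage hints for a human reviewer, not verdicts: a legitimate reply forwarded by a misconfigured client can also lack threading headers, so tune the thresholds against your own mail flow.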

Even Experts Are Deceived

Even security researchers can fall victim to tailored spear phishing attacks. According to the report “New campaign targeting security researchers” published by Google’s Threat Analysis Group (TAG) and its follow-up “Active North Korean campaign targeting security researchers,” attackers presumed to be backed by North Korea are using sophisticated social engineering techniques to conduct spear phishing attacks against security researchers.

The attackers gather information about the interests and research areas of security researchers and craft tailored phishing emails based on it. They run blogs on topics likely to interest security researchers, or cultivate close relationships with them through social media. They then launch their attacks by sending documents containing malware disguised as analysis reports on the latest security issues, or emails containing malicious links that claim to describe interesting newly discovered vulnerabilities.

In 2023, there was also a case in which fake job offers were sent via LinkedIn to attack security researchers. The attackers posed as recruiters, moved the conversation to WhatsApp, and then sent documents containing malware.[3]

Attackers are mounting ingenious and sophisticated attacks using AI technologies and meticulous scenarios. Even when you receive what appears to be an urgent request or an email from a trustworthy person, it is crucial to verify the sender's request and carefully assess its content.

See Related Articles

  1. Online Scams: Are You Safe From Impersonation, Blackmail, and Deception?
  2. Online Scams: What Are Online Scams?
  3. Online Scams: Fraud Through My Phone
  4. Online Scams: Blackmail, Deceptions, and Victims
  5. Online Scams: I Just Wanted to Make a Lot of Money Easily
  6. Online Scams: Are These All Scams? Distinguishing the Legit from the Scam
  7. Online Scams: Anyone Can Fall for Scams
  8. Online Scams: So What Should We Do About It?

[1] Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’ | CNN
[2] The email was blocked by the AhnLab email security filtering system.
[3] Security researchers targeted with new malware via job offers on LinkedIn | BleepingComputer

The post Online Scams: Anyone Can Fall for Scams appeared first on ASEC BLOG.