Tuesday, January 31, 2023
LetsAskBinu.com
UK-Based Threat Actors Impersonate Global Law Firms in BEC Attacks

By Researcher
November 5, 2022


Researchers have identified a new business email compromise (BEC) group that has been impersonating legitimate attorneys, law firms and debt recovery services in order to trick accounting employees into paying fake invoices.

The group, which researchers with Abnormal Security call Crimson Kingsnake, targets companies across different sectors in the U.S., Europe, the Middle East and Australia. Researchers said that since March, they have identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies – including major global practices like Deloitte or Sullivan & Cromwell – in the U.S., UK and Australia.

Crane Hassold, director of threat intelligence at Abnormal Security, said that researchers were able to link multiple non-proxy IP addresses to members of the group, which would indicate that at least some of the actors are based in the UK.

“While Nigeria is still the main epicenter for BEC actors – about 65 percent of actors we’ve conducted active defense engagements with this year have been based in Nigeria – we’ve started seeing a slow emergence of actors in other countries, such as South Africa, the United Arab Emirates, Turkey, and the United Kingdom,” said Hassold.

BEC continues to cost businesses millions of dollars, with the Internet Crime Complaint Center (IC3) showing that BEC (and email account compromise) victims reported nearly $2.4 billion in losses in 2021, and a recent Abnormal Security report highlighting that BEC attacks increased by 84 percent over the previous six months in the first half of 2022. The profitability of these types of attacks stems from a number of tactics that rely on social engineering and emotional manipulation in order to foster a level of urgency with victims.

Crimson Kingsnake attackers first send an email impersonating real-life attorneys with legitimate law firms, and reference an overdue payment purportedly owed by the target to the firm that they represent. The BEC group uses email spoofing – leveraging email addresses hosted on domains that resemble these firms’ true domains – to add legitimacy to the scam. Once a victim responds, the actor replies with payment account details in a PDF invoice, which includes a bill number, bank account details and the company’s actual VAT ID. Researchers said the BEC group may even be using altered versions of legitimate invoices used by the impersonated firms.

If they face any resistance from the target, the BEC actors also have been observed impersonating an executive at the targeted company (under a new email with a spoofed display name) in order to put further pressure on the victim. Through this fake persona, the attackers “authorize” the employee to proceed with the payment.

“This additional step shows the lengths that this BEC group is willing to go to in order to receive payment,” said Hassold. “And it clearly pays off, as even one successful attack each day provides Crimson Kingsnake with tens of thousands of dollars.”

The impersonation of third-party companies – rather than the more traditional BEC method of impersonating executives within a victim’s organization – has rapidly increased over the years, and Hassold said that more than half of all BEC attacks observed in the first part of 2022 impersonated third parties.

“Unlike other forms of financial supply chain compromise, blind third-party impersonation attacks have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful,” said Hassold. “Scammers behind blind impersonation attacks are relying on the hope that, like so many other types of social engineering attacks, a target isn’t paying close attention to the email and simply complies with the request.”
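A mail-triage check for the two impersonation signals described above, lookalike sender domains and an executive display name on an external address, is sketched below as an added example; it is not code from Abnormal Security or the original article. The firm domains, internal domain, executive names and sample headers are all constructed placeholders.

```python
from email.utils import parseaddr

# Constructed data (assumptions): firms the company really deals with,
# its own mail domain, and executive names from its directory.
TRUSTED_VENDOR_DOMAINS = {"northgate-law.example", "acme-recovery.example"}
INTERNAL_DOMAIN = "victimco.example"
EXECUTIVES = {"jane doe", "raj patel"}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    for trusted in TRUSTED_VENDOR_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the genuine domain or one of its subdomains
    for trusted in sorted(TRUSTED_VENDOR_DOMAINS):
        brand = trusted.split(".")[0]
        # Near-miss spelling, or the firm's name embedded in another domain.
        if edit_distance(domain, trusted) <= 2 or brand in domain:
            return trusted
    return None

def triage(from_header):
    """Return the findings for one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike of {imitated}")
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        findings.append("executive display name from external address")
    return findings

if __name__ == "__main__":
    for header in ['"M. Smith" <m.smith@northgate-law.example>',    # genuine
                   '"M. Smith" <m.smith@northgate-1aw.example>',    # l -> 1
                   '"Jane Doe" <jane.doe@ceo-office.example>']:     # fake exec
        print(header, "->", triage(header) or "ok")
```

A finding here is a reason to verify the invoice through a known-good contact for the firm before payment, not proof of fraud on its own.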



© 2022 Lets Ask Binu All Rights Reserved
