In general, business email compromise (BEC) scams are widely viewed as a type of cybercrime that necessitates relatively minimal technical ability. Despite this, analysts industry-wide have observed BEC operators progressing from simple schemes such as 419 and fake lottery scams – in which unwitting victims are duped into sending payments to fraudsters after being promised large sums – towards experimenting with malware and creating sophisticated networks in order to quickly and reliably move money from one account to another.
Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites.
Threat actors sent seventy-three malicious PDFs in credential phishing campaigns between March 28, 2017 and August 8, 2017. These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.
Of the seventy-three files identified, analysts extracted seventy unique Uniform Resource Identifiers (URIs); many of these shared the same domain, and in total the attackers used twenty-nine different domains across these documents.
Image 1: A sample of the domains utilized by the actors across campaigns.
A potential victim of this phishing campaign would receive a malicious PDF containing a malicious link. Upon opening the PDF, the potential victim would be presented with a prompt to view a secure online document; when clicked, this prompt would redirect the victim to a phishing website to input their login credentials.
Image 2: Upon opening the malicious PDF, a potential victim sees a prompt to access a secure online document, which directs them to a phishing page.
Once on the phishing page, the potential victim is presented with several options to “download” the file and is asked for login credentials for their organization. Once a victim enters their login credentials, the script redirects the victim to a document or web page owned by the targeted organization.
Image 3: A view of the phishing webpage for harvesting credentials.
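The lure above depends on a /URI link action embedded in the PDF, which is also what a defender can inspect before anyone opens the file. As an added example (not code from the Flashpoint report), the Python script below pulls every /URI target out of an uncompressed PDF, rolls them up by domain the way the report does across its sample set, and flags any domain the organization does not expect; the embedded sample PDF and its secure-docs.example.invalid host are constructed placeholders, not indicators from the campaign.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not an artifact from the report): a minimal, uncompressed PDF
# with two /Link annotations whose /URI actions point at a placeholder "secure
# document" domain, one as a literal string and one as a PDF hex string.
HEX_URI = b"https://secure-docs.example.invalid/login".hex().encode("ascii")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"  /A << /S /URI /URI (http://secure-docs.example.invalid/view.php?id=1) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]\n"
    b"  /A << /S /URI /URI <" + HEX_URI + b"> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI followed by a literal string "(...)" (backslash escapes allowed) or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)|/URI\s*<(?P<hex>[0-9A-Fa-f\s]*)>")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw (uncompressed) PDF objects, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"))  # drop simple escapes such as \( and \)
        else:
            hexdigits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
            raw = bytes.fromhex(hexdigits + "0" if len(hexdigits) % 2 else hexdigits)  # PDF pads odd hex
        uris.append(raw.decode("latin-1"))
    return uris


def link_domains(pdf_bytes: bytes) -> Counter:
    """Count link targets per hostname, the per-domain roll-up the report applies to its PDF set."""
    return Counter((urlparse(u).hostname or "").lower() for u in extract_uris(pdf_bytes))


def unexpected_domains(pdf_bytes: bytes, expected: set[str]) -> set[str]:
    """Hostnames in the PDF's links that are not on the organization's expected-domain list."""
    return {h for h in link_domains(pdf_bytes) if h and h not in expected}


if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print("link target:", uri)
    print("unexpected:", unexpected_domains(SAMPLE_PDF, {"intranet.example"}))
```

The regex scan only sees objects stored in the clear; a PDF whose annotations live inside a FlateDecode object stream must be decompressed with a real PDF parser first, otherwise the link is missed and the file looks clean.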
If valid credentials were submitted, the actors behind the phishing campaign would harvest them. Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts. This practice helps threat actors committing Business Email Compromise (BEC) gain a better foothold into target organizations, and allows them to potentially breach additional organizations. Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information.
Flashpoint analysts assess that these attacks are likely being carried out by attackers located in Western Africa due to the originating IP addresses of the phishing emails, as well as the actors’ tactics, techniques, and procedures (TTPs), such as the focus on credential phishing, the absence of malware, and a lack of operations security (OPSEC) practices on the attackers’ part.
Based on artifacts left in the PDFs, these documents likely represent a small glimpse into the credential phishing community of West African cybercriminals.
Image 4: A phishing email sent through a cloud-based email service shows a Nigerian IP address as the originating IP.
While BEC actors operating out of western Africa are broadly considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion USD in fraud in the last three years. In comparison, ransomware was projected to be a $1 billion USD industry in 2016, and Europol estimated that the now-defunct AlphaBay Market was responsible for almost $1 billion USD in business between its creation in 2014 and its closure in July 2017.
BEC actors and cybercriminals located in West Africa typically do not make significant efforts to enhance their OPSEC practices or conceal their locations; however, they are still largely successful in stealing billions of dollars from publicly traded and high-profile organizations each year.
Additional information on Business Email Compromise (BEC) is available in the Cisco 2017 Midyear Cybersecurity Report.