BEC Fraudsters Targeting Financial Documents: Report
'Aging Accounts' a Useful Tool for Stealing Money
As business email compromise schemes continue to evolve, some cybercriminals are focusing on accessing companies' financial documents, which provide useful information to support the theft of money, according to a new report from security firm Agari.
One criminal group, for example, has turned its attention to stealing "aging reports" from companies' finance and accounts receivable departments, Agari researchers have found. Aging reports list unpaid invoice balances along with how long each balance has been outstanding. Companies use them to track which clients are not paying invoices on time and how much is owed.
BEC fraudsters are using the details in these aging reports to expand their scams by posing as company officials trying to collect money from clients who have unpaid balances.
In one incident that Agari describes, a criminal group masqueraded as a firm's CFO and asked accounts receivable specialists for the company's updated aging reports as well as the contact information for each customer's accounts payable contact. Researchers dubbed this group "Ancient Tortoise" and believe it is likely operating from the United Arab Emirates, the report states.
This case shows that business email compromise scams are becoming more ambitious, with fraudsters using social engineering techniques to steal as many financial documents as possible, according to the report. This approach then leads to even more lucrative scams by allowing fraudsters to victimize multiple customers and vendors, says Crane Hassold, senior director of threat research at Agari.
"In these attacks, they are using very traditional BEC tactics simply to get these reports that usually contain all of the payment information for a supplier's customers and all the contact information," Hassold tells Information Security Media Group.
A Growing Threat
Over the last several years, business email compromise scams have surged, with the U.S. Treasury Department estimating that these schemes are costing U.S. firms about $300 million a month. In addition, law enforcement has found that BEC schemes have targeted businesses of all sizes in many industries, including healthcare.
Law enforcement agencies, especially the FBI, have been cracking down on BEC schemes and announcing arrests (see: Business Email Compromise Crackdown: 281 Suspects Busted).
While BEC scams usually impersonate a company's executives, such as the CFO, another subset of this fraud, known as vendor email compromise, targets the vendors or suppliers of an enterprise with phishing emails. Once they have gathered enough information from a compromised vendor mailbox, the scammers send realistic-looking invoices to that vendor's customers in order to steal money, according to security analysts.
Agari has previously documented several cases of organized criminal groups, usually operating out of Nigeria, targeting businesses around the world with vendor email compromise schemes (see: 'Vendor Email Compromise': A New Attack Twist).
The newly identified Ancient Tortoise criminal group, Hassold notes, uses tactics similar to these vendor email compromise gangs. For example, Silent Sterling, another criminal vendor email compromise group that Agari tracks, is believed to have stolen an aging report from a victim that contained the names of over 3,500 customers who owed more than $6.5 million in unpaid invoices, the report notes.
"Vendor email compromise is very similar in that the vendors' credentials are being compromised in a phishing attack and then those vendors' customers are being targeted ... this is a trend that we are seeing where it's a hybrid attack and there are multiple victims along the way," Hassold says.
The Attack Chain
In November, one of Agari's customers contacted the firm about suspicious emails sent to the financial and accounts payable teams in the name of the firm's CFO. The messages asked for updated aging reports and contact information for clients with overdue accounts, according to the new research report.
By only asking for the aging reports and contact information, and not requesting payment information or details, it appears the fraudsters were attempting to build trust, the report states.
To study how the attack chain worked, Agari researchers sent the Ancient Tortoise attackers - still posing as the CFO - an email from a "financial employee" of a fictitious company that the security firm created. This employee then offered to send along an aging report and contact information sheet to the fraudsters. That aging report and contact information sheet also contained fictitious details and email addresses of clients who owed money.
Over the course of two days, Agari researchers watched as the Ancient Tortoise team contacted each of the phony clients asking about overdue invoices and trying to collect those debts.
"Each of our fake 'customers' received an email requesting payment for the outstanding invoices referenced in the aging report," according to the Agari report. "To make their email look legitimate, Ancient Tortoise registered a new domain about an hour and a half before sending the messages that closely mimicked our fake employee's domain. Of course, the display name and username used by the scammer also matched our persona as well."
Over the course of the back-and-forth between the Ancient Tortoise fraudsters and the fake clients, the Agari researchers learned about how the criminal group would update and refine their fake invoices as they discovered new information. The Ancient Tortoise emails appeared realistic because they contained very specific details, including order numbers, debt amounts and other company details that could only be found on a legitimate invoice, according to the report.
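The two sender-side tells in the engagement described above, a freshly registered lookalike of the legitimate domain and a display name that matches a real employee, can be checked mechanically before a payment request ever reaches a finance team. The Python below is an added example, not Agari's tooling or code from the report: it scores a From: header against a list of trusted domains and internal personas. The domain names, the persona and the sample headers are all constructed for the example.

```python
"""Flag lookalike sender domains and display-name impersonation.
Added example; the trusted domains, internal personas and sample
headers below are constructed, not taken from the Agari report."""
import unicodedata
from email.utils import parseaddr

# Assumed: our own domain plus a known vendor's domain.
TRUSTED_DOMAINS = {"acme-widgets.com", "northwind-supply.net"}
# Assumed: internal people a fraudster might pose as (e.g. the CFO).
INTERNAL_PERSONAS = {"dana reyes": "dana.reyes@acme-widgets.com"}

# Common character substitutions used in typosquatted domains.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(domain: str) -> str:
    """Fold Unicode and ASCII look-alike characters before comparing."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in _CONFUSABLES:
        d = d.replace(src, dst)
    return d


def sld(domain: str) -> str:
    """Second-level label; a real deployment would use the public suffix list."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain mimics, or None.
    Threshold 2 is tuned for multi-word labels; shorten it for short brands."""
    n = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        tn = normalize(trusted)
        if n == tn:                                  # homoglyph swap only
            return trusted
        if levenshtein(sld(n), sld(tn)) <= 2:        # acme-widget.com, acme-widgets.co
            return trusted
        if sld(tn) in sld(n):                        # acme-widgets-inc.com
            return trusted
    return None


def classify(from_header: str) -> dict:
    """Classify a From: header as trusted, external or suspicious."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "findings": findings}
    mimicked = lookalike_of(domain)
    if mimicked:
        findings.append(f"lookalike of {mimicked}")
    persona_addr = INTERNAL_PERSONAS.get(name.strip().lower())
    if persona_addr and addr.lower() != persona_addr:
        findings.append(f"display name matches internal persona {persona_addr}")
    verdict = "suspicious" if findings else "external"
    return {"domain": domain, "verdict": verdict, "findings": findings}


# Constructed sample headers: one genuine, three impersonation attempts, one unrelated.
SAMPLE_HEADERS = [
    "Dana Reyes <dana.reyes@acme-widgets.com>",
    "Dana Reyes <dana.reyes@acme-widget.com>",
    "Dana Reyes <dana.reyes@gmail.com>",
    "AP Team <ap@northwind-supp1y.net>",
    "Bob <bob@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = classify(header)
        print(f"{result['verdict']:<10} {header}  {result['findings']}")
```

The lookalike check only sees the string; the report's other signal, that the mimicking domain was registered about ninety minutes before the first message, needs an RDAP or WHOIS age lookup at delivery time, which this offline example deliberately does not attempt.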
The researchers also learned how the Ancient Tortoise scammers would time their requests for money to be sent to bank accounts in order to settle the invoices.
"These engagements continued in a similar manner to most wire transfer BEC attacks, with the attacker directly providing the details for the account where the payment should be sent," the Agari report adds.
It's not clear how many companies have been targeted by Ancient Tortoise and other scammers using similar techniques or how successful these schemes have been in stealing money, Hassold says.
It's difficult to stop these types of attacks because the fraudsters rely on social engineering and forgo the malicious attachments and malware that email security defenses might be able to stop, Hassold says. He suggests that CISOs educate finance teams about these fraud schemes and that companies introduce requirements for verifying payment requests, and any change to payment details, at every level.
"This is a really unique group, and it shows you the imagination that these scammers have to use nontraditional means to make money," Hassold tells ISMG.