Recently, researchers at Mitiga have sounded the alarm about a new Business Email Compromise (BEC) campaign. They discovered evidence of the campaign responding to another incident and have watched the campaign grow in scope and scale over time.
Here’s how the attack works:
The individual targeted by the campaign receives an email that appears to be from a bank and explains that the corporate account they usually send payments to has been frozen while a financial audit is underway.
In the meantime, the email explains that if the target needs to send payments, they can follow the instructions below the message.
The instructions appear to be inside a document behind a DocuSign wall, which is a contract management platform used widely in the corporate world.
To access the instructions, a potential victim needs to press the “Review Documents” button, which hands the victim off to a website controlled by the hackers.
These websites typically have names that appear to be legitimate companies the victim is familiar with, but a careful review of the URL will reveal an intentional typo, which gave rise to the term “typosquatting” to describe this very phenomenon.
On this page, the victim is asked to log into the Windows domain. If they do so, they inadvertently hand the attackers their Microsoft 365 account details which can be used later for any nefarious purpose the hacker’s desire.
On the face of it, this may not seem terribly convincing, but the hackers employ several tricks to make it seem completely legitimate. Chief among these is the fact that the hackers hijack existing email streams and interrupt them. So to a reader who’s not paying close attention, the instructions seem to come from someone the victim is having an ongoing conversation with.
So far, the campaign has been devastatingly effective, so keep your guard up. You don’t want to become their next victim.