Attempted Payment Fraud Using Lookalike Domain and Real Invoices Targets Manufacturing Company

In this attack, the threat actor impersonates a vendor with whom the recipient has an existing relationship and inquires about updating their banking information for future payments. Attached to the email are more than two dozen real invoices from the actual vendor totaling nearly $360,000.

The attacker uses a nearly identical email address to that of the individual being impersonated; the only difference is the domain ends in .org instead of .com. The sender even cc’s another spoofed email address using the .org extension to help disguise the domain extension swap.

The attackers have made sure that the email stays within all email defense protocols, allowing the email to penetrate various security systems without being detected. The changes made to the domain are subtle enough for the email to pass verification checks like SPF, DKIM, and DMARC. The email was sent from outside the organization, increasing the chances of the message passing through email defenses.

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. Understanding legitimate vendor domains would allow a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes.

If the attackers succeed, they can fraudulently modify the vendor’s banking details in the company’s system leading to the company transferring funds into the attacker’s account. As a result, the attackers can obtain a significant amount of funds, leading to possible financial losses.