BEC Attack Impersonates Vendor to Request Account Update Using Fake Bank Authorization Letter

In this attack, the attacker impersonated an accounts receivable manager at  an external third-party vendor to request an update to their bank account information on file with the recipient’s company, so all future payments would get directed to the new account. The email indicated the account update was needed following an internal audit that had been performed at the end of the previous year. In addition to providing the new account details in the body of the email, the attacker also included a “bank authorization letter” from a bank associate attesting to the change in account information. The email was sent from an address hosted on a domain that was registered by the attacker to mimic the vendor’s legitimate domain. Rather than including the email recipient(s) on the To line of the email, the attacker BCC’d all of the recipients to hide all of the targets of the attack.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The PDF attached to the email was not inherently malicious, so it wouldn’t be flagged by traditional email defenses.  The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes. Because the lookalike domain was registered by the attacker and didn’t spoof a legitimate domain, countermeasures like DMARC would not have been effective.

Content analysis can detect the presence of suspicious payment-related requests, including those contained within benign attachments, indicating when an email should undergo additional scrutiny. Understanding legitimate vendor domains would allow a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients.

Because the email address used by the attacker is hosted on a domain that looks very similar to the impersonated sender’s actual domain, an employee may easily mistake the email as coming from a legitimate address. Should the targeted employee comply with the attacker’s request, money that was intended to be directed to the external vendor would be diverted to an account controlled by the attacker and could damage the relationship between the companies.