BEC Gift Card Attack Leverages Foreign Character Substitution to Bypass Defenses
In this attack, the actor impersonates a company executive and asks the recipient to reply with their personal cell phone number. The email is sent from a Gmail account whose display name has been set to the name of the impersonated executive. The subject line is personalized with the recipient's first name, and lookalike characters are substituted throughout the message: Polish characters spell "Greetings" in the subject, and an exclamation point stands in for a capital "I" in the body. Based on previous experience with this pattern, the second stage of the attack is likely a request for the recipient to purchase gift cards.
Why It Bypassed Traditional Security
This attack replaces English letters with similar-looking foreign characters so that detection tools that rely on matching known malicious text strings do not recognize the message. Because the attack consists only of text, with no other indicators of compromise to inspect, a secure email gateway has little to use in determining malicious intent.
Detecting the Attack
The attacker is trying to move the conversation off email to hide the rest of the activity, and against traditional email security this kind of all-text attack could succeed. Natural language processing lets a cloud email security solution recognize a request for a cell phone number for what it is. Integration with Active Directory lets the platform determine that the sending address is not associated with the spoofed executive, and knowledge of which accounts are VIPs lets it recognize when an executive is being impersonated through display name deception.
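As an added example that is not part of the original page or any vendor's product, the Python below shows the two detection steps the text describes: folding lookalike characters back to ASCII before any string matching, and checking a spoofed VIP display name against the domain the real sender uses. The sample messages, the VIP directory, and the Cyrillic entries in the confusables table are constructed assumptions; the page itself only mentions Polish characters and the exclamation-point substitution.

```python
import re
import unicodedata
from email.utils import parseaddr

# Lookalike letters that NFKD decomposition does not reduce to ASCII. The Polish
# stroked l matches the page; the Cyrillic entries are an added assumption,
# included because they are common in the same kind of substitution.
CONFUSABLES = {
    "\u0141": "L", "\u0142": "l",                                                # Ł ł
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",  # А Е О Р С
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # а е о р с
}

# "!" used as a capital I: at the start of a word ("!'m", "!f") or standing alone
# before a lowercase word ("! need"). A sentence-ending "!" is left alone.
FAKE_CAPITAL_I = re.compile(r"(?<!\S)!(?=[A-Za-z'\u2019]|\s[a-z])")

PHONE_REQUEST = re.compile(
    r"\b(?:cell|mobile|phone)\b[^.?!\n]{0,40}\bnumber\b|\btext me\b", re.IGNORECASE
)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.IGNORECASE)

# Constructed VIP directory: normalized display name -> domain the real person sends from.
VIP_DIRECTORY = {"jane doe": "example.com"}


def normalize_text(text: str) -> str:
    """Fold lookalike characters back to plain ASCII so string matching works again."""
    text = FAKE_CAPITAL_I.sub("I", text)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    # Split accented letters into base letter + combining mark (e.g. ę -> e + ogonek),
    # then drop the marks.
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def display_name_impersonation(from_header: str, vip_directory=VIP_DIRECTORY):
    """Return details when a VIP's display name is used with a sender domain that is not theirs."""
    name, addr = parseaddr(from_header)
    key = " ".join(normalize_text(name).lower().split())
    expected = vip_directory.get(key)
    if expected is None or "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == expected:
        return None
    return {"display_name": name, "sender_domain": domain, "expected_domain": expected}


def analyze(message: dict) -> dict:
    """Run the lookalike folding, the content checks and the sender check on one message."""
    raw = message["subject"] + "\n" + message["body"]
    text = normalize_text(raw)
    return {
        "normalized_subject": text.split("\n", 1)[0],
        "lookalike_substitution": raw != text,
        "non_ascii_chars": sorted({ch for ch in raw if ord(ch) > 127}),
        "phone_number_request": bool(PHONE_REQUEST.search(text)),
        "gift_card_request": bool(GIFT_CARD.search(text)),
        "impersonation": display_name_impersonation(message["from"]),
    }


def is_bec_gift_card_lure(findings: dict) -> bool:
    """Flag a spoofed VIP display name paired with an off-channel or gift card ask."""
    return findings["impersonation"] is not None and (
        findings["phone_number_request"] or findings["gift_card_request"]
    )


# Constructed sample messages modelled on the attack described above (not real captures).
STAGE_ONE = {
    "from": '"Jane Doe" <jane.doe.office@gmail.com>',
    "subject": "Gręętings Mark",
    "body": "Hęłło Mark,\n\n!'m tied up in meetings all day. Send me your personal "
            "cell phone number, ! need a quick favour.\n\nJane",
}
STAGE_TWO = {
    "from": '"Jane Doe" <jane.doe.office@gmail.com>',
    "subject": "Re: Gręętings Mark",
    "body": "Thanks. ! need you to pick up five $100 gift cards for the team today "
            "and text me the codes.",
}

if __name__ == "__main__":
    for msg in (STAGE_ONE, STAGE_TWO):
        findings = analyze(msg)
        verdict = "SUSPICIOUS" if is_bec_gift_card_lure(findings) else "clean"
        print(findings["normalized_subject"], "->", verdict, findings["non_ascii_chars"])
```

The folding is deliberately done before the keyword regexes run, which is the whole point: on the raw subject "Gręętings" a string match for "Greetings" fails, on the folded text it succeeds. The display-name check does not trust the name at all; it only uses it to look up which domain that person is expected to send from, so a Gmail address carrying an executive's name is flagged regardless of what the body says.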
Risk to Organization
The attacker is trying to pivot from email to an employee's personal cell phone, which would cause the targeted organization to lose visibility into the malicious communications. Posing as the executive, the attacker obtains the recipient's cell phone number and then instructs them to purchase gift cards or send unauthorized payments.