In this attack, the attacker impersonated the company CEO to ask for the recipient’s help purchasing Apple iTunes gift cards because they had a meeting. The email was written in Danish, which would have been the expected language for business communications since both the impersonated CEO and targeted employee were located in Denmark. The email was sent from a freely-available Gmail account and the sender’s display name was set to mimic the impersonated CEO’s name. 

Status Bar Dots
Danish Gift Card BEC Email

English Translation:

“I have a meeting and need help getting iTunes gift cards online. Can you fix it for me?”

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Natural language processing enables cloud email security solutions to detect the presence of a gift card request. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate the company’s CEO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Although the financial impact of a gift card BEC attack may be limited due to the small amount of this gift card request, these campaigns generally target many employees at once, meaning an attacker has more opportunities for success. In many cases, employees that fall victim to these attacks use their own money to purchase the cards, meaning the company would need to have a discussion about whether to reimburse the employee for the fraud.

Analysis Overview

Vector

Text-based

Goal

Gift Card Request

Tactic

Free Webmail Account
Spoofed Display Name

Impersonated Party

Employee - Executive

Language

Danish

See How Abnormal Stops Emerging Attacks

See a Demo