Executive Impersonation Used to Steal Aging Reports
Aging reports are sensitive documents that contain lists of all outstanding invoices alongside customer names. Once stolen, they can be used by attackers to target the company’s customers with messages about outstanding invoices and details on how to pay—directly into accounts owned by the criminals.
In this attack, the threat actor first researches the right executive and recipients to understand who is most likely to make (and respond) to this type of request. He then impersonates the CFO of the organization using display name spoofing, asking the recipient to kindly email all of the outstanding payment information, alongside customer contact emails.
Why It Bypassed Traditional Security
This email originates from an unknown email address that does not have a bad reputation tied to it, and it contains no links or attachments that would identify it as malicious. In essence, outside of the content itself, there are very few indicators that this email is not what it appears to be.
Detecting the Attack
Content analysis is required to detect the aging report request and display name analysis is required to note that an impersonation has occurred. Access to Active Directory via the Microsoft API provides insight into the organizational structure, indicating VIPs within the organization who are more likely to be impersonated in this type of request.
Risk to Organization
While this attack is not likely to have a direct impact on the organization receiving it in terms of financial loss, it could have dire implications on customer trust and brand perception. Once the attacker has access to outstanding payments, he can use that (accurate) information to email customers and request that payment be made immediately. And once those customers make the payment, their money is gone—not to the vendor they thought they were paying but to a bank account owned by the attacker.