Payroll Diversion BEC Attack Mixes a Lithuanian Subject with Dutch Body Content
In this attack, a company executive was impersonated to request the recipient change the bank account associated with their payroll direct deposit. The email was written in two languages. The email subject was written in Lithuanian and the main content in the email’s body was written in Dutch. The email was sent from a freely-available Gmail account and the sender’s display name was spoofed to match the name of the impersonated executive.
I want to change the account on my payroll to a new account and
I would like to know if it will be effective for the next payment?
How Does This Attack Bypass Email Defenses?
Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.
How Can This Attack Be Detected?
Natural language processing enables cloud email security solutions to detect attacks that request changes to payroll accounts. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and identify VIP mailboxes, so it can recognize display name deception: the display name matches a known executive, but the sending address is not one associated with that executive.
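The two preceding sections make one combined point: SPF, DKIM and DMARC all pass because the mail really did come from Gmail, so authentication results say nothing about intent, and the useful signals are the display-name/address mismatch against the org chart plus the payroll-change language in the text. The following Python example is added here to illustrate that logic; it is not code from the original post or from any vendor product. The VIP directory stands in for an Active Directory lookup, the phrase lists are constructed, and both sample messages (a Gmail-sent lure with a Lithuanian subject and Dutch body, and a legitimate request from the executive's real address) are constructed stand-ins.

```python
"""Added example: flag payroll-diversion BEC that passes SPF/DKIM/DMARC.

Assumptions (not from the original post): VIP_DIRECTORY stands in for an
Active Directory / org-chart lookup, PAYROLL_PHRASES is a constructed
multilingual keyword list, and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed directory: what an org-chart lookup would return for a known executive.
VIP_DIRECTORY = {
    "jane doe": {"title": "CFO", "addresses": {"jane.doe@example.com"}},
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Constructed phrase lists for "change my payroll/bank account" requests (en / nl / lt).
PAYROLL_PHRASES = {
    "en": [r"\bpayroll\b", r"\bdirect deposit\b", r"\bchange (?:the |my )?(?:bank )?account\b"],
    "nl": [r"\bsalaris\b", r"\bloon\b", r"\b(?:bank)?rekening(?:nummer)?\b", r"\bvolgende betaling\b"],
    "lt": [r"\batlyginim", r"\bs[aą]skait", r"\bbankin"],
}


def _normalize(name: str) -> str:
    """Case-fold and collapse whitespace so 'Jane  DOE' matches the directory key."""
    return " ".join(name.casefold().split())


def _auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results, if present."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def analyze(raw: str) -> dict:
    """Return findings and a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default_policy)
    sender = msg["From"].addresses[0]
    display_name, addr = sender.display_name, sender.addr_spec.lower()
    domain = addr.rpartition("@")[2]
    text = f"{msg['Subject']}\n{msg.get_payload()}"  # subject + plain-text body

    vip = VIP_DIRECTORY.get(_normalize(display_name))
    findings = {
        "display_name": display_name,
        "sender": addr,
        "impersonated_vip": vip["title"] if vip else None,
        # Display name deception: a VIP's name on a mailbox the VIP does not own.
        "display_name_deception": bool(vip) and addr not in vip["addresses"],
        "freemail_sender": domain in FREEMAIL_DOMAINS,
        "payroll_request_languages": sorted(
            lang for lang, patterns in PAYROLL_PHRASES.items()
            if any(re.search(p, text, re.IGNORECASE) for p in patterns)
        ),
        "auth": _auth_results(msg),
    }
    # Recorded for the analyst, but deliberately NOT used in the verdict: a lure sent
    # from a real Gmail mailbox passes SPF/DKIM/DMARC just like any other Gmail message.
    findings["auth_all_pass"] = all(
        findings["auth"].get(k) == "pass" for k in ("spf", "dkim", "dmarc")
    )

    if findings["display_name_deception"]:
        findings["verdict"] = "block" if findings["payroll_request_languages"] else "review"
    elif findings["payroll_request_languages"] and findings["freemail_sender"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


# Constructed lure: Lithuanian subject, Dutch body, sent from a free Gmail mailbox.
LURE_EMAIL = """\
From: "Jane Doe" <jane.doe.cfo.1234@gmail.com>
To: payroll@example.com
Subject: Atlyginimo sąskaitos keitimas
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Ik wil de rekening voor mijn salaris wijzigen naar een nieuwe rekening en
ik wil graag weten of dit al geldt voor de volgende betaling?
"""

# Constructed legitimate request from the executive's directory-listed address.
LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Direct deposit update
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Please change the account on my payroll to the new one I submitted through the HR portal.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(raw))
```

The design choice worth noting is that `auth_all_pass` is reported but never consulted when deciding the verdict: both sample messages authenticate cleanly, and only the org-chart mismatch combined with the payroll-change language separates them. In production the phrase lists would be replaced by a language-aware classifier, and the directory by a live Active Directory or Microsoft Graph query, but the decision structure stays the same.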
What are the Risks of This Attack?
Because the sender’s display name has been spoofed to impersonate the company’s CFO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the target engage with this email, the attacker is likely to send banking information for a new account—enabling him to receive the next direct deposit. Depending on how much the executive makes and how long it takes him to notice the error, the company (and the VIP) could lose tens of thousands of dollars.