In this Spanish-language attack, the attacker opened by impersonating a company executive and asking whether the recipient had been contacted by a partner at KPMG. The email was sent from an address hosted on a domain registered by the attacker, and the sender’s display name was spoofed to match the name of the impersonated executive. A “sent from my mobile device” signature was added to the end of the email.

Spanish BEC Attack 1

If the recipient had responded to the initial email, the attacker would have followed up with additional information, indicating they needed the recipient’s help with a financial obligation. The attacker would have asked the employee whether they were available to work with the KPMG partner over email to assist with the project.

Spanish BEC Attack 2

If the recipient had agreed to help, the attacker would have responded with more information detailing how the project deals with the acquisition of a foreign company. The attacker would have requested that the target employee keep the details of the acquisition confidential and would have provided the recipient with an email address to contact a second persona impersonating the KPMG partner. The email address for the impersonated partner would have been hosted on a domain created to look like a legitimate KPMG domain. The amount of the “first advance” for the supposed acquisition the employee would have been requested to send was nearly a million dollars ($982,555).

Spanish BEC Attack 3

English Translation:

Email 1:

Good Morning,

Has Mr. Rodrigo Ribeiro from KPMG contacted you in the morning?

Regards,

[Impersonated Executive Name]

Sent from my mobile device

------------------

Email 2:

Okay,

It is regarding a financial file that I am dealing with, and we must process it only by email.

Are you available to take care of this with Mr. Ribeiro right now?

Regards,

[Impersonated Executive Name]

Sent from my mobile device

------------------

Email 3:

I’ll explain to you,

At this moment we are carrying out the acquisition of a foreign company.

For reasons of confidentiality, we have to communicate only through my private email, to be able to talk about the subject without risk of it being disclosed and to respect the rules of this operation.

Any comment in this regard must be in writing to my personal email, which is the one registered in the confidentiality agreement signed with KPMG.

I need you to contact Mr. Rodrigo Ribeiro right now (rodrigo.ribeiro[at]kpmg-audit[.]com) to request the bank details of the adverse party and proceed with a transfer of a first advance for the amount of 982,555.12 USD (value to date).

Once you have sent the transfer order, let me know and you have to send the receipt to Rodrigo Ribeiro's email.

I trust you.

Regards,

[Impersonated Executive Name]

Sent from my mobile device

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes. Some email defenses rely on training their detection models only using common languages, such as English, so attacks that are written in other languages may not be detected.

How Can This Attack Be Detected?

Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request, even when the message is written in Spanish. Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes.
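The detection signals described above, combined in a small triage heuristic, as an added example that is not Abnormal’s detection logic: the VIP directory, corporate domains, the sample message, the 30-day domain-age threshold and the keyword list standing in for a multi-language NLP model are all assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
# Constructed data: the VIP list an Active Directory org-chart lookup would supply and
# the organisation's legitimate sending domains. All names are hypothetical.
VIP_DIRECTORY = {"ana garcia": "ana.garcia@example-corp.com"}
CORPORATE_DOMAINS = {"example-corp.com"}
MIN_DOMAIN_AGE_DAYS = 30
# Payment vocabulary in English and Spanish; a multi-language NLP model would replace this list.
PAYMENT_TERMS = [
    r"\btransfer(?:encia)?\b", r"\badvance\b", r"\banticipo\b", r"\bbank details\b",
    r"\bdatos bancarios\b", r"\bUSD\b", r"\b\d{1,3}(?:[.,]\d{3})+(?:[.,]\d{2})?\b",
]

@dataclass
class Email:
    display_name: str
    sender: str
    body: str
    domain_registered: date  # sender domain's registration date (from WHOIS/RDAP)
    received: date

def bec_indicators(mail: Email) -> list:
    """Return the indicators present in the message; an empty list means none fired."""
    found = []
    domain = mail.sender.rpartition("@")[2].lower()
    # 1. Display name matches a VIP, but the mail did not come from a corporate domain.
    if mail.display_name.strip().lower() in VIP_DIRECTORY and domain not in CORPORATE_DOMAINS:
        found.append("vip_display_name_external_sender")
    # 2. Sending domain registered too recently to carry any reputation.
    if (mail.received - mail.domain_registered).days < MIN_DOMAIN_AGE_DAYS:
        found.append("newly_registered_domain")
    # 3. Payment-request language in English or Spanish.
    if any(re.search(p, mail.body, re.IGNORECASE) for p in PAYMENT_TERMS):
        found.append("payment_request_language")
    return found

def needs_review(mail: Email) -> bool:
    """Escalate for additional scrutiny when two or more independent indicators fire."""
    return len(bec_indicators(mail)) >= 2

# Constructed Spanish sample modelled on the third email in this attack (not the real text).
SAMPLE_ATTACK = Email(
    display_name="Ana Garcia",
    sender="ana.garcia@mail-ejecutivo.example",
    body="Proceder con una transferencia de un primer anticipo por 982,555.12 USD.",
    domain_registered=date(2023, 5, 1),
    received=date(2023, 5, 9),
)
```

Each signal alone is weak (executives do mail from personal addresses, and finance staff legitimately discuss transfers), which is why the escalation rule requires two independent indicators rather than any one.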

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate a company executive, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of nearly a million dollars.

Analysis Overview

Vector: Text-based

Goal: Payment Fraud

Tactic: Maliciously Registered Domain, Spoofed Display Name

Theme: Mergers & Acquisitions

Impersonated Party: Employee - Executive

Language: Spanish
