Crimson Kingsnake: BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks
According to data from our H1 2022 Email Threat Report, BEC attacks increased by a considerable 84% over the previous six months. And while they’re still relatively low-volume compared to other types of scams (less than one per 1,000 mailboxes), BEC attacks caused almost $2.4 billion in losses last year alone. So, while they’re not as common, they can be expensive. And the practically undetectable social engineering methods used by attackers make these threats especially dangerous.
Recently, we identified a new BEC group leveraging blind third-party impersonation tactics to swindle companies around the world. The group, which we call Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices.
We’ve observed Crimson Kingsnake target companies throughout the United States, Europe, the Middle East, and Australia. Like most BEC groups, the group is industry-agnostic, meaning they don’t explicitly target companies in certain sectors. Intelligence collected from some of the active defense engagements we’ve conducted with the group indicates that at least some of the actors associated with Crimson Kingsnake may be located in the United Kingdom.
A Quick Primer on Blind Third-Party Impersonation Attacks
Blind third-party impersonation attacks are just one type of financial supply chain compromise, an umbrella term we use to refer to BEC attacks that impersonate external third parties rather than internal employees. As we discussed in a report we published earlier this year, more than half of all BEC attacks we observed during the early part of 2022 impersonated third parties.
Unlike other forms of financial supply chain compromise, blind third-party impersonation attacks have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful. Scammers behind blind impersonation attacks are relying on the hope that, like so many other types of social engineering attacks, a target isn’t paying close attention to the email and simply complies with the request.
For example, scammers often prepare authentic-looking invoices with their bank account information and real company details for the organization they’re impersonating. They even create fake email chains with the names and addresses of their victim’s colleagues, making the request look and feel legitimate.
Anticipating (and Overcoming) Victim’s Due Diligence
Based on our observations, a typical Crimson Kingsnake attack starts with an email impersonating an attorney and referencing an overdue payment the target’s company owes to the firm or a company they represent. The impersonated attorney and the law firm they purportedly work for actually exist in the real world, so if the target ran a Google search for either, they would actually find results for the impersonated parties.
To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm’s real domain. The display name of the sender is set to the attorney that is being impersonated and the email signature contains the firm’s actual company address. Since March 2022, we’ve identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the United States, the United Kingdom, and Australia. Many of the firms referenced in Crimson Kingsnake attacks are major, multinational practices with a global footprint.
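The lookalike pattern described above (a firm's name with small misspellings, hyphens, or appended words such as "law", "llp", "legal" or "firm") can be screened for by normalizing the sender's domain and comparing it with the domains of vendors you actually deal with. This is an added example, not code from the article or its vendor; the trusted domains, function names and the 0.85 threshold are constructed assumptions.

```python
import difflib

# Constructed allow-list of genuine vendor domains (placeholders, not from the article).
TRUSTED_DOMAINS = {"northbridge.example", "harlowcollections.example"}

# Filler tokens that lookalike domains append to a firm's name.
FILLER = ("legal", "firm", "law", "llp")

def core_label(domain):
    """Second-level label, lowercased, without hyphens or trailing filler tokens.
    Assumption: naive label split; production code should use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    label = (labels[-2] if len(labels) >= 2 else labels[0]).replace("-", "")
    changed = True
    while changed:
        changed = False
        for token in FILLER:
            # Keep at least four characters so a short name is not erased entirely.
            if label.endswith(token) and len(label) - len(token) >= 4:
                label = label[: -len(token)]
                changed = True
    return label

def classify(sender_domain, threshold=0.85):
    """Return ('trusted' | 'lookalike' | 'unrelated', closest trusted domain or None)."""
    sender_domain = sender_domain.lower().rstrip(".")
    if sender_domain in TRUSTED_DOMAINS:
        return "trusted", sender_domain
    core = core_label(sender_domain)
    best, best_score = None, 0.0
    for trusted in sorted(TRUSTED_DOMAINS):
        score = difflib.SequenceMatcher(None, core, core_label(trusted)).ratio()
        if score > best_score:
            best, best_score = trusted, score
    # Near-identical after normalization, yet not the real domain: treat as a lookalike.
    if best_score >= threshold:
        return "lookalike", best
    return "unrelated", None

if __name__ == "__main__":
    # Constructed sender domains covering each outcome.
    for d in ("northbridge.example", "northbridge-law.example",
              "northbrigde.example", "paperclipsupply.example"):
        print(d, classify(d))
```

A "lookalike" verdict is a reason to hold the message or the payment for out-of-band verification, not proof of fraud on its own.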
As a result of our active defense engagements, we have been able to observe what happens after a target responds to a Crimson Kingsnake email. After a victim responds, a Crimson Kingsnake actor replies with payment account details contained within a manufactured PDF invoice, which includes the law firm’s logo, details about bogus services rendered, and the total amount due.
These sophisticated invoices also list a bill number, account reference number, bank account details, and the company’s actual VAT ID. Some invoices even include a “notification of rights” and information about who to contact with questions or concerns. Based on the complexity and detailed nature of the invoices we’ve observed, it’s possible that Crimson Kingsnake is using altered versions of legitimate invoices used by the impersonated firms.
Getting the Boss Involved
When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company. When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and “authorizes” the employee to proceed with the payment.
The email impersonating the company executive is still sent from an account hosted on a maliciously-registered domain controlled by the group; however, the display name is extended to include the executive’s email address in parentheses. This added layer of complexity provides a target with a potential signal that the email is coming from a legitimate source rather than a malicious account.
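The display-name trick described above leaves a checkable trace: the address shown inside the display name sits on a different domain than the address the message was actually sent from. The following is an added example, not code from the article or its vendor; the function names and all `.example` addresses are constructed.

```python
import re
from email.header import decode_header, make_header

# Finds an address-like string and captures its domain part.
ADDR = re.compile(r"[\w.+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def split_from(raw_from):
    """Return (display name, actual sender address) from a From header value."""
    # Undo RFC 2047 encoded-words first so an encoded display name cannot hide the address.
    text = str(make_header(decode_header(raw_from))).strip()
    m = re.match(r"^(.*)<([^<>]+)>\s*$", text, re.S)
    if not m:
        return "", text.lower()  # bare address, no display name
    return m.group(1).strip().strip('"'), m.group(2).strip().lower()

def embedded_address_mismatch(raw_from, own_domains):
    """Flag a display name carrying an address on a different domain than the
    one the message really came from. Returns a finding dict, or None if clean."""
    name, sender = split_from(raw_from)
    sender_domain = sender.rpartition("@")[2]
    for m in ADDR.finditer(name):
        claimed = m.group(1).lower()
        if claimed != sender_domain:
            return {
                "sender_domain": sender_domain,
                "claimed_domain": claimed,
                # Highest priority: the name claims one of our own domains.
                "claims_internal": claimed in own_domains,
            }
    return None

if __name__ == "__main__":
    own = {"victimco.example"}  # constructed: the recipient organization's domain
    samples = [  # constructed From headers
        "Dana Reyes (dana.reyes@victimco.example) <billing@office-desk.example>",
        "=?utf-8?q?Dana_Reyes_=28dana.reyes=40victimco.example=29?= "
        "<billing@office-desk.example>",
        "Dana Reyes <dana.reyes@victimco.example>",
    ]
    for s in samples:
        print(embedded_address_mismatch(s, own))
```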
This additional step shows the lengths that this BEC group is willing to go to in order to receive payment. And it clearly pays off, as even one successful attack each day provides Crimson Kingsnake with tens of thousands of dollars.
Protecting Your Organization from Crimson Kingsnake and Other Impersonation Attacks
Social engineering scammers leverage their knowledge of common human behavior to manipulate victims into doing their bidding. To foster a sense of urgency and drive victims to take action, Crimson Kingsnake email subject lines often contain language like “overdue,” “unpaid,” “outstanding,” or “final notice.” This artificial sense of urgency is meant to override any potential red flags that a targeted employee might suspect. Ultimately, this behavioral manipulation is the reason BEC attacks have become so impactful overall in recent years.
There are a few things organizations can do to reduce their chances of falling victim to impersonation attacks, like those we’ve seen with Crimson Kingsnake. First and foremost, it’s imperative to prevent social engineering emails from reaching employee mailboxes. To accomplish this, organizations should adopt more modern email security solutions, like a behavioral AI-based, context-aware platform. By using software that analyzes email identities and content, social engineering attacks can be blocked before employees have the opportunity to engage with them.
If these attacks do end up in an inbox, ensuring that there are robust procedures in place for outgoing payments is extremely important. Organizations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment.
Appendix: List of Domains Linked to Crimson Kingsnake BEC Campaigns