Crimson Kingsnake: BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks
According to data from our H1 2022 Email Threat Report, BEC attacks increased by a considerable 84% over the previous six months. And while they’re still relatively low-volume compared to other types of scams (less than one per 1,000 mailboxes), BEC attacks caused almost $2.4 billion in losses last year alone. So, while they’re not as common, they can be expensive. And the practically undetectable social engineering methods used by attackers make these threats especially dangerous.
Recently, we identified a new BEC group leveraging blind third-party impersonation tactics to swindle companies around the world. The group, which we call Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices.
We’ve observed Crimson Kingsnake target companies throughout the United States, Europe, the Middle East, and Australia. Like most BEC groups, the group is industry-agnostic, meaning they don’t explicitly target companies in certain sectors. Intelligence collected from some of the active defense engagements we’ve conducted with the group indicates that at least some of the actors associated with Crimson Kingsnake may be located in the United Kingdom.
A Quick Primer on Blind Third-Party Impersonation Attacks
Blind third-party impersonation attacks are just one type of financial supply chain compromise, an umbrella term we use to refer to BEC attacks that impersonate external third parties rather than internal employees. As we discussed in a report we published earlier this year, more than half of all BEC attacks we observed during the early part of 2022 impersonated third parties.
Unlike other forms of financial supply chain compromise, blind third-party impersonation attacks have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful. Scammers behind blind impersonation attacks are relying on the hope that, like so many other types of social engineering attacks, a target isn’t paying close attention to the email and simply complies with the request.
For example, scammers often prepare authentic-looking invoices with their bank account information and real company details for the organization they’re impersonating. They even create fake email chains with the names and addresses of their victim’s colleagues, making the request look and feel legitimate.
Anticipating (and Overcoming) Victim’s Due Diligence
Based on our observations, a typical Crimson Kingsnake attack starts with an email impersonating an attorney and referencing an overdue payment the targets company owes to the firm or a company they represent. The impersonated attorney and the law firm they purportedly work for actually exist in the real world, so if the target ran a Google search for either, they would actually find results for the impersonated parties.
To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm’s real domain. The display name of the sender is set to the attorney that is being impersonated and the email signature contains the firm’s actual company address. Since March 2022, we’ve identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the United States, the United Kingdom, and Australia. Many of the firms referenced in Crimson Kingsnake attacks are major, multinational practices with a global footprint.
As a result of our active defense engagements, we have been able to observe what happens after a target responds to a Crimson Kingsnake email. After a victim responds, a Crimson Kingsnake actor replies with payment account details contained with a manufactured PDF invoice, which includes the law firm’s logo, details about bogus services rendered, and the total amount due.
These sophisticated invoices also list a bill number, account reference number, bank account details, and the company’s actual VAT ID. Some invoices even include a “notification of rights” and information about who to contact with questions or concerns. Based on the complexity and detailed nature of the invoices we’ve observed, it’s possible that Crimson Kingsnake is using altered versions of legitimate invoices used by the impersonated firms.
Getting the Boss Involved
When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company. When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and “authorizes” the employee to proceed with the payment.
The email impersonating the company executive is still sent from an account hosted on a maliciously-registered domain controlled by the group; however, the display name is extended to include the executive’s email address in parentheses. This added layer of complexity provides a target with a potential signal that the email is coming from a legitimate source rather than a malicious account.
This additional step shows the lengths that this BEC group is willing to go to in order to receive payment. And it clearly pays off, as even one successful attack each day provides Crimson Kingsnake with tens of thousands of dollars.
Protecting Your Organization from Crimson Kingsnake and Other Impersonation Attacks
Social engineering scammers leverage their knowledge of common human behavior to manipulate victims into doing their bidding. To foster a sense of urgency and drive victims to take action, Crimson Kingsnake email subject lines often contain language like “overdue,” “unpaid,” “outstanding,” or “final notice.” This artificial sense of urgency is meant to override any potential red flags that a targeted employee might suspect. Ultimately, this behavioral manipulation is the reason BEC attacks have become so impactful overall in recent years.
There are a few things organizations can do to reduce their chances of falling victim to impersonation attacks, like those we’ve seen with Crimson Kingsnake. First and foremost, it’s imperative to prevent social engineering emails from reaching employee mailboxes. To accomplish this, organizations should adopt more modern email security solutions, like a behavioral AI-based, context-aware platform. By using software that analyzes email identities and content, social engineering attacks can be blocked before employees have the opportunity to engage with them.
If these attacks do end up in an inbox, ensuring that there are robust procedures in place for outgoing payments is extremely important. Organizations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment.
See how Abnormal stops socially-engineered attacks from Crimson Kingsnake and other BEC threat groups. Request a demo of the platform today.
Appendix: List of Domains Linked to Crimson Kingsnake BEC Campaigns