BEC Group Incorporates Secondary Impersonated Personas and Lookalike Domains in Convincing Third-Party Reconnaissance Attacks
No matter the tactic used, the goal of business email compromise doesn’t change: extract money from victims. But attacker tactics are always evolving, as cybercriminals look to stay ahead of both security awareness training and the tools put in place to stop them. For example, because so many potential targets have wised up to the executive impersonation strategies that first emerged in 2013, BEC groups are now adopting financial supply chain compromise strategies that impersonate vendors and suppliers instead.
Firebrick Ostrich* is the latest example of this evolution. This BEC group specializes in third-party reconnaissance attacks—one of the four types of financial supply chain compromise that Abnormal documents and monitors. As we’ll show, Firebrick Ostrich makes an effort to falsify domains and email identities, but they don’t know what they can extract from their victims until one takes the bait.
* Why are they called Firebrick Ostrich? Here’s how the Abnormal Intelligence team names BEC threat groups
How Third-Party Reconnaissance Attacks Work
In contrast to other forms of financial supply chain compromise where an attacker has deep insight into a specific vendor/customer relationship, third-party reconnaissance occurs when an attacker knows that there is a relationship between two organizations but has limited or no knowledge about actual outstanding payments. In essence, an attacker in these cases has the necessary context to impersonate a vendor but not enough information to be specific in their payment request.
These attacks typically depend on open-source research in lieu of using information gained from an account compromise or document theft. And when someone really wants to discover something, it is impressive how much information is publicly available on the internet about vendor-customer relationships.
For example, many state and local governments offer detailed information about existing and previous contracts on their websites. These records provide key insights into the services a vendor has provided, contact information for both the vendor and customer, and the total contract amounts.
In other cases, an attacker could simply visit a vendor’s website where the company has displayed the names or logos of their customers to help market their products and services via customer proof. Or, they may be able to simply Google two company names to see what the connection may be.
While this information is usually limited, it at least gives an adversary a small piece of information they can exploit in an attack: the fact that there is an existing connection between the two organizations.
Once an attacker has collected this information, they will then initiate their attack by impersonating the vendor and emailing the customer, inquiring about a potential outstanding payment. Because the attacker doesn’t have specific knowledge about an actual overdue invoice, these initial emails tend to be more general requests—rather than containing specific details that might be found in a traditional vendor email compromise attack.
Another tactic a threat actor might use, instead of requesting payment for a current invoice, is simply to request that a vendor’s stored bank account details be updated so any future payments get redirected to the new account. This tactic is a little more stealthy, as the attacker isn’t requesting an immediate payment—the red flag accounts payable specialists are taught to notice. These attackers are playing a longer game, hoping that a simple request now will result in the next scheduled payment landing in their redirected account.
Setting Up the Impersonation Infrastructure
Thus far, we’ve identified more than 350 BEC campaigns attributable to Firebrick Ostrich dating back to April 2021. These campaigns impersonated 151 different organizations using 212 different maliciously registered domains. While it doesn’t look like the group focuses on a specific industry when selecting vendors to impersonate, nearly all of the companies impersonated by Firebrick Ostrich have been located in the United States. This makes sense since, as we’ll see later, all of the group’s targets have historically been based there.
A majority (60%) of the domains registered by Firebrick Ostrich have been registered on the same day as the execution of the BEC campaign they’re used in. Three-quarters of their domains were obtained within 48 hours of an attack, and 89% of domains were registered within a week of a campaign. The group’s use of newly-registered domains highlights how young domains, in conjunction with other behavioral indicators, can be used as an effective signal to identify threats.
On their newly-registered domains, Firebrick Ostrich creates a number of email addresses that they then use to facilitate their attack. The primary account created—the account that will be communicating with a target—generally impersonates a vendor’s accounts receivable specialist. However, the group also creates a number of additional accounts impersonating other vendor employees, including financial executives. These supplemental accounts are used to add a layer of authenticity to their attacks.
The Initial Email: “We Greatly Appreciate You as a Valued Customer”
Once the group has set up their offensive infrastructure, they’re ready to launch their attacks. The initial email in a Firebrick Ostrich attack typically starts with a little flattery, stating the impersonated vendor “greatly appreciates you as a valued customer and we want to thank you for your continued business.” This flattery is followed by two requests common to third-party reconnaissance attacks.
The first request indicates the vendor would like to update the bank account on file with the customer. The email makes a point to mention that the vendor is unable to receive payments via check, so ACH and wire transfer payments are the only options available. The indication that check payments aren’t a viable option could suggest Firebrick Ostrich’s mule network—the individuals that would be receiving fraudulent payments—may not be set up to launder funds through physical checks. Many times, the initial mule who receives fraudulent payments from BEC attacks is a victim of a romance or employment scam who is given certain backstories about why money could appear in their account, and a check appearing in the mail may not align with that backstory.
The second request included in a Firebrick Ostrich email inquires about any outstanding payments that are owed to the vendor. The email states that the vendor has lost track of open invoices on their end because their accounting team is unable to review accounts. In one email, Firebrick Ostrich provided more details, stating that the account team is “not able to get onto the server or into Oracle to review accounts or post payments that may have been received.”
This type of email from Firebrick Ostrich is to be expected since an inquiry about pending invoices is a common characteristic of third-party reconnaissance attacks. The manufactured pretext of a technical issue is a common excuse used in many of the third-party reconnaissance attacks we see to explain why a vendor isn’t able to access their own inventory of invoices, but the flattery shown here seems to be unique to this BEC group.
Running the BEC Scam: How Firebrick Ostrich Targets Its Victims
Like most BEC groups we track, Firebrick Ostrich is “industry agnostic,” meaning they don’t focus on targeting any specific industry or type of organization. Throughout our research, we’ve seen Firebrick Ostrich target organizations in multiple industries, including financial services, healthcare, education, hospitality, and retail.
While a company’s industry doesn’t seem to factor into target selection, it does seem that geography is a factor—as all of the targets we’ve uncovered have been based in the United States.
Rather than targeting specific employees, Firebrick Ostrich generally sends their emails to centralized accounts payable email distribution lists, such as ap@companyname[.]com, which effectively targets all of the employees on the list at the same time. And instead of including the targeted email addresses on the main To line of an email, Firebrick Ostrich adds targets to the BCC line. Using this tactic, the group hides the full recipient list from anyone receiving an email, increasing the likelihood that recipients will believe they were the only ones to receive it and will therefore reply.
While using this BCC tactic raises the possibility that the group could streamline their attacks by targeting numerous organizations at once, there is no evidence to suggest that Firebrick Ostrich does this. We observed 120 campaigns from Firebrick Ostrich where they targeted two or more organizations with the same message, but the analysis of the email headers conclusively shows that each email is sent to each target organization individually.
In addition to impersonating an accounts receivable employee from the vendor, Firebrick Ostrich goes a step further and also creates a handful of additional accounts impersonating other vendor employees. The roles of these other impersonated employees vary, but at least one of them is almost always a company executive—usually the vendor’s CFO. Firebrick Ostrich copies all of the additional fake accounts on their emails to make it look like they are including others in the conversation, which adds credibility and social proof to the message. The use of secondary impersonated personas that are shown simply to add legitimacy to the message but aren’t actually involved in the conversation is a tactic we rarely see being used by other BEC groups.
Cashing Out: Understanding What Comes Next
Using active defense, we can see what would happen if a Firebrick Ostrich attack is successful. Over the past year, we’ve conducted more than 100 active defense engagements with Firebrick Ostrich actors, which tells us more about what happens after their initial emails are received.
After receiving a response from a targeted employee, the content of the group’s secondary email is fairly consistent. In it, they simply provide the vendor’s “updated” account information for ACH payments. The account name and address provided by Firebrick Ostrich match the name and headquarters address of the impersonated vendor.
It should be noted that even though the account name provided by Firebrick Ostrich matches the vendor’s company name to provide additional legitimacy, the actual receiving account likely isn’t set up in the vendor’s name. Generally, ACH payments only require the account and routing numbers of the receiving account. In most cases, the name an account was opened with isn’t validated when sending a payment, so a scammer can provide the name of any recipient without worrying about a failed transaction down the road.
In a few instances, we’ve also observed Firebrick Ostrich attaching PDFs that contain payment account information, rather than including them in the body of an email. In addition to the account details, the group also includes other artifacts that add a layer of authenticity to the document, including the impersonated vendor’s logo and their employer identification number (EIN).
These PDFs also include the correct name and legitimate contact details for the CFO of the impersonated vendor, who is also one of the supplemental impersonated accounts copied by Firebrick Ostrich on the initial email. Interestingly, the PDFs also include a note to send a copy of the payment confirmation to an email account that, instead of being hosted on a lookalike vendor domain, is hosted on a mail.com address with a lookalike vendor username.
All this combines to create a convincing BEC scam that users may indeed fall victim to, without ever realizing that they are interacting with an adept cybercrime group.
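The signals described above (a lookalike domain registered within a week of the campaign, recipients hidden on the BCC line, secondary personas CC’d from the same new domain, a free-mail address for confirmations, and the bank-update/outstanding-invoice pretext) can be scored together by a mail gateway or SOC triage script. The Python below is an added example, not Abnormal’s detection logic; the message, domains, people and registration dates are constructed, the WHOIS and approved-vendor lookups are stand-ins for real data sources, and modelling the mail.com confirmation address as a Reply-To header is an assumption.

```python
import re
from datetime import date
from difflib import SequenceMatcher
from email import message_from_string
# Constructed sample in the style described above; domains, people and dates are hypothetical.
SAMPLE = """From: Accounts Receivable <ar@acme-corp-inc.com>
To: undisclosed-recipients:;
Cc: Jane Doe, CFO <jdoe@acme-corp-inc.com>
Reply-To: acmecorp.ar@mail.com
Subject: Updated remittance details

Please update the bank account on file; we are unable to receive payments via check, only ACH or wire.
Also advise any outstanding payments, as our team is not able to get onto the server to review accounts.
"""
# Constructed lookups; in production these come from WHOIS/RDAP and the approved-vendor master file.
DOMAIN_REGISTERED = {"acme-corp-inc.com": date(2021, 4, 12)}  # hypothetical registration date
ANALYSIS_DATE = date(2021, 4, 12)                              # hypothetical day the mail arrived
KNOWN_VENDOR_DOMAINS = {"acme-corp.com"}                       # hypothetical approved vendor domain
FREE_MAIL_PROVIDERS = {"mail.com", "gmail.com", "outlook.com"}
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PRETEXT = re.compile(r"update.{0,40}(bank|account)|unable to receive.{0,30}check|outstanding (payment|invoice)|not able to (get onto|access)", re.I)
def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()
def lookalike_of(domain, known=KNOWN_VENDOR_DOMAINS, threshold=0.8):
    """Return the approved vendor domain this one resembles but does not equal, else None."""
    for k in known:
        if domain != k and SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None
def bec_indicators(raw, today=ANALYSIS_DATE, registered=DOMAIN_REGISTERED):
    """Return the set of third-party reconnaissance indicators found in one plain-text message."""
    msg = message_from_string(raw)
    addrs = lambda header: [a.lower() for a in ADDR.findall(msg.get(header, ""))]
    sender_domain = domain_of(addrs("From")[0])
    found = set()
    if lookalike_of(sender_domain):
        found.add("lookalike_sender_domain")
    reg = registered.get(sender_domain)
    if reg is not None and (today - reg).days <= 7:   # 89% of the group's domains fall in this window
        found.add("domain_registered_within_7d")
    if not addrs("To"):                                 # recipients hidden on the BCC line
        found.add("recipient_not_in_to")
    if any(domain_of(a) == sender_domain for a in addrs("Cc")):  # secondary personas on same domain
        found.add("cc_personas_same_domain")
    if any(domain_of(a) in FREE_MAIL_PROVIDERS for a in addrs("Reply-To")):
        found.add("freemail_reply_to")
    if PRETEXT.search(msg.get_payload()):
        found.add("payment_change_pretext")
    return found
```

No single indicator is conclusive (a real vendor may legitimately change banks), so a practical rule alerts on the combination, for example a young lookalike domain plus the payment-change pretext, and routes the message to manual verification with the vendor over a known-good phone number.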
Protecting Your Organization from Firebrick Ostrich and Other BEC Groups
BEC has been a problem for a decade now, despite security teams’ efforts to raise awareness about fake messages that impersonate trusted parties to request money. Unfortunately, most people simply don’t take the time to carefully scrutinize every email message they receive—especially when they’re overloaded at work and the message appears to come from a trustworthy sender.
Beyond the human tendency to trust, there’s the fact that attackers keep changing their tactics, as shown by Firebrick Ostrich. What makes this group stand out is that they have seen massive success even without the need to compromise accounts or do in-depth research on the vendor-customer relationship. By using fairly obvious social engineering tactics, they can discover everything they need in order to run a successful BEC campaign—without investing any significant time or resources into the initial research.
Ongoing BEC awareness training can help employees stay aware of these attacks and keep vigilance top of mind. However, removing the need for employees to make those judgment calls in the first place is the most effective solution. Preventing attacks from Firebrick Ostrich and others like them is possible with modern, behavioral AI-based analysis that understands identity, recognizes good email behavior, and detects deviations from that behavior to block malicious emails before they reach inboxes.
To learn more about how Abnormal Security can stop third-party reconnaissance attacks from Firebrick Ostrich, request a demo of the platform today.