BEC Groups Wage Multilingual Executive Impersonation Attacks Targeting Companies Worldwide

Business email compromise (BEC) attacks are one of the fastest-growing and financially destructive cyber threats in history. BEC attacks accounted for more than one-third of all cybercrime losses in 2021, totaling nearly $2.4 billion in damage for the year, and the FBI estimates there have been more than $43 billion in exposed losses since 2016.

While these attacks aren’t as common as phishing or identity theft, they represent the most expensive threat currently facing organizations internationally. Since 2016, BEC attacks have consistently ranked at the top of the FBI’s list of costliest cybercrimes in the United States.

But it turns out that BEC is prevalent beyond English-speaking countries.

Recently, we’ve identified two groups using executive impersonation to execute BEC attacks on companies worldwide. These groups are Midnight Hedgehog, which engages in payment fraud, and Mandarin Capybara, a group that executes payroll diversion attacks. Combined, they have launched BEC campaigns in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish.

This post will look at the tactics and techniques associated with each of these groups and provide some context about how organizations can defend themselves against multilingual email-based attacks.

(Want to learn more about how we name our threat groups? Check out the recent blog post on our BEC group naming convention.)

Attacking targets across various regions and using multiple languages is nothing new. However, in the past, these attacks were perpetrated mainly by sophisticated organizations with large budgets and more advanced resources. For example, to effectively translate email text for more believable social engineering efforts, threat groups may hire native speakers.

But, as technology becomes more accessible and affordable, it lowers the barrier to entry. We’ve consistently observed BEC actors leveraging the same commercial online services that sales and marketing teams rely on to identify prospects and personalize communications. Using these resources, BEC actors tend to collect target contact information—referred to as “leads”—within a certain geographic area, usually a single country or state.

And thanks to the proliferation of automated translation tools like Google Translate, scammers can instantly translate emails into whatever language they need. For instance, a group might run a campaign in the Netherlands with text in Dutch while simultaneously running the same campaign in Spain with text in Spanish.

Using widely available marketing technology and highly accurate translation apps, attackers can rapidly scale their efforts, maximizing their reach and wreaking havoc across the globe. And because many translation tools now use machine learning to improve context, such as translating the meaning of a sentence rather than each word individually, they’re much easier to manipulate for nefarious purposes.

Why does this matter? We’ve taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack. When these are not present, there are fewer alarm bells to alert native speakers that something isn’t right.

The first group we’ll look at uses executive impersonation to deceive recipients into making payments for bogus services—usually by posing as a company’s CEO. As with other impersonation attacks, Midnight Hedgehog threat actors appear to thoroughly research their target’s responsibilities and relationship to the CEO and then create spoofed email accounts that mimic a real account. Like many payment fraud attacks, the group targets finance managers or other executives responsible for initiating the company’s financial transactions.

We’ve seen attacks from Midnight Hedgehog dating back to at least January 2021. Their attacks have been sent from accounts hosted on a variety of free webmail providers, including Gmail, Yandex, Earthlink, and Web.de, and domains created by the group registered with NameCheap or GoDaddy. Based on the intelligence we collected during our active defense engagements with the group, individuals associated with the group are likely located in multiple countries, including England, Canada, the United States, and Nigeria.

To date, we’ve observed two versions of Midnight Hedgehog’s initial emails written in 11 languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish.

In one version, the Midnight Hedgehog actor impersonates a CEO to make an urgent request for the target to complete a payment to a company in England. In a second version, the impersonator asks the target to share the company’s current bank account balance and requests that they promptly complete a payment for a specified amount.

As a result of the active defense engagements we’ve conducted with Midnight Hedgehog actors, we’ve been able to get a glimpse at what a successful attack looks like.

The rest of the attack is similar to most other payment fraud BEC attacks. After a recipient responds to the group’s initial email, the attacker provides the details for a bank account where the requested payment should be sent. These payments have ranged from €16,000 to €42,000 (approximately $17,000 to $45,000).

Nearly all of the mule accounts we’ve collected linked to Midnight Hedgehog have been located in the United Kingdom, which supports the evidence that the group has a physical presence there. We’ve also seen the group use mule accounts located at banks in Portugal, Germany, France, and Italy.

Another group that uses a variety of languages in their attacks is Mandarin Capybara, which also impersonates company executives. However, instead of engaging in payment fraud, Mandarin Capybara targets human resources employees in payroll diversion attacks, asking them to change the executive’s direct deposit details to an account under the group’s control.

The earliest Mandarin Capybara attack we’ve observed dates back to February 2021. The group has consistently used Gmail accounts to send their attacks, updating the display name in each email to spoof the name of the executive that’s being impersonated.

Unlike Midnight Hedgehog, which we’ve only seen target companies in Europe with non-English messages, Mandarin Capybara has attacked companies around the world. We’ve observed the group target American and Australian companies in English, Canadian organizations in French, and European companies in eight languages: Dutch, French, German, Italian, Polish, Portuguese, Spanish, and Swedish.

Mandarin Capybara’s initial emails are similar to many other payroll diversion templates we see every day, with the attacker inquiring if they can update their payroll account to go into effect before the next payday. We’ve observed multiple instances where the group has launched a BEC campaign in one language, then initiated a second campaign from the same email account in a second language, targeting a different organization.

The intelligence we’ve gathered in our active defense engagements with Mandarin Capybara shows that, while the group commonly uses mule accounts in other countries, the types of accounts are similar to mule accounts used in payroll diversion attacks targeting US companies.

Unlike other types of payment fraud BEC attacks, a vast majority of payroll diversion attacks use non-traditional fintech accounts to receive fraudulent funds.

In the United States, the most common banks used by payroll diversion actors are Green Dot, GoBank, Sutton Bank, and MetaBank, which are all linked to either prepaid cards or mobile payment services like CashApp. Similarly, Mandarin Capybara has set up mule accounts at European fintech institutions like Revoilut, Saurus, Monese, Bunq, and SisalPay to receive funds from their payroll diversion attacks.

As email marketing and translation tools become more accurate, effective, and accessible, we will continue to see hackers exploiting them to scam companies with increasing success. Not only that, because these emails sound legitimate and rely on behavioral manipulation instead of malware-infected files, Midnight Hedgehog, Mandarin Capybara, and other similar BEC groups will be able to easily bypass legacy security systems and spam filters.

So what can be done? It’s important to put procedures in place to verify outgoing payments and payroll updates and keep your workforce vigilant with security awareness training. But the best way to prevent your employees from falling for these attacks is simply to ensure that they never receive them in the first place.

To do so, it is essential to implement behavioral-based security that uses machine learning and AI to understand identity and behavior. Solutions that baseline normal behavior can provide the context needed to determine when anomalous behavior is occurring—no matter in which language the attack is sent.

Discover how Abnormal helps protect organizations from BEC attacks and other emerging threats. Schedule a demo today.

Appendix A: Email Addresses Associated with Previous Midnight Hedgehog BEC Campaigns

Appendix B: Email Addresses Associated with Previous Mandarin Capybara BEC Campaigns