In a variation of the standard gift card scam, attackers in this scenario use the element of surprise and ownership to encourage a response to the attack. To succeed, the attacker first sets up a personal Gmail address and the display name is changed to one associated with an executive inside the organization. Using LinkedIn or a similar service, the attacker determines who within the organization would be most likely to reply to the email, and then sends the attack, hoping that the target will see an opportunity to do good for the employees and respond with ideas. From there, the attacker is likely to encourage them to buy gift cards and send the codes directly to him. 

Status Bar Dots
62bf4df17204d042850d7522 1949929297

Why It Bypassed Traditional Security

Attackers often use Gmail to run their scams because there is no bad domain reputation to fight, and organizations simply cannot add Gmail to a global blocklist to prevent delivery. In addition, because there are no links and no attachments, there is little for a traditional solution to uncover about the malicious nature of the message. 

Detecting the Attack

Content analysis is required to detect the presence of appreciation-based requests, which can indicate when an email should undergo additional scrutiny. Once that has been flagged, integration with the Microsoft API allows an email security solution to use ActiveDirectory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

Risk to Organization

While the full extent of this attack is unknown, it’s likely that should the target reply, she’d be asked to buy gift cards for the staff appreciation event. Depending on her willingness to comply, this can cost the organization thousands or even tens of thousands of dollars. 

Analysis Overview

Vector

Text-based

Goal

Gift Card Request

Tactic

Free Webmail Account
Spoofed Display Name

Theme

Employee Incentive

Impersonated Party

Employee - Executive