Researchers at PhishLabs say retail organizations are being targeted by a scam that banks on the companies owing money.
According to PhishLabs, the attackers send emails to executives that masquerade as a message from another company. The email is disguised to look like a message from an actual reseller or distributor with a previous relationship with the organization. The message calls for the target to pay any new or outstanding invoices via wire transfer to a new bank account, and includes a PDF document containing the account number and transfer instructions.
"We’ve seen many organizations targeted, including large or mid-sized retail companies," said Don Jackson, director of threat intelligence at PhishLabs. "The attackers appear to be selecting targets based on who they think will have a high volume of invoicing activity with suppliers/resellers/distributors."
The PDF does not contain any malware or exploits; instead it is just another prop in a social engineering trick, Jackson explained.
"The attack relies on the target accepting the pretext – which is why the attackers are going through significant effort to build a convincing pretext that has a good chance of fooling a busy executive," he said.
Interestingly, the body of the email usually includes a fake "original message" designed to make it appear that someone in the same organization as the person being targeted has already been contacted and given their approval. In the faked message, the scammers use the impersonated sender's actual domain name, and the message is back-dated, giving the appearance the conversation is several days old.
It is clear the attackers are researching their targets, and according to Jackson, they may be leveraging professional networking sites to do so. What is unknown however is what additional resources they may be using, he added.
"Sometimes they don’t request a specific dollar amount, relying on the fact that the target organization likely has multiple large dollar invoices from the spoofed supplier that are pending payment," Jackson said. "They’ll just request that all the invoice payments be paid up via wire transfer to the attacker’s account."
"When we have seen a specific dollar value requested, it has ranged between $90K (90,000) and $500K (500,000)," he added. "The amount requested appears to correlate with the size of the target company and how much business they do with third party suppliers, distributors, and other vendors. It is unclear if they are basing these amounts on hard data they’ve obtained, or if they are just making a best guess of the max amount they can safely request without raising eyebrows at the target company."
Helpful Webroot Links: