Abnormal Attack Stories: Vendor Impersonation Fraud

In this attack, the attacker is impersonating a known vendor in order to receive payment for a fraudulent invoice.

Quick Summary

• Platform: Office 365
• Mailboxes: 15,000 to 50,000
• Email Gateway: Proofpoint
• Victims: Employees
• Payload: Malicious Link
• Technique: Impersonation

What was the Attack?

• Setup: This organization communicates often with a vendor. Recently, an employee from the accounting department received a message from what appeared to be this known vendor. In this message, they were notified them of an overdue invoice. In fact, the attacker had registered a domain similar to that of the real vendor, but changed the name slightly (for example, the real vendor might have been at acmehomes.com, but the attacker registered acmehome.com, omitting the “s”).
• Email Attack: The attacker sent an email impersonating the Assistant Controller / HR Administrator from this known vendor claiming there is an unpaid invoice which must be paid to an updated bank account. The attacker alleges that their financial institution has changed as a result of the current pandemic. The suspicious sender then states they will send over the updated bank information once the recipient replies.
• Result: Should the recipient have fallen victim to this attack and made payment, the organization would have had a significant financial loss and potentially opened themselves up to more fraudulent exchanges in the future from the same attacker. Additionally, as corporations are already feeling the economic impact caused by the current pandemic, falling victim to this attack would give another financial blow to this company.

Why is this attack effective?

• COVID-19: This attack leverages the COVID-19 pandemic as an excuse for the fraudulent payment update. The attacker injects urgency into the message by claiming there is an issue of a late unpaid invoice. Especially as companies are hard-hit by the current economic effects of the virus, corporations are hyper aware of their financial obligations.
• Targeted Impersonation and Recipients: The attack impersonates a high level accounting employee, who asks the recipient for payment for late invoices via a new payment method that they allege was set up due to COVID-19. This attack targets payroll and accounting employees who expect legitimate invoices and are less likely to scrutinize the sender information and attached invoices.
• Vendor Impersonation: The attacker’s email came from a domain that looked like the domain of the real company. The email domain the message was sent from was recently registered by the attackers with a slight difference (an omitted “s” at the end of the company name). Further, the registrant information was not consistent with the real vendor, though anyone receiving the email would have had to spend a good deal of time digging into this information to discover it.
• Convincing Invoice: The invoice attached to the email looked like a real invoice from the legitimate vendor, including their logo, their real address, and other real information.