Employee Bonus Spoof Attack - Abnormal Security

Employee Bonus Spoof Attack

In this attack, an internal account was spoofed and used to send a link leading to malware disguised as an employee bonus.

Quick Summary

Number of Mailboxes: 500-1000
Email Security: Message Labs
Victims: Employees
Payload: Malware
Technique: Spoofed Impersonation

What was the attack?

Setup: As we reach the end of the year, many companies are kicking off their bonus processes. Employees receiving notifications of bonuses are likely eager to do whatever they need to in order to receive them, making the recipients of messages like this vulnerable to attacks.

Email Attack: This message spoofs the email domain of the recipient’s company. It mimics an internal notification, with a brief message body claiming that the recipient must verify the information in a “receipt” in order to claim a $1,500 bonus. The email contains a Google Doc link with an embedded attachment download that contains malware.

Payload: This is a very typical technique used in many attacks for credential theft.

Result: Should recipients fall victim to this attack, their work or personal devices would be infected with malware. This gives attackers an opportunity to hijack their victims' devices and retrieve any compromising information for personal or monetary gain.

Why is this attack effective?

Spoofed Sender: The attacker spoofs an internal account of the organization. Employees are more likely to engage with emails that appear to have come from within the organization.

Urgency: The attacker gives the recipient an end-of-day deadline to confirm their information. This prompts the recipient to take action in order to receive the bonus.

This attack type has the potential to grow and affect businesses of all industries. We have seen a few similar attacks under the pretense of a bonus for one client, but we have seen many different attacks that spoof and impersonate an internal account.
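A gateway-side check for the signals described above (an internal From domain that does not pass DMARC, a Google Doc link, and bonus or deadline wording), given as an added example that is not part of the original write-up. The domain `example.com`, the `mx.example.com` authserv-id, the host list and the signal names are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"       # assumption: the organization's mail domain
TRUSTED_AUTHSERV = "mx.example.com"   # assumption: authserv-id our own gateway stamps
DOC_HOSTS = {"docs.google.com", "drive.google.com"}  # assumed hosts for a Google Doc link
LURE_TERMS = ("bonus", "end of day")  # lure and deadline wording from the write-up

def trusted_auth(msg):
    """spf/dkim/dmarc verdicts, skipping headers our gateway did not write."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        if authserv_id.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # a sender can prepend a forged "dmarc=pass" header
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def body_text(msg):
    """Decoded text of every text/* part (single-part or multipart)."""
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")

def assess(raw):
    """Return the sorted signals found in one inbound message."""
    msg = message_from_string(raw)
    signals = set()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain == INTERNAL_DOMAIN and trusted_auth(msg).get("dmarc") != "pass":
        signals.add("internal-from-without-dmarc-pass")
    text = body_text(msg)
    if {h.lower() for h in re.findall(r"https?://([^/\s<>]+)", text)} & DOC_HOSTS:
        signals.add("google-doc-link")
    if any(term in text.lower() for term in LURE_TERMS):
        signals.add("bonus-deadline-lure")
    return sorted(signals)

# Constructed sample message, not taken from the incident.
SAMPLE = """\
Authentication-Results: forged.invalid; dmarc=pass
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
From: HR Team <hr@example.com>

Verify your receipt by end of day to claim your bonus: https://docs.google.com/document/d/PLACEHOLDER
"""
```

Run it only on mail arriving from outside: genuinely internal messages that never pass the gateway carry no trusted header and would be flagged.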
