Hybrid Executive and Vendor Impersonation Attack Uses Fake Email Chain and Fake Invoices
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
For the seventh year in a row, the FBI IC3 Internet Crime Report singled out business email compromise (BEC) as the cause of the most financial loss, costing organizations nearly $2.4 billion in 2021. As we approach a decade of battling this attack, many are reflecting on the fraud landscape and how it compares to its early days, particularly as we see a shift in threat actor tactics.
Far from the urgent CEO requests that preyed on many early victims, an increasingly popular scam over the last few years has been vendor impersonations that lead to financial supply chain compromise. The most recent attack uncovered by Abnormal is no different. What makes it unique is the methodology, particularly the number of different impersonated parties used.
Not only does it use two methods—vendor impersonation and executive impersonation—to run the scam, but the actors also exploited the identities of several real individuals linked to their targets.
Low-Profile Invoice Fraud Campaign
On March 14, 2022, we identified one of the most recent incidents in a combined executive and vendor impersonation attack that first became active in June 2021.
Since then, we’ve collected more than 20 additional email campaigns wherein the actor attempts to solicit payment for a supposedly overdue invoice in the amount of $78,010.00. Attached to the email is a PDF of the fake invoice, which includes bank account information for payment.
In these attacks, the threat actors impersonate both a company executive and a vendor, creating a fake email chain with four actual identities (two real people and two real businesses) to make the request appear more credible. By impersonating a company executive and “forwarding” the message from the vendor, the actors create a fairly convincing cover for themselves.
To impersonate the businesses, the actors used two different methods:
Registering a spoofed domain using a misspelled version of the vendor name.
Compromising the mailbox of another business to use as the company executive.
Breaking Down Combined Executive and Vendor Impersonation
The first component of the attack is the message from the impersonated executive to the target. In this email, the executive (highlighted in red) informs the recipient that the vendor (highlighted in blue) is requesting payment for an overdue invoice and directs the recipient to process the payment that day.
The third identity included in the attack, highlighted in pink, is a separate small business whose compromised mailbox acts as another layer of protection to hide the actor’s identity. The business may have become a target simply because its invoices remain online following past public works projects. The fourth and final identity (highlighted in green) belongs to an individual employee of the vendor.
Although all four identities highlighted above are real, the actor intends for the target to notice only three, using the additional identities to increase the semblance of legitimacy.
The second component of the attack is the “original” message between the executive and the vendor.
The forwarded email is sent from the misspelled spoofed domain evershad-sutharland[.]com, altered from the original by changing “e’s” to other vowels and omitting an “s.” Notice that the recipient field contains a name, but no email address.
The messages from the vendor each contain a complex-looking invoice code in an attempt to make the documents appear more legitimate. Invoices are a favorite financial document used by fraudsters to bolster their authenticity. After all, an invoice is likely the easiest legal document to forge that can result in the largest possible payout.
Finally, we get to the overdue invoice, helpfully provided as a PDF attachment.
Although the current redaction obscures this detail, the name of the financial institution the actor was attempting to use was also misspelled.
Behind the Fake Emails and Fraudulent Invoices
All of the emails attributed to this actor were sent from two addresses: one that appears to be the subject of a single mailbox compromise, and ipad[@]myipadapp[.]com, which was registered on May 2, 2021.
Each of the email “pairs” identified as part of this campaign follows the exact same pattern without variation, changing only the identities of the two impersonated parties and alternating among accounts at three different large financial institutions in the fraudulent invoices provided for payment.
Usually described as payment for legal services, the invoices use various misspellings of the vendor’s lengthy two-word firm name, or name a business described as a subsidiary of the main business. The American branch of this international legal entity is the main vendor identity used by the actor. The spoofed domain targeting the vendor, evershad-sutharland[.]com, was registered using the email address yungog007[@]gmail[.]com.
The email address yungog007[@]gmail[.]com was located in WHOIS information and passive DNS records for six domains. These domains share the same registration information—namely an address in Dakar, Senegal, and the phone number 221709210652.
What Makes This Attack So Effective?
In this case, the fraudsters use the combination of the forwarded past conversation, urgency of the overdue payment, and stress of being tasked by an executive in an attempt to coerce the payment of a fraudulent invoice.
To further strengthen the perception of integrity in their email and facilitate their fraud, the threat actors add elements that make the message appear legitimate, such as the forwarded email chain and attached PDF invoice.
The only emails sent during the campaign came from the likely-compromised executive mailbox and none were sent from the spoofed domains. Because of this, a security solution that focuses on the email headers alone may not detect the subtle attack information in the email body.
After all, the email appears to come from a trusted individual and contains a benign PDF attachment. Only the misspelled vendor name in the spoofed domain sticks out; the rest appears pretty convincing.
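The two details above (a vendor domain altered by swapping vowels and dropping a letter, and a forwarded chain whose spoofed address lives only in the message body, not in the outer headers) are both things a defender can check programmatically. The following is an added example, not code from Abnormal or from this post. It pulls every address out of the body, including the quoted From:/To: lines of a forwarded chain, and compares each domain against a trusted-vendor allowlist using an edit distance computed after masking vowels, so that a->e style substitutions cost nothing. The allowlist is constructed, and the entry eversheds-sutherland.com is an assumption about the legitimate vendor domain, which the post only describes indirectly; the sample body and its invoice code are also constructed.

```python
import re
from typing import Optional

# Constructed allowlist of domains the organisation already trusts.
# ASSUMPTION: eversheds-sutherland.com is taken to be the legitimate vendor
# domain; the post only describes how the spoof was derived from it.
KNOWN_DOMAINS = {"eversheds-sutherland.com", "example-corp.com"}

VOWEL_RE = re.compile(r"[aeiou]")
# Matches addresses in live or defanged form (user@host[.]tld); group 1 = domain.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\[?\.\]?[\w-]+)+)")
# From:/To: lines of a quoted forwarded chain inside the body.
HEADER_LINE_RE = re.compile(r"^\s*(From|To):\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def refang(domain: str) -> str:
    """Turn a defanged value like evershad-sutharland[.]com back into a real one."""
    return domain.lower().replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """'evershad-sutharland.com' -> 'evershad-sutharland' (no public-suffix handling)."""
    return domain.split(".")[0]


def lookalike_of(domain: str, known=KNOWN_DOMAINS) -> Optional[dict]:
    """Return the trusted domain this one imitates, or None if exact or unrelated.

    Two distances are computed: the raw edit distance and the distance after
    masking vowels, so vowel swaps are free and only omissions/insertions count."""
    domain = refang(domain)
    if domain in known:
        return None
    cand = second_level(domain)
    best = None
    for k in known:
        kl = second_level(k)
        raw = levenshtein(cand, kl)
        masked = levenshtein(VOWEL_RE.sub("*", cand), VOWEL_RE.sub("*", kl))
        # Allow roughly one non-vowel edit per 7 characters, capped at 3.
        budget = min(3, max(1, len(kl) // 7))
        if masked <= budget and (best is None or masked < best["masked_distance"]):
            best = {"imitates": k, "raw_distance": raw, "masked_distance": masked}
    return best


def scan_message(body: str, known=KNOWN_DOMAINS) -> list:
    """Flag every address in the body whose domain imitates a trusted one."""
    findings = []
    for m in ADDR_RE.finditer(body):
        hit = lookalike_of(m.group(1), known)
        if hit:
            findings.append({"address": refang(m.group(0)), **hit})
    return findings


def quoted_headers_without_address(body: str) -> list:
    """Quoted From:/To: lines that carry a display name but no address, as in
    the forwarded chain described in the post."""
    return [(h, v.strip()) for h, v in HEADER_LINE_RE.findall(body) if "@" not in v]


# Constructed sample of the forwarded-chain pattern (invoice code is made up).
SAMPLE_BODY = """Please process this today, they say it is overdue.

---------- Forwarded message ----------
From: Accounts Receivable <billing@evershad-sutharland[.]com>
To: Jane Doe
Subject: Overdue invoice INV-EXAMPLE-0001

Attached is the invoice for legal services in the amount of $78,010.00.
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_BODY))
    print(quoted_headers_without_address(SAMPLE_BODY))
```

The outer sender of such a message is a genuinely compromised mailbox, so the outer headers pass every check; the only lookalike evidence is the quoted chain, which is why the scan runs over the body text rather than the envelope.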
Keeping Your Company Safe From Invoice and Payment Fraud
Payment diversion email attacks in general can be remarkably difficult for the average employee to detect. And when it comes to an invoice fraud attack as subtle as the one above, the probability of the threat actor's success increases considerably.
Unfortunately, a traditional secure email gateway (SEG) is unlikely to stop an attack with this level of sophistication, as there are no traditional indicators of compromise to uncover. In contrast, Abnormal detected this attack due to the combination of unusual email usage by a VIP, a financial request detected in the email body, and PDFs being an uncommon attachment type for the two sending domains.
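The three signals named above (a VIP behaving out of baseline, a financial request in the body, and an attachment type that is rare for the sending domain) can be combined into a simple behavioural score. The following is an added example written for this post, not Abnormal's detection logic or any product code. The VIP list, prior-contact graph and attachment history are constructed stand-ins for what would normally be derived from mail logs, and the thresholds are arbitrary choices for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: List[str] = field(default_factory=list)


# Constructed baselines (in practice built from months of mail-flow history).
VIPS = {"ceo@example-corp.com"}
PRIOR_CONTACTS = {"ceo@example-corp.com": {"cfo@example-corp.com"}}
ATTACHMENT_HISTORY = {"example-corp.com": {"docx": 120, "xlsx": 40, "pdf": 1}}

FINANCIAL_RE = re.compile(
    r"\b(invoice|overdue|wire|payment|remit|bank account|routing)\b", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
URGENCY_RE = re.compile(r"\b(today|asap|immediately|urgent|end of day)\b", re.IGNORECASE)

RARE_ATTACHMENT_SHARE = 0.05  # arbitrary: under 5% of the domain's history
HOLD_THRESHOLD = 4            # arbitrary: combined score that triggers a hold


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []

    # Signal 1: a VIP writing to someone they have never emailed before.
    if msg.sender in VIPS and msg.recipient not in PRIOR_CONTACTS.get(msg.sender, set()):
        score += 2
        reasons.append("VIP writing to a recipient they have never emailed")

    # Signal 2: payment language together with a concrete dollar amount.
    if FINANCIAL_RE.search(msg.body) and AMOUNT_RE.search(msg.body):
        score += 2
        reasons.append("financial request with a dollar amount in body")

    # Signal 2b: same-day pressure, the lever this campaign leans on.
    if URGENCY_RE.search(msg.body):
        score += 1
        reasons.append("urgency language in body")

    # Signal 3: attachment type that is rare for the sending domain.
    domain = msg.sender.split("@")[-1]
    hist = ATTACHMENT_HISTORY.get(domain, {})
    total = sum(hist.values())
    for att in msg.attachments:
        ext = att.rsplit(".", 1)[-1].lower()
        share = hist.get(ext, 0) / total if total else 0.0
        if share < RARE_ATTACHMENT_SHARE:
            score += 1
            reasons.append(f".{ext} attachments are rare for {domain} ({share:.1%} of history)")
    return score, reasons


def verdict(msg: Message) -> str:
    """Policy decision derived from the score."""
    score, _ = score_message(msg)
    return "hold for review" if score >= HOLD_THRESHOLD else "deliver"


# Constructed messages: one shaped like the campaign, one ordinary.
ATTACK_MESSAGE = Message(
    sender="ceo@example-corp.com",
    recipient="ap-clerk@example-corp.com",
    body="Please process payment for the overdue invoice today. Amount due is $78,010.00. See attached.",
    attachments=["invoice.pdf"],
)
BENIGN_MESSAGE = Message(
    sender="ceo@example-corp.com",
    recipient="cfo@example-corp.com",
    body="Let's sync on the board deck before Thursday.",
    attachments=["deck.docx"],
)

if __name__ == "__main__":
    for m in (ATTACK_MESSAGE, BENIGN_MESSAGE):
        print(verdict(m), score_message(m))
```

None of the individual signals is conclusive on its own; an executive does occasionally send a PDF or mention an invoice. The point of scoring them together is that the campaign above trips all three at once, while a legitimate message from the same compromised mailbox rarely does.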
Indicators of Compromise (IOCs)