chat
expand_more

Hybrid Executive and Vendor Impersonation Attack Uses Fake Email Chain and Fake Invoices

See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
May 19, 2022

For the seventh year in a row, the FBI IC3 Internet Crime Report singled out business email compromise (BEC) as the cause of the most financial loss, costing organizations nearly $2.4 billion in 2021. As we approach a decade of battling this attack, many are reflecting on the fraud landscape and how it compares to its early days, particularly as we see a shift in threat actor tactics.

Far from the urgent CEO requests that preyed on many early victims, an increasingly popular scam over the last few years has been vendor impersonations that lead to financial supply chain compromise. The most recent attack uncovered by Abnormal is no different. What makes it unique is the methodology, particularly the number of different impersonated parties used.

Not only does it use two methods—vendor impersonation and executive impersonation—to run the scam, but the actors also exploited the identities of several real individuals linked to their targets.

Low-Profile Invoice Fraud Campaign

On March 14, 2022, we identified one of the most recent incidents in a combined executive and vendor impersonation attack that first became active in June 2021.

Since then, we’ve collected more than 20 additional email campaigns wherein the actor attempts to solicit payment for a supposedly overdue invoice in the amount of $78,010.00. Attached to the email is a PDF of the fake invoice, which includes bank account information for payment.

In these attacks, the threat actors impersonate both a company executive and a vendor, creating a fake email chain with four actual identities (two real people and two real businesses) to make the request appear more credible. By impersonating a company executive and “forwarding” the message from the vendor, the actors create a fairly convincing cover for themselves.

To impersonate the businesses, the actors used two different methods:

  1. Registering a spoofed domain using a misspelled version of the vendor name.

  2. Compromising the mailbox of another business to use as the company executive.

Breaking Down Combined Executive and Vendor Impersonation

The first component of the attack is the message from the impersonated executive to the target. In this email, the executive (highlighted in red) informs the recipient that the vendor (highlighted in blue) is requesting payment for an overdue invoice and directs the recipient to process the payment that day.

Hybrid Impersonation Forwarded Fraud

Message from executive referencing overdue invoice (impersonated parties color-coded)

Highlighted in pink is the third false identity included in the attack and is a separate small business, whose compromised email acts as another layer of protection to hide the actor’s identity. The business may have become a target due to the simple fact that its invoices remain online following past public works projects. The fourth and final identity (highlighted in green) belongs to an individual employee of the vendor.

Although all four identities highlighted above are real, the actor intends for the target to notice only three, using the additional identities to increase the semblance of legitimacy.

The second component of the attack is the “original” message between the executive and the vendor.

Hybrid Impersonation Fake Original Email

“Original” message between two impersonated parties agreeing to pay the invoice

The forwarded email is sent from the misspelled spoofed domain evershad-sutharland[.]com, altered from the original by changing “e’s” to other vowels and omitting an “s.” Notice that the recipient field contains a name, but no email address.

The messages from the vendor each contain a complex-looking invoice code in an attempt to make the documents appear more legitimate. Invoices are a favorite financial document used by fraudsters to bolster their authenticity. After all, an invoice is likely the easiest legal document to forge that can result in the largest possible payout.

Finally, we get to the overdue invoice, helpfully provided as a PDF attachment.

Hybrid Impersonation Invoice

Impersonated vendor invoice requesting payment to specific bank account

Although the current redaction obscures this detail, the name of the financial institution the actor was attempting to use was also misspelled.

Behind the Fake Emails and Fraudulent Invoices

All of the emails found to be to this actor were sent from two addresses: one that appears to be the subject of a single email box compromise and ipad[@]myipadapp[.]com, which was registered on May 2, 2021.

Each of the email “pairs” identified as part of this campaign follow the exact same pattern without variation, changing the identities of both impersonated parties and providing accounts alternatively at three different large financial institutions in the fraudulent invoices provided for payment.

Usually detailed as payment for legal services, the invoices use various misspellings of the vendor’s lengthy two-word firm name or a business described as a subsidiary of the main business. The legal entity’s American branch of the international business specifically is the main vendor identity used by the actor. The spoofed domain targeting the vendor, evershad-sutharland[.]com, was registered using the email address yungog007[@]gmail[.]com

The email address yungog007[@]gmail[.]com was located in WHOIS information and passive DNS records for six domains. These domains share the same registration information—namely an address in Dakar, Senegal, and the phone number 221709210652.

What Makes This Attack So Effective?

In this case, the fraudsters use the combination of the forwarded past conversation, urgency of the overdue payment, and stress of being tasked by an executive in an attempt to coerce the payment of a fraudulent invoice.

To further strengthen the perception of integrity in their email and facilitate their fraud, the threat actors add elements that make the message appear legitimate, such as the forwarded email chain and attached PDF invoice.

The only emails sent during the campaign came from the likely-compromised executive mailbox and none were sent from the spoofed domains. Because of this, a security solution that focuses on the email headers alone may not detect the subtle attack information in the email body.

After all, the email appears to come from a trusted individual and contains a benign PDF attachment. Only the misspelled vendor name in the spoofed domain sticks out; the rest appears pretty convincing.

Keeping Your Company Safe From Invoice and Payment Fraud

Payment diversion email attacks in general can be remarkably difficult for the average employee to detect. And when it comes to an invoice fraud attack as subtle as the one above, the probability of the threat actor's success increases considerably.

Unfortunately, a traditional secure email gateway (SEG) is unlikely to stop an attack with this level of sophistication, as there are no traditional indicators of compromise to uncover. In contrast, Abnormal detected this attack due to the combination of usual email usage by a VIP, a financial request detected in the email body, and PDFs being an uncommon attachment type for the two sending domains.

Indicators of Compromise (IOCs)

ipad[@]myipadapp[.]com

email

yungog007[@]gmail[.]com

email

myipadapp[.]com

domain

ciccarelli[.]com

domain

evershad-sutherland[.]com

domain

evershad-sutharland[.]com

domain

jaidahholdings[.]us

domain

metal-c0pper[.]com

domain

neon-orlent[.]com

domain

Hybrid Executive and Vendor Impersonation Attack Uses Fake Email Chain and Fake Invoices

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B Most Interesting Attacks Q1 2024
Take a look at five of the most unique and sophisticated email attacks recently detected and stopped by Abnormal.
Read More
B MKT499 Images for Customer Blog Series
Discover key industry trends and insights from cybersecurity leader Michael Marassa, CTO of New Trier Township High School District 203.
Read More
B Construction Professional Services QR Code Attacks
Abnormal data shows construction firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.
Read More
B 1500x1500 Evolving Abnormal R2
From the beginning, we created Abnormal Security to be a generational company that protects people from cybercrime. Here’s how we’re doing it.
Read More
Blog Cover 1500x1500 Images for SOC Time Blog
Discover the critical tasks that occupy SOC analysts’ schedules beyond mere inbox management, and discover insights into optimizing efficiency in cybersecurity operations.
Read More
B 1500x1500 MKT494 Top Women in Cybersecurity
In honor of Women's History Month, we're spotlighting 10 women leaders who are making invaluable contributions to cybersecurity.
Read More