
Hybrid Executive and Vendor Impersonation Attack Uses Fake Email Chain and Fake Invoices

See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.

May 19, 2022

For the seventh year in a row, the FBI IC3 Internet Crime Report singled out business email compromise (BEC) as the cause of the most financial loss, costing organizations nearly $2.4 billion in 2021. As we approach a decade of battling this attack, many are reflecting on the fraud landscape and how it compares to its early days, particularly as we see a shift in threat actor tactics.

Far from the urgent CEO requests that preyed on many early victims, an increasingly popular scam over the last few years has been vendor impersonations that lead to financial supply chain compromise. The most recent attack uncovered by Abnormal is no different. What makes it unique is the methodology, particularly the number of different impersonated parties used.

Not only does it use two methods—vendor impersonation and executive impersonation—to run the scam, but the actors also exploited the identities of several real individuals linked to their targets.

Low-Profile Invoice Fraud Campaign

On March 14, 2022, we identified one of the most recent incidents in a combined executive and vendor impersonation campaign that first became active in June 2021.

Since then, we’ve collected more than 20 additional email campaigns wherein the actor attempts to solicit payment for a supposedly overdue invoice in the amount of $78,010.00. Attached to the email is a PDF of the fake invoice, which includes bank account information for payment.

In these attacks, the threat actors impersonate both a company executive and a vendor, creating a fake email chain with four actual identities (two real people and two real businesses) to make the request appear more credible. By impersonating a company executive and “forwarding” the message from the vendor, the actors create a fairly convincing cover for themselves.

To impersonate the businesses, the actors used two different methods:

  1. Registering a spoofed domain using a misspelled version of the vendor name.

  2. Compromising the mailbox of another business to use as the company executive.

Breaking Down Combined Executive and Vendor Impersonation

The first component of the attack is the message from the impersonated executive to the target. In this email, the executive (highlighted in red) informs the recipient that the vendor (highlighted in blue) is requesting payment for an overdue invoice and directs the recipient to process the payment that day.

[Figure: Message from executive referencing overdue invoice (impersonated parties color-coded)]

Highlighted in pink is the third false identity included in the attack: a separate small business whose compromised email acts as another layer of protection to hide the actor’s identity. The business may have become a target simply because its invoices remain online following past public works projects. The fourth and final identity (highlighted in green) belongs to an individual employee of the vendor.

Although all four identities highlighted above are real, the actor intends for the target to notice only three, using the additional identities to increase the semblance of legitimacy.

The second component of the attack is the “original” message between the executive and the vendor.

[Figure: “Original” message between two impersonated parties agreeing to pay the invoice]

The forwarded email is sent from the misspelled spoofed domain evershad-sutharland[.]com, altered from the original by changing “e’s” to other vowels and omitting an “s.” Notice that the recipient field contains a name, but no email address.

The messages from the vendor each contain a complex-looking invoice code in an attempt to make the documents appear more legitimate. Invoices are a favorite financial document used by fraudsters to bolster their authenticity. After all, an invoice is likely the easiest legal document to forge that can result in the largest possible payout.

Finally, we get to the overdue invoice, helpfully provided as a PDF attachment.

[Figure: Impersonated vendor invoice requesting payment to a specific bank account]

Although the current redaction obscures this detail, the name of the financial institution the actor was attempting to use was also misspelled.

Behind the Fake Emails and Fraudulent Invoices

All of the emails attributed to this actor were sent from two addresses: one that appears to be the subject of a single mailbox compromise, and ipad[@]myipadapp[.]com, whose domain was registered on May 2, 2021.

Each of the email “pairs” identified as part of this campaign follows the exact same pattern. The only things that change are the identities of the two impersonated parties and the payment account in the fraudulent invoice, which alternates among accounts at three different large financial institutions.

Usually described as payment for legal services, the invoices use various misspellings of the vendor’s lengthy two-word firm name, or name a business described as a subsidiary of the main business. Specifically, the American branch of the international legal entity is the main vendor identity used by the actor. The spoofed domain targeting the vendor, evershad-sutharland[.]com, was registered using the email address yungog007[@]gmail[.]com.

The email address yungog007[@]gmail[.]com was located in WHOIS information and passive DNS records for six domains. These domains share the same registration information—namely an address in Dakar, Senegal, and the phone number 221709210652.

What Makes This Attack So Effective?

In this case, the fraudsters use the combination of the forwarded past conversation, urgency of the overdue payment, and stress of being tasked by an executive in an attempt to coerce the payment of a fraudulent invoice.

To further strengthen the perception of integrity in their email and facilitate their fraud, the threat actors add elements that make the message appear legitimate, such as the forwarded email chain and attached PDF invoice.

The only emails sent during the campaign came from the likely-compromised executive mailbox and none were sent from the spoofed domains. Because of this, a security solution that focuses on the email headers alone may not detect the subtle attack information in the email body.

After all, the email appears to come from a trusted individual and contains a benign PDF attachment. Only the misspelled vendor name in the spoofed domain sticks out; the rest appears pretty convincing.

Keeping Your Company Safe From Invoice and Payment Fraud

Payment diversion email attacks in general can be remarkably difficult for the average employee to detect. And when it comes to an invoice fraud attack as subtle as the one above, the probability of the threat actor's success increases considerably.

Unfortunately, a traditional secure email gateway (SEG) is unlikely to stop an attack with this level of sophistication, as there are no traditional indicators of compromise to uncover. In contrast, Abnormal detected this attack due to the combination of unusual email usage by a VIP, a financial request detected in the email body, and PDFs being an uncommon attachment type for the two sending domains.
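The detection logic the post describes is body-aware: the sending header looks clean, so the useful signals are a look-alike of a known vendor domain inside the forwarded chain, payment-request language in the body, and an unexpected PDF attachment. The following script is an added example of that kind of scoring, written for this page; it is not Abnormal’s code or detection model. It assumes a small allow-list of legitimate vendor domains and uses constructed sample messages and domains (northwind-legal.com and its look-alike northwlnd-legal.com are invented), while the $78,010.00 amount is the figure quoted in the post.

```python
"""Body-aware triage of a forwarded vendor-invoice request (added example)."""
import re
from email import message_from_string, policy

# Assumption: the organisation's allow-list of legitimate vendor domains.
# Constructed sample values, not domains from the original post.
KNOWN_VENDOR_DOMAINS = {"northwind-legal.com", "contoso-supply.com"}

# Phrases that typically accompany a payment-diversion request.
PAYMENT_PHRASES = ("overdue invoice", "process the payment", "bank account",
                   "wire transfer", "remit payment")

# Domain part of any e-mail address, whether in headers or in forwarded body text.
EMAIL_DOMAIN_RE = re.compile(r"@([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

# A look-alike domain is the strong signal; the others corroborate it.
WEIGHTS = {"lookalike": 3, "forwarded_chain": 1, "payment_request": 1, "pdf_attachment": 1}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(domains, known=KNOWN_VENDOR_DOMAINS, max_edits=3):
    """Map each domain that is a few edits away from a known vendor domain to that vendor."""
    hits = {}
    for dom in domains:
        if dom in known:
            continue  # exact allow-list match, not a look-alike
        for legit in known:
            if 1 <= edit_distance(dom, legit) <= max_edits:
                hits[dom] = legit
    return hits


def analyze(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the detection signals plus a summed score."""
    msg = message_from_string(raw, policy=policy.default)
    header_domains = set()
    for hdr in ("from", "reply-to", "return-path"):
        header_domains.update(EMAIL_DOMAIN_RE.findall(str(msg.get(hdr, "")).lower()))

    body, attachments = "", []
    for part in msg.walk():
        if part.is_attachment():
            attachments.append((part.get_filename() or "", part.get_content_type()))
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    body_lower = body.lower()
    # Domains that appear only inside the (possibly fabricated) forwarded chain.
    body_domains = set(EMAIL_DOMAIN_RE.findall(body_lower)) - header_domains

    findings = {
        "header_domains": sorted(header_domains),
        "body_domains": sorted(body_domains),
        "lookalike": find_lookalikes(header_domains | body_domains),
        "forwarded_chain": bool(re.search(r"forwarded message|^from:", body_lower, re.M)),
        "payment_request": [p for p in PAYMENT_PHRASES if p in body_lower],
        "pdf_attachment": any(ct == "application/pdf" or name.lower().endswith(".pdf")
                              for name, ct in attachments),
    }
    findings["score"] = sum(w for key, w in WEIGHTS.items() if findings[key])
    return findings


# Constructed message modelled on the pattern in the post: the "executive" forwards
# a chain in which the vendor's address uses a look-alike domain.
SUSPICIOUS_MESSAGE = """\
From: "Dana Morgan" <dana.morgan@partner-firm.example>
To: accounts@target-company.example
Subject: FW: Overdue invoice NWL-2211-0093
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the payment today, this is already overdue.

---------- Forwarded message ----------
From: Lee Tran <lee.tran@northwlnd-legal.com>
Subject: Overdue invoice NWL-2211-0093

Hi Dana, invoice NWL-2211-0093 for $78,010.00 is overdue. Please remit payment
to the bank account on the attached invoice.

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message from the genuine vendor domain: no chain, no attachment.
BENIGN_MESSAGE = """\
From: Lee Tran <lee.tran@northwind-legal.com>
To: accounts@target-company.example
Subject: Q2 engagement letter

Hi, the signed engagement letter is in the client portal as agreed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, analyze(raw))
```

The point of scanning the body rather than only the `From:` header is visible in the output: the header domain of the suspicious message is unremarkable, and the look-alike vendor domain surfaces only because the forwarded chain is parsed. In practice the allow-list would come from the vendor master data in the ERP, and the score would feed a review queue for the accounts-payable team rather than an automatic block.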

Learn how Abnormal stops advanced email attacks in their tracks by requesting a demo.

Indicators of Compromise (IOCs)

Indicator                        Type
ipad[@]myipadapp[.]com           email
yungog007[@]gmail[.]com          email
myipadapp[.]com                  domain
ciccarelli[.]com                 domain
evershad-sutherland[.]com        domain
evershad-sutharland[.]com        domain
jaidahholdings[.]us              domain
metal-c0pper[.]com               domain
neon-orlent[.]com                domain
