RFQ Scam - Abnormal Security

RFQ Scam

In this attack, the attacker disguises malware as a “request for quote” (RFQ) to get recipients to download a malicious file.

Quick Summary of Attack

Platform: G Suite
Mailboxes: 500 – 1,000
Victims: Employees
Payload: Malicious Link
Technique: Impersonation

What was the attack?

This attack impersonates a “request for quote” (RFQ) from a legitimate outside organization. The message originates from the throwaway address “info@req-allparts.com”, while its reply-to address is “glennmauldin@zidnei.com”, so any reply is routed to a different domain than the one the message appears to come from.

The attacker uses urgent language to coax the recipient into clicking the link labeled “Rfq 507890.pdf” without examining it. The label is a lure: clicking the link neither opens a PDF nor takes the recipient to an ordinary web page, but instead triggers a malware download.

The downloaded file is a compressed .GZ archive, which lets it slip past malware detectors that do not inspect archive contents. Inside the archive is a text file containing malicious code, including spyware such as a keylogger. If the recipient allows this code to run, the attacker could record everything the recipient types, or even take complete control of the recipient’s device.

Why might this attack bypass existing email security?

Many email security systems only detect malware that arrives as an uncompressed attachment. Wrapping the malware in a .ZIP or .GZ archive, and delivering it through a link rather than as an attachment, can circumvent those checks. Abnormal Security blocked this attack by recognizing a number of signals that, taken together, marked the email as malicious. Some of these signals are in the message body, such as the suspicious, urgent wording. Others are in the message headers, such as a reply-to address that matches neither the sender address nor any domain linked in the email. Signals like these are much harder for an attacker to hide than the malware itself, because the attack depends on them: replies must reach the attacker’s mailbox, and the victim must be pushed to click.
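The signals described above, as an added example that is not part of the original write-up or of Abnormal Security’s own detection logic: a small Python checker parses a constructed message modelled on this one (the download URL, subject line and body wording are assumptions) and flags the reply-to/sender domain mismatch, link domains that match neither, link text that claims a PDF while the target is not one, and urgency terms. A second function identifies a downloaded blob by its magic bytes rather than by the name it was served under and, for gzip, reads only a bounded amount of the inner file so a decompression bomb cannot exhaust memory. The gzip sample is a harmless constructed stand-in for the archive the write-up describes.

```python
import gzip
import io
import re
from email import message_from_string
from email.utils import parseaddr
from html import unescape
from urllib.parse import urlparse

# Constructed sample modelled on the message the write-up describes. The
# download URL, subject line and body wording are assumptions for this example.
SAMPLE_EML = """\
From: Purchasing <info@req-allparts.com>
Reply-To: glennmauldin@zidnei.com
To: sales@example.com
Subject: URGENT Request for Quote - Rfq 507890
Content-Type: text/html; charset=utf-8

<html><body>
<p>Good day, kindly review the attached RFQ and respond immediately,
quote needed today.</p>
<p><a href="http://files.example-cdn.test/dl/507890">Rfq 507890.pdf</a></p>
</body></html>
"""

# Constructed, harmless stand-in for the .GZ archive served by the link.
SAMPLE_BLOB = gzip.compress(b"# stand-in for the script inside the archive\nprint('hi')\n")

URGENCY_TERMS = ("urgent", "immediately", "today", "asap")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
MAX_INNER_BYTES = 1 << 20  # cap on decompressed data read from an archive


def org_domain(addr_or_host):
    """Last two DNS labels of a mailbox or host name (crude, but enough here)."""
    host = addr_or_host.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def analyze_message(raw):
    """Return the header/body/link signals found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    known = {org_domain(sender), org_domain(reply_to)}
    signals = []

    # Header signal: replies are routed to a different organisation than the sender.
    if reply_to and org_domain(reply_to) != org_domain(sender):
        signals.append("reply-to domain differs from sender domain")

    # Link signals: target hosted elsewhere, and link text claims a PDF it is not.
    for href, text in ANCHOR_RE.findall(body):
        text = unescape(TAG_RE.sub("", text)).strip()
        url = urlparse(href)
        if url.hostname and org_domain(url.hostname) not in known:
            signals.append("link domain matches neither sender nor reply-to")
        if text.lower().endswith(".pdf") and not url.path.lower().endswith(".pdf"):
            signals.append("link text claims a PDF but target path is not a .pdf")

    # Body signal: urgency wording in the subject or the visible text.
    plain = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    hits = [t for t in URGENCY_TERMS if t in plain]
    if hits:
        signals.append("urgent wording: " + ", ".join(hits))

    # No single signal is conclusive; two or more together flag the message.
    return {"signals": signals, "suspicious": len(signals) >= 2}


def classify_download(blob, claimed_name):
    """Identify the real type by magic bytes and compare it with the served name."""
    if blob.startswith(b"%PDF"):
        actual = "pdf"
    elif blob.startswith(b"\x1f\x8b"):
        actual = "gzip"
    else:
        actual = "unknown"
    claimed = claimed_name.rsplit(".", 1)[-1].lower()
    report = {"claimed": claimed, "actual": actual, "mismatch": claimed != actual}
    if actual == "gzip":
        # Bounded read: a decompression bomb cannot force unlimited allocation.
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
            inner = gz.read(MAX_INNER_BYTES + 1)
        report["inner_truncated"] = len(inner) > MAX_INNER_BYTES
        try:
            inner.decode("utf-8")
            report["inner_is_text"] = b"\x00" not in inner
        except UnicodeDecodeError:
            report["inner_is_text"] = False
    return report
```

Run on the constructed sample, `analyze_message` returns four signals and `classify_download` reports a `.pdf` name served with gzip content whose inner file is plain text, which is the combination this write-up describes; the domain comparison is deliberately crude (last two labels) and would need a public-suffix list before production use.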
