Report: New BEC Scam is Targeting Execs Using Phishing Schemes on Office 365 Accounts

IRVING, Texas–Credit unions and their IT teams will want to be on alert: a series of ongoing business email compromise (BEC) campaigns that use spear-phishing schemes on Office 365 accounts has been seen targeting business executives of more than 1,000 companies since March 2020.

The recent campaigns target senior positions in the United States and Canada, according to Trend Micro’s Security Intelligence blog.

The fraudsters, whom the company has named “Water Nue,” primarily target accounts of financial executives to obtain credentials for further financial fraud, Trend Micro reported. The phishing emails redirect users to fake Office 365 login pages. Once the credentials are obtained and accounts are successfully compromised, emails containing invoice documents with tampered banking information are sent to subordinates in an attempt to siphon money through fund transfer requests, Trend Micro said.

According to its analysis, the “threat actor behind this campaign is interesting for several reasons. It appears that their technical capabilities are limited despite being able to successfully target high-level employees globally. While their phishing tools are basic (i.e., no backdoors, trojans, and other malware), they made use of public cloud services to conduct their operations,” Trend Micro reported on its blog. “The use of cloud services allowed them to obfuscate their operations by hosting infrastructures in the services themselves, making their activities tougher to spot for forensics. This tactic has become more commonplace among cybercriminals.”

‘High Corporate Positions’

Trend Micro said it first noticed the campaign from a large group of email domains used in phishing attempts.

“We found that most of the recipients hold high corporate positions, particularly in the finance department,” the blog states. “In one of the first cases we encountered, the senior financial officer of a bank located in Africa purportedly sent a PDF invoice to a colleague, specifying a bank account in Hong Kong. The email was sent from an IP address recorded on one of the phishing sites that the attacker tested its functionality on. The campaign is ongoing, with the threat actor switching to new infrastructures when used domain names get reported or blacklisted in systems.”

Trend Micro said the attackers use cloud-based email distribution services such as SendGrid to deliver emails with a clickable link that redirects targets to a fake Office 365 page, and noted that when the target user attempts to log in, credentials are recorded through a simple PHP script.

Techniques Not New, But…

“While the techniques aren’t new, the attack attempts appear to be successful, collecting over 800 credentials from company executives at the time of writing,” Trend Micro reported.

Trend Micro further found that “Swiftme” appears in the phishing email headers and is accompanied by account names with forged company email domains. The displayed “from” header and subject line also pose as a voicemail service. “Swiftme” is possibly a nod to electronic or wire transfers and reveals the campaign’s purpose after harvesting credentials, Trend Micro said.


Copyright Holder: CUToday.info
Copyright Year: 2026