Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • IBM has uncovered a sophisticated business email compromise phishing campaign that largely used social engineering techniques to steal millions from companies.
  • Social engineering is a common technique in phishing attacks, and as criminals realize it can be done online with little to no tech expertise it’s likely to become more widespread. Make sure users are trained to recognize social engineering attacks and take security measures to eliminate potential ingress points for con artists.

Security researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) have discovered an incredibly sophisticated phishing campaign that has managed to make off with millions of dollars from companies around the world.

The phishing campaign appears (based on IP addresses) to be based in Nigeria and has been using a technique known as business email compromise (BEC) to accomplish the bulk of its work.

What’s even more frightening about this BEC campaign is that it hasn’t involved any malware or hacker intrusions into networks: just social engineering, phishing, fake login pages, and shell corporations to receive stolen money.

A BEC campaign like all others

At first glance there’s nothing unique about this BEC campaign to set it apart from other phishing attacks on businesses. Using previously compromised business email addresses, attackers sent fake attachments to others inside the business in the hopes that they’d click on them.

In this case there was no malware or malicious code in the attachment: It was simply a link to a fake DocuSign login page that was used to harvest credentials, of which over 100 were found in the course of IBM’s research.

The large amount of spoofed DocuSign login portals led IBM to conclude that the group (or groups) involved in the campaign consist of multiple people engaged in widespread phishing campaigns.

In short, this is a huge phishing campaign that’s active around the globe. It’s also not discriminating against targets: IBM has found targets in retail, healthcare, financial and professional services, and the Fortune 500, which crosses into a variety of other industries.

Harvesting credentials is just scratching the surface of this phishing campaign–it’s after the attackers have gained access to corporate accounts that the really impressive work begins.

Deviously sophisticated social engineering

The attackers in this BEC campaign have very specific targets: accounts payable. The ultimate goal is to get victims to simply send money to a business bank account, which IBM found were commonly linked to shell corporations located in Hong Kong or China.

In order to get from intrusion to payout, the attackers used some intensely sophisticated social engineering.

Attackers would use the knowledge they gained about their target company to find out who major vendors were, who was in charge of approving major changes, and what documents they may need to spoof to fake approvals.

When internal communication was appropriate, attackers would send emails directly from compromised accounts, creating filters to hide their activity from the legitimate account user, whose access they left otherwise undisturbed.

For cases when communication with external entities, like a vendor, was necessary the attackers would create a domain with a similar name and send correspondence from there.

This got so sophisticated that In one case “attackers registered a new domain to send fake approval messages impersonating different levels of the supervisory chain, including copying email signatures of the relevant business executives.”

The ultimate objective was to fool accounts payable into believing that the vendor had changed its bank account information to that of the attacker-owned shell company. Once the changes were made the attackers just had to let cash roll in.

How to cyber attack, no coding necessary

With the exception of the know-how of configuring spoof domains and DocuSign portals and setting up email filters, these BEC attacks were done largely hack-free. The attackers are just as likely to be con artists adapting to the internet age as they are to be actual skilled hackers, and that’s what makes this attack so dangerous.

SEE: Incident response policy (Tech Pro Research)

It’s easy to think that phishing campaigns only fool other people or that they’re transparently easy to spot due to poor grammar, but this proves that simply isn’t the case. What it boils down to is that computers are tough things to fool, and people aren’t, a fact that is likely to drive more offline criminals to take to the web to find victims through old-fashioned fraud.

That doesn’t mean you can’t protect against sophisticated phishing attacks that use a lot of social engineering to achieve their objective. IBM recommends several strategies for minimizing risks:

  • Use two-factor authentication. The initial network compromise that led to these attacks was due to stolen passwords. With 2FA an attacker will be stuck without the verification code they need to break in.
  • Flag outside emails. Fake approvals from higher ups that were an integral part of this process didn’t come from inside the target company: They were spoofed using an outside server. Corporate email solutions can flag emails that come from outsider servers–if you have that option enable it.
  • Educate users. All users should know how to recognize the hallmarks of a social engineering attack, and that goes double for finance employees. Train your accounting team to recognize BEC wire scam indicators, especially how to recognize overseas bank accounts.
  • Verify with vendors. Don’t take an email as proof that a vendor has changed their bank account. Call them to verify that everything is legitimate.

Also see