Microsoft discovered a large-scale business email compromise (BEC) program that attacked over 120 organizations and used typo-squatted domains that were registered only days before the attacks began. Cybercriminals continue to harass companies in order to deceive recipients into accepting fees, exchanging money, or, in this case, buying gift cards. This kind of email attack is known as business email compromise (BEC), which is a dangerous type of phishing aimed at gaining access to sensitive business data or extorting money via email-based fraud.
In this operation, Microsoft discovered that attackers used typo-squatted domains to make emails appear to come from legitimate senders in the consumer products, process manufacturing, and agriculture, real estate, distinct manufacturing, and professional services industries.
BEC emails are purposefully crafted to look like regular emails as if they were sent from someone the intended client already knows, but these campaigns are much more complicated than they seem. They necessitate planning, staging, and behind-the-scenes activities.
"We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began," the Microsoft 365 Defender Threat Intelligence Team said.
Despite the scammers' best efforts, Microsoft found that "the registered domains did not always comply with the company being impersonated in the email." The attackers' surveillance capabilities are evident when they called the targeted workers by their first names, despite their methodology being faulty at times.
To give authenticity to the phishing emails, scammers used common phishing tactics including bogus responses (improved by also spoofing In-Reply-To and References headers), according to Microsoft.
"Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user," Microsoft added. "This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email."
Though the tactics used by these BEC scammers seem crude, and their phishing messages seem to be clearly malicious, BEC attacks have resulted in record-breaking financial losses per year since 2018. The FBI formed a Recovery Asset Team in 2018 intending to retrieve money that can still be traced and freezing accounts used by fraudsters for illegal BEC transactions.