Researchers are tracking a newly identified threat group, Crimson Kingsnake, that impersonates law firms and debt recovery services to pressure businesses into paying bogus overdue invoices.
The campaign is a form of business email compromise (BEC) aimed at businesses in the United States, Europe, Australia, and the Middle East. The group registers domains that closely resemble those of the firms it impersonates, sends emails that quote the firm's real postal address and VAT number, and relies on what Abnormal Security calls blind third-party impersonation: posing as an outside party with which the target has no existing relationship.
Researchers at Abnormal Security, a cloud-based email security vendor, point out that all of this reinforces the apparent legitimacy of the messages. Although the emails are forgeries, a target who searches for the named lawyer or law firm on Google will find a real practice and nothing obviously suspicious.
Abnormal Security's report says it has identified 92 domains linked to Crimson Kingsnake since March. These impersonate 19 law firms and debt collection agencies in the US, UK, and Australia, many of them large practices with an international presence.
Awareness of the Crimson Kingsnake campaign is growing. Abnormal Security, which specializes in detecting email threats, reports that BEC attacks rose 84 percent year over year in the first half of 2022. BEC remains low in volume compared with other scams, at a rate of less than one attack per 1,000 mailboxes, yet the FBI's report released earlier this year put BEC losses at almost $2.4 billion in 2021, from nearly 20,000 victims, and notes that the number of victims continues to rise.
Abnormal Security classes blind third-party impersonation as a subset of BEC, distinct from attacks that impersonate internal employees. By its count, blind third-party impersonation accounted for more than half of the financial supply chain compromise attacks observed in the first half of 2022.
In these attacks, the researchers note, the scammers have no insight into actual vendor-customer relationships or financial transactions, unlike other forms of financial supply chain compromise. They rely purely on social engineering.
As with many social engineering attacks that have gained popularity in recent years, the scammers exploit targets who do not read their emails closely and simply comply with the request.
The attackers also back up their claims with convincing fake invoices that carry bank account details and genuine details of the impersonated firm on the front page. They even fabricate email threads containing the names and addresses of the target's colleagues, so the request looks like something already under discussion.
In one example, a target received an email from a supposed attorney at the international law firm Sullivan & Cromwell with the subject "unpaid invoice". The message explained that the lawyer represented a client seeking payment of an invoice issued to the target's company, that he had been advised to contact the recipient about the matter, and that he hoped it could be resolved as soon as possible.
If the target replies, they receive a fake PDF invoice. It names the bank account to which payment should be made and gives a false description of the services rendered and the amount due to the law firm, along with an invoice number, an account reference number, bank account details, and a VAT (value-added tax) ID that is the impersonated firm's real VAT number. VAT registration numbers are used in the UK, across Europe, in Australia, and in parts of Asia, so a correct one is a convincing detail.
According to the researchers, the invoices also include contact details for queries and a notification of rights. Given their level of detail, Crimson Kingsnake may be working from altered copies of legitimate invoices issued by the impersonated firms.
The researchers added that some of the information they have collected on the group suggests at least some of its members may be based in or around the UK.
When an employee questions the invoice, the group sometimes sends a follow-up email that appears to come from an executive at the employee's own company. This message confirms the legitimacy of the invoice, sometimes referring to an action that supposedly took place months earlier, and authorizes payment. The email is actually sent from a domain controlled by Crimson Kingsnake, but its display name includes the executive's real email address in parentheses, so a quick glance at the sender field suggests the message is genuine.
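The two sender tricks described on this page, lookalike domains for the impersonated firm and a display name that carries the executive's real address while the actual sender domain belongs to the attackers, can both be caught by inspecting the From: header. The following is an added example written for this page, not code from Abnormal Security or from the report; the domain names, the allow-lists and the sample headers are constructed for illustration, and the similarity threshold is a simple heuristic chosen here, not the vendor's method.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed allow-list: domains of firms the organisation really deals with.
KNOWN_DOMAINS = ("example-law.com", "example-collect.co.uk")
# Assumed: the organisation's own domain(s), used by its executives.
INTERNAL_DOMAINS = ("victimcorp.example",)

EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sender_parts(from_header):
    """Split a From: header into (raw display-name text, address, domain).

    The display-name text is taken from the raw header rather than from
    parseaddr(), because parseaddr() drops (parenthesised) comments, which
    is exactly where the spoofed executive address is placed.
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_text = from_header.rsplit("<", 1)[0] if "<" in from_header else ""
    return name_text, addr, domain


def lookalike_of(domain, known=KNOWN_DOMAINS + INTERNAL_DOMAINS, threshold=0.8):
    """Return the trusted domain this one resembles, or None.

    An exact match is legitimate. A near match on the first label (one
    character swapped, a digit for a letter, an added hyphen) or the same
    label under a different TLD is treated as a lookalike.
    """
    if domain in known:
        return None
    label = domain.split(".")[0]
    for k in known:
        klabel = k.split(".")[0]
        if label == klabel or SequenceMatcher(None, label, klabel).ratio() >= threshold:
            return k
    return None


def display_name_mismatch(name_text, domain):
    """Return an address embedded in the display name whose domain differs
    from the real sender domain, or None."""
    for embedded in EMAIL_IN_NAME.findall(name_text):
        embedded = embedded.lower()
        if embedded.rsplit("@", 1)[-1] != domain:
            return embedded
    return None


def assess(from_header):
    """Return a list of human-readable findings for one From: header."""
    name_text, addr, domain = sender_parts(from_header)
    findings = []
    impersonated = lookalike_of(domain)
    if impersonated:
        findings.append(f"lookalike domain {domain} resembles {impersonated}")
    embedded = display_name_mismatch(name_text, domain)
    if embedded:
        findings.append(f"display name carries {embedded} but sender domain is {domain}")
        if embedded.rsplit("@", 1)[-1] in INTERNAL_DOMAINS and domain not in INTERNAL_DOMAINS:
            findings.append("external sender posing as internal executive")
    return findings


# Constructed sample headers (not taken from the report).
SAMPLES = [
    "Jane Doe <jane.doe@example-law.com>",                      # genuine firm domain
    "Jane Doe <jane.doe@example-1aw.com>",                      # digit-for-letter lookalike
    '"Pat Chief (pat.chief@victimcorp.example)" <pat.chief@victimcorp-legal.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        for finding in assess(header) or ["no findings"]:
            print("   ", finding)
```

The third sample is the executive follow-up described above: the executive's genuine address sits inside the quoted display name, and a mail client that shows only the name will render it as if it were the sender. Checking the domain of the address actually in the angle brackets against the domain embedded in the name is what exposes it; a production rule would also compare against the authenticated (DKIM or SPF-verified) sending domain rather than the header alone.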
Behavior-based, context-aware email security (Abnormal Security's own platform is one such product) can help reduce the risk of these BEC scams by flagging sender identities and requests that do not fit established patterns. Organizations should also maintain strong procedures for outgoing payments, especially where an invoice involves a significant sum.
Security awareness training for employees remains a crucial part of defending against this campaign, as against any social engineering attack.