In our recent research, Piercing the HawkEye, we uncovered various ways cybercriminals were able to exploit information they gathered from monitoring victims’ mailboxes in order to steal money from businesses. One of the examples we shared, the “change of supplier” fraud, was one of the most notable, as this type of scheme has been known to earn cybercriminals millions of dollars of stolen money. In this post, we will flesh out the details of this particular scheme, and what makes it a big threat to small businesses and users alike.
Our monitoring of this kind of scheme reveals that it is more targeted and goes far longer than the average attack. Cybercriminals often do the “shotgun approach” when deploying out their attack — sending out their crafted emails to email lists that were probably bought from other cybercriminals. It was quite different in the case we monitored, as the cybercriminals specifically targeted the publicly-available email addresses of small businesses. Our data reveals that these are the “official” company email addresses, usually formatted as firstname.lastname@example.org or email@example.com.
We found this to be an interesting strategy because official company email addresses are often positioned to receive possibly unsolicited emails from unknown senders, which creates an advantage for the cybercriminals. If the team managing the email account are not savvy enough to be able to identify socially-engineered emails, they will most likely open those sent by cybercriminals.
How cybercriminals made initial contact with their targets in this scheme is also quite different from those frequently seen. The cybercriminals did not immediately send their malicious payload, instead they sent actual emails meant to engage with the target.
We called this technique “The Long Con” in our research since it resembles the real-life example — the attacker approaches the target coming off as a harmless entity, and attempts to achieve the target’s trust. Once that is achieved, the attacker will then send the malicious file (in this case, HawkEye) to the target under the guise of a file related to their ongoing conversation. In the scheme that we monitored, the cybercriminal even used the holidays as part of the lure to raise the urgency of the request.
Once the victim is infected with HawkEye, the cybercriminal is then able to monitor the target’s activities and check for information he can leverage to run scams. As we’ve previously shared, the target of the attacker here is to get access to the victim’s company email account. This is done to monitor any ongoing transactions that they can hijack to conduct “change of supplier” fraud.
What happens is that the cybercriminal looks for ongoing conversations where payment is being discussed, then intercept the conversation to give false account information to the customer. Below is a screenshot of such an email, captured in monitoring of similar cases executed with the use of Predator Pain, HawkEye’s predecessor:
In successful attacks, the customer sends the payment to the account owned by the cybercriminal instead of the actual vendor.
Although this scam looks less sophisticated in a technical sense, since it requires mostly taking advantage of the victim’s information, it doesn’t make it less dangerous for businesses. IC3’s advisory on similar scams last year has revealed that the average loss for this kind of scheme is $55,000, with some victims even losing as much as $800,000. If, for example, the cybercriminal is able to attack multiple targets at any given time, it’s easy to assume that they’ve earned millions from running this kind of scheme.
For our full analysis of this scheme and the tools cybercriminals used to execute it, check our research paper,
Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs.