BEC Scam Targets Executives' Office 365 AccountsTrend Micro: 'Water Nue' Payment Fraud Campaign Has Targeted 1,000 Companies Since March
A recently uncovered business email compromise scam has targeted the Office 365 accounts of business executives at over 1,000 companies worldwide, collecting more than 800 sets of credentials in an attempt to commit payment fraud, according to the security firm Trend Micro.
The group behind the campaign, which Trend Micro researchers call "Water Nue," is not technically sophisticated, but the fraudsters appear extremely proficient. Since March, the gang apparently has targeted companies worldwide with spear-phishing attacks, according to the Trend Micro report.
The goal of this scam is to capture the Office 365 credentials of executives, especially those working in finance, and then create phony documents and invoices that are sent to lower-level employees, according to the report. Payments made for the fake invoices are transferred to the fraudsters' accounts, the researchers say.
"We first noticed the campaign from a large group of email domains used in phishing attempts. We found that most of the recipients hold high corporate positions, particularly in the finance department," the Trend Micro report notes.
The campaign is continuing, with the gang switching its infrastructure and domains if their phishing emails or websites are blacklisted, according to the report.
Over the last several years, BEC scams have become an increasingly lucrative way for criminal gangs and fraudsters to siphon money from organizations.
The FBI's Internet Crime Complaint Center’s annual cybercrime report, released in February, found that BEC schemes accounted for about $1.7 billion in losses in 2019, or an average of $72,000 each (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).
Since the COVID-19 pandemic started, the FBI has warned of BEC scammers using the healthcare crisis as a lure to target victims (see: FBI: COVID-19-Themed Business Email Compromise Scams Surge).
Water Nue Tactics
The Trend Micro report notes that the Water Nue gang uses simple spear-phishing tactics and malicious domains to capture executives' credentials. The fraudsters do not use any other malware, such as backdoors or Trojans.
"It appears that their technical capabilities are limited despite being able to successfully target high-level employees globally," the report notes.
The researchers note, however, that the Water Nue fraudsters make extensive use of cloud-based services, such as SendGrid, to send out phishing emails and host their infrastructure, which helps obfuscate their operations and makes it more difficult to conduct a forensic analysis.
The phishing emails contain a message asking the recipient to click on a link to listen to a voicemail. If a victim clicks the link, it leads them to a fake Office 365 domain, where credentials are harvested through a simple PHP script, according to the report. The fraudsters apparently have collected over 800 sets of credentials so far, according to the report.
"Once the compromised credentials are used to successfully log in to accounts, fraudsters can identify themselves as executives. They will then send a fraudulent wire transfer request to trick recipients into wiring money into the criminals’ accounts," the report notes.
Although the Trend Micro report does not estimate how much money may have been stolen via the scam, the researchers found at least one fake invoice asking for a nearly $1 million payment, according to the report.
Other Sophisticated Scams
Some other recent BEC scams have grown more sophisticated.
In January, for example, security firm Agari found one gang stealing so-called "aging reports" from companies' financial and accounts receivable departments and then using these documents to expand their scams by posing as company officials trying to collect money from clients who have unpaid balances (see: BEC Fraudsters Targeting Financial Documents: Report).
In June, a one-time Nigerian entrepreneur pleaded guilty to scamming a U.K. affiliate of U.S. heavy equipment manufacturer Caterpillar out of $11 million in a sophisticated BEC scam, according to the U.S. Justice Department (see: Nigerian Entrepreneur Pleads Guilty in $11 Million BEC Scam).