A business email compromise campaign emanating out of Western Africa is targeting companies in a wide swathe of industries, bucking a trend of these scams focusing on wire fraud and targeting CEOs.
The criminals are using phishing emails with links redirecting victims to sites designed to harvest corporate email credentials.
Researchers at Flashpoint said it’s likely that one individual or a small group is working on each phase of the attacks, which likely date back to before March and were still active as of Aug. 8. The researchers saw emails targeting large retail organizations, universities, software, tech, engineering and real estate companies, and churches.
“These waves of emails are customized per organization, which is why we think it’s one individual or a small group because of the way the file structure is set up and the overlapping domains,” said Ronnie Tokazowski, senior malware analyst at Flashpoint.
He added that so far, the attackers have sent 73 PDFs with redirect links, and of those 73, Flashpoint was able to identify 70 unique URIs and 29 domains involved.
“We’re thinking it was email credentials they were targeting,” Tokazowski said. Once the attackers have access to a victim’s email, they’re able to send additional phishing emails to contacts and target other organizations, Tokazowski said.
Like most BEC campaigns, this one is fairly low-tech, relying instead on convincing social engineering to achieve its goals. While these attacks overall are progressing in sophistication, most still opt not to use malware or exploits, for example, meaning the attacks avoid detection by antimalware and intrusion detection systems.