Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Open-source intelligence and flattery at the heart of a clever business email compromise operation

Business email compromise attacks date back a decade, and they are certainly not going away. But the methods of attack are definitely evolving. Where once, threat actors would impersonate an executive to run their scams, now, they’re turning to financial supply chain compromise tactics.

user icon David Hollingworth
Thu, 02 Feb 2023
Open-source intelligence and flattery at the heart of a clever business email compromise operation
expand image

Researchers at Abnormal Security have been monitoring one such BEC operator and tracking its methods. The group — dubbed Firebrick Ostrich by Abnormal Security — has been seen executing third-party reconnaissance attacks, impersonating vendors that already have a business relationship with the target company.

Since 2021, the group has engaged in more than 350 BEC campaigns and impersonated 151 different companies alongside 212 fake domains. Operations peaked in August 2022, with 50 separate operations in that month alone.

Most targets have been in the US, as have most of the companies Firebrick Ostrich has impersonated. The group, however, does not focus on any one industry.

The group’s BEC attacks begin with a research phase, which is often pretty simple. Google searches may reveal relationships between two companies, while some links are even easier to discover. Many companies list their business partners on their own websites or other publicly available sources. With this open-source intelligence (OSINT), the group can then begin setting up its false identity.

Firebrick Ostrich then typically begins registering fake domains that look like they belong to a legitimate vendor, or they may simply spoof the legitimate email of a vendor’s accounts team.

At this point, traditional BEC attacks would normally make a specific claim for payment, such as an overdue invoice being forwarded to a target’s accounts department. What Firebrick Ostrich does is more subtle — they send an email that asks for a vendor’s bank details to be updated, and direct that all future payments be made into the new, fake account.

“These attackers are playing a longer game, hoping that a simple request now will result in a payment to their redirected account with the next payment,” said Crane Hassold, Abnormal Security director of threat intelligence, in a blog post.

The emails are all very friendly, too, thanking the target for being a “valued customer” and thanking targeted employees for their assistance. Firebrick Ostrich also states that the “vendor” can’t process cheques at this time, or that there is an issue accessing previous payments that may not have been confirmed.

“In one email, Firebrick Ostrich provided more details,” Hassold said, “stating that the account team is ‘not able to get onto the server or into Oracle to review accounts or post payments that may have been received’.”

“The manufactured pretext of a technical issue is a common excuse used in many of the third-party reconnaissance attacks we see to explain why a vendor isn’t able to access their own inventory of invoices, but the flattery shown here seems to be unique to this BEC group.”

Firebrick Ostrich goes the extra yard to convince its targets that everything is above board by also copying in other fake email accounts, making it look like the payment requests are being seen by executive-level employees at the vendor in question.

Combined with the use of official logos and other set-dressing, Firebrick Ostrich’s operations are hard for many targets to see through without third-party assistance.

“What makes this group fairly unique is that they have seen massive success even without the need to compromise accounts or do in-depth research on the vendor-customer relationship,” Hassold concludes.

“By using fairly obvious social engineering tactics, they can discover everything they need in order to run a successful BEC campaign — without investing any significant time or resources into the initial research.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.