A cruel business email compromise (BEC) gang is hacking people’s email accounts and sending messages to their contacts claiming the account owner needs to send a gift to an unwell friend in an attempt to manipulate people into sending online gift cards.
Detailed by cybersecurity researchers at Abnormal Security, an organized cyber criminal group — dubbed Lilac Wolverine — has fine-tuned techniques which pull on people’s heartstrings.
They include false claims that the gift cards are meant for people who have been diagnosed with, or lost relatives to, serious illnesses, along with the claim that the sender can't buy the cards themselves because their bank card is missing or because they're out of the country.
Gift cards are requested from familiar brands like Apple, Amazon and Google Play, with amounts ranging from $100 to $500.
In what researchers describe as an “extremely high attack volume” and “one of the most prolific” BEC campaigns today, one of the elements which make it look more realistic to victims — and therefore potentially more successful for the scammers — is hacking into real email accounts.
According to researchers, this is likely achieved with phishing attacks, using passwords leaked in an earlier data breach, or simply because the password securing the account is common or re-used.
But once an email address is successfully compromised, the attackers don’t use the account itself to send out BEC campaigns.
Instead they copy the victim’s address book and set up a lookalike account, using the same name and username, or if that isn’t available, making very subtle, often unnoticeable changes. The attackers use free webmail services to set up these accounts.
It’s these newly generated email accounts which are used to send out BEC phishing lures to the first victim’s contacts — they’re designed to look like the real account and they do come from the real address, but the reply address points to the newly created account used by the scammers.
Setting up one of these accounts sounds elaborate, but it means there’s less chance that the victim of the initial account hack will notice something is wrong.
“They likely use a separate, lookalike account so the owner of the compromised account doesn’t get alerted if and when someone responds to an email they didn’t send. Instead, any responses go to the lookalike account controlled by the attacker,” Crane Hassold, director of threat intelligence at Abnormal Security told ZDNET.
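One defensive check that the lookalike-account pattern described above suggests, written here as an added example (not code from Abnormal Security or from the article): flag a message when its Reply-To address differs from its From address, or when a known contact's display name arrives from an address other than the one in the recipient's address book. The address book and the three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed address book for the example: display name -> known address.
ADDRESS_BOOK = {"jane doe": "jane.doe@example.com"}


def analyze_headers(raw_message, address_book=ADDRESS_BOOK):
    """Return a list of findings for the two header patterns described in the article."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    findings = []

    # Pattern 1: replies would go to an account other than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        findings.append(f"reply-to mismatch: From={from_addr} Reply-To={reply_addr}")

    # Pattern 2: a familiar display name on an address the address book does not know
    # (same username on another domain, or a subtly altered address).
    expected = address_book.get(from_name.strip().lower())
    if expected and expected != from_addr:
        same_user = from_addr.split("@")[0] == expected.split("@")[0]
        detail = "same username, different domain" if same_user else "altered address"
        findings.append(f"lookalike sender ({detail}): '{from_name}' expected {expected}, got {from_addr}")
    return findings


# Constructed sample messages (hypothetical addresses).
SAMPLE_BENIGN = "From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\nStill on for Friday?\n"
SAMPLE_REPLY_TO = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: Jane Doe <jane.doe@freemail.example>\n"
    "Subject: Quick favor\n\nAre you around? I need a small favor.\n"
)
SAMPLE_LOOKALIKE = "From: Jane Doe <jane.d0e@freemail.example>\nSubject: Catching up\n\nFree to chat?\n"

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("reply-to", SAMPLE_REPLY_TO), ("lookalike", SAMPLE_LOOKALIKE)]:
        print(label, analyze_headers(sample) or ["no findings"])
```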
Ultimately, by making the BEC email look like it comes from someone the targets know, rather than a stranger or a vague contact address, it makes it more likely that the attackers will succeed in scamming victims.
This is also achieved by not bringing up the idea of needing a gift card in the initial email, which looks innocuous enough: asking the recipients whether they want to catch up, asking for a favor, or asking where they do their online shopping.
It’s only if the victim responds to the initial spoofed email that the scammers will send an additional message requesting a gift card.
It’s here they attempt to emotionally manipulate victims, using claims of bank cards not working and needing to urgently buy a gift for someone dealing with serious illnesses.
“The pretexts the group uses in their BEC campaigns are meant to elicit an emotional response that they hope would persuade a target to comply with their request,” said Hassold.
“Like other gift card BEC attacks, since the target population is substantially larger than other types of attacks, their success rate doesn’t need to be that high to get a good return on investment on their campaigns,” Hassold said.
It’s believed that the campaign is still active and that people should be made aware of telltale signs of BEC gift card scams. These include unexpected urgent requests — particularly if they’re trying to use emotional subjects requiring swift action — and messages which don’t sound like they come from who they say they come from.
If you’re unsure whether a message is genuine, check with the person it claims to come from by calling them on the phone or speaking with them in person, where possible.