BEC Groups Target Firms With Multilingual Impersonation Attacks

Two Business Email Compromise (BEC) groups have been observed using executive impersonation to attack companies around the world.

The findings come from security researchers at Abnormal Security and concern two threat actors: “Midnight Hedgehog,” which specializes in payment fraud, and “Mandarin Capybara,” which focuses on executing payroll fraud attacks.

“Together, we will run the BEC campaign in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish and Swedish. It has started,” wrote Crane Hassold, director of threat intelligence at Abnormal.

More specifically, the Midnight Hedgehog threat actors researched the target’s responsibilities and relationship with certain CEOs and created a spoofed email account that mimics the real one. In January 2021, an attack targeting a global company was confirmed.

“Like many payment fraud attacks, this group targets financial managers and other executives responsible for initiating financial transactions for companies,” Hassold said.

Regarding the Mandarin Capybara group, Hassold said the group has been targeting businesses with Gmail accounts since at least February 2021.

“Midnight Hedgehog has only been observed targeting companies in Europe with non-English messages, while Mandarin Capybara is attacking companies around the world,” explains the security researcher.

“We want this group to have American and Australian companies in English, Canadian organizations in French, European companies in Dutch, French, German, Italian, Polish, Portuguese, Spanish and Swedish. We observed targeting in eight languages.”

Furthermore, Hassold added that while the group typically used mule accounts in other countries, they were similar to the accounts used in payroll diversion attacks targeting US companies.

“Unlike other types of payment fraud BEC attacks, the majority of payroll diversion attacks use non-traditional fintech accounts to receive illicit funds,” wrote security experts.

“Mandarin Capybara set up mule accounts with European fintech institutions including Revolut, Saurus, Monese, Bunq and SisalPay to receive funds from payroll diversion attacks.”

To protect against such attacks, Abnormal urged companies to implement behavior-based security that uses machine learning and artificial intelligence to understand the concept of identity.

“A solution that baselines normal behavior can provide the context needed to determine when anomalous behavior occurs, regardless of what language the attack was transmitted in.”

The unusual recommendation comes days after another report from the group suggested that, globally, the rate of BEC attacks will increase by 81% or more in 2022, increasing by 175% over the past two years.
