A large-scale, long-term business email compromise campaign has been targeting large industrial companies, including those in the energy, metals, and power sectors.
The campaign has been running for several years and has combined a variety of tactics, including compromises of corporate email systems, network exploitation, social engineering, and highly targeted phishing messages. Researchers at Kaspersky Lab have been following the campaign and said that it has involved more than 500 organizations in more than 50 countries since it began. The foundation of the attacks is spear-phishing emails designed to look like purchase orders, wire transfer notices, or other important business documents.
“The emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached,” the Kaspersky analysis says.
“The phishers clearly tried hard to make their fake messages look very convincing to the employees of targeted companies.
“All the emails had malicious attachments: RTF files with an exploit for the CVE-2015-1641 vulnerability, archives of different formats containing malicious executable files, as well as documents with macros and OLE objects designed to download malicious executable files.”
The business email compromise attack has been going on for several years now and has been remarkably successful. Attackers have used this technique to go after both small and large businesses and the losses have been considerable. Some victims have lost tens of millions of dollars, and Kaspersky’s researchers said the attackers are using a number of different tactics to hook their victims.
“Among other things, we have discovered messages sent using compromised email accounts of company employees, in which cybercriminals sent malicious attachments to corporate addresses at other companies,” Kaspersky said.
“After infecting a corporate computer, the attackers are able to make screenshots of the correspondence using malware or set up hidden redirection of messages from the attacked computer’s mailbox to their own mailbox. This enables them to track which transactions are being prepared in the company.”
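The hidden mailbox redirection Kaspersky describes leaves a durable artifact a defender can audit: an inbox rule that forwards or redirects mail to an address outside the organization. The Python below is an added example, not from the article or from Kaspersky; it checks a constructed list of rules shaped like the ForwardTo/RedirectTo/DeleteMessage attributes that Exchange's Get-InboxRule reports, and the mailboxes and domains in it are made up.

```python
"""Audit inbox rules for quiet redirection of mail out of the organisation."""

# Constructed: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example-industrial.com"}

# Constructed sample rules, shaped like Exchange Get-InboxRule attributes.
SAMPLE_RULES = [
    {"Mailbox": "a.lee@example-industrial.com", "Name": "Archive invoices", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "a.lee@example-industrial.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["collector@attacker.invalid"], "DeleteMessage": True},
    {"Mailbox": "b.khan@example-industrial.com", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ["assistant@example-industrial.com"], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "c.ortiz@example-industrial.com", "Name": "Old rule", "Enabled": False,
     "ForwardTo": ["c.ortiz@personal-mail.invalid"], "RedirectTo": [], "DeleteMessage": False},
]


def _domain(address):
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    """All forward/redirect recipients of a rule whose domain is not one of ours."""
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    return [t for t in targets if _domain(t) not in internal_domains]


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag enabled rules that move mail outside, with the reasons each one is suspicious."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # a disabled rule cannot leak mail
        ext = external_targets(rule, internal_domains)
        if not ext:
            continue  # internal forwarding is normal delegation
        reasons = ["forwards or redirects to external address(es): " + ", ".join(ext)]
        if rule.get("RedirectTo"):
            reasons.append("uses redirect, so the copy keeps the original sender")
        if rule.get("DeleteMessage"):
            reasons.append("deletes the message after forwarding (owner never sees it)")
        if len(rule.get("Name", "").strip(" .,_-")) <= 1:
            reasons.append("rule name is blank or a single character (heuristic)")
        findings.append({"Mailbox": rule["Mailbox"], "Name": rule.get("Name", ""),
                         "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_RULES):
        print(finding["Mailbox"], repr(finding["Name"]), "->", "; ".join(finding["Reasons"]))
```

Run against a real export, the same function applies to any list of dicts carrying those attribute names; the name heuristic is an extra signal, not a verdict on its own.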
This is an ingenious and highly effective attack technique and the group behind this campaign has used it to great effect. The Kaspersky researchers said that the attackers have been able to gather a huge volume of sensitive information from the campaign.
“The amount and contents of data obtained by Nigerian phishers is truly disturbing. Cybercriminals have gained access to information on industrial companies’ operations and main assets, including information on contracts and projects,” Kaspersky said.
“For example, screenshots found on malware command-and-control servers included various cost estimates and project plans for some of the current projects at victim enterprises.”