Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

By Marshall Chen, Loseway Lu, Yorkbing Yap, and Fyodor Yarochkin (Trend Micro Research)


A series of ongoing business email compromise (BEC) campaigns that use spear-phishing schemes on Office 365 accounts has been seen targeting business executives of over 1,000 companies across the world since March 2020. The recent campaigns target senior positions in the United States and Canada.


The fraudsters, whom we named “Water Nue,” primarily target accounts of financial executives to obtain credentials for further financial fraud. The phishing emails redirect users to fake Office 365 login pages. Once the credentials are obtained and accounts are successfully compromised, emails containing invoice documents with tampered banking information are sent to subordinates in an attempt to siphon money through fund transfer requests.


Tracking Water Nue’s activities


The threat actor behind this campaign is interesting for several reasons. Their technical capabilities appear limited, yet they have successfully targeted high-level employees globally. While their phishing tools are basic (i.e., no backdoors, trojans, or other malware), they made use of public cloud services to conduct their operations. Hosting their infrastructure in those services allowed them to obfuscate their operations, making their activities harder for forensic investigators to spot. This tactic has become more commonplace among cybercriminals.


We first noticed the campaign from a large group of email domains used in phishing attempts. We found that most of the recipients hold high corporate positions, particularly in the finance department. In one of the first cases we encountered, the senior financial officer of a bank located in Africa purportedly sent a PDF invoice to a colleague, specifying a bank account in Hon ..
