Israeli threat group uses fake company acquisitions in CEO fraud schemes

A group of cybercriminals based in Israel has launched more than 350 business email compromise (BEC) campaigns over the past two years, targeting large multinational companies from around the world. The group stands out with some of the techniques it uses, including email display name spoofing and multiple fake personas in the email chains, and through the abnormally large sums of money it attempts to extract from organizations.

“Like most other threat actors that focus on business email compromise, this group is fairly industry agnostic in their targets,” researchers from cloud email security firm Abnormal Security said in a report. “They target multiple industries simultaneously, including manufacturing, financial services, technology, retail, healthcare, energy, and media.”

The targeted organizations had headquarters in 15 countries, but since they are multinational corporations, employees of these companies from offices in 61 different countries were targeted. The reason the group is focused on large enterprises is revealed in the lure they chose to justify the very large transfers they’re after: company acquisitions. It’s not unusual for such multinational companies to acquire smaller companies in various local markets.

CEO impersonation is followed by lawyer impersonation

In many BEC scams, attackers target employees from the finance or accounting departments that have access to the organization’s accounts. However, this group targets company executives and other senior leaders.

The first email appears to come from the company’s CEO and informs the recipient that the organization is in the process of acquiring a new company, but that the transaction is supervised by financial market authorities and needs to remain confidential until a public announcement is made to avoid any insider trading.

This initial email looks to obtain a promise of confidentiality, mentioning that the transaction might fail if information is leaked but includes other hints such as that the acquisition will not be performed from headquarters for tax reasons because the acquired company is in another country where the organization looks to expand its operations. This also helps add credibility if the targeted employee is a local executive in a certain country rather than someone from HQ.

“​​First, members of the executive team are likely to send and receive legitimate communications with the CEO on a regular basis, which means an email from the head of the organization may not seem abnormal,” the researchers said. “Second, based on the stated importance of the supposed acquisition project, it’s reasonable for a senior leader at the company to be entrusted to help. And finally, because of their seniority within the organization, there is presumably less red tape that would need to be cut through in order for them to authorize a large financial transaction.”

If the recipient agrees to assist, the follow-up email provides more information about the acquisition, such as the location of the company and the need to make an “installment” payment to ensure the acquisition before competitors might get wind of it. This is also where the targeted employee is handed off to a second persona by being told to contact an attorney who specializes in acquisitions. In many cases, solicitors from professional services and financial consulting firm KPMG are being impersonated in this second stage of the scam and the KPMG logo is used in the email signature.

When this second attorney persona is contacted, the attackers respond with the bank account information and the amount that needs to be transferred. The communication in this second part of the scam is not always done by email and in some cases the fake attorney asked to speak over a WhatsApp voice call. The researchers went along with one of the scams and called the number and spoke with someone with a French accent who reiterated the need for urgency and secrecy and excused his poor English communication skills saying he’s based in Paris.

“An analysis of potential financial impact data across all payment fraud attacks shows the average amount requested is $65,000,” the researchers said. “In contrast, this group requests an average of $712,000—more than 10 times the average. Because the main theme of these attacks is the acquisition of a company and large sums of money are commonly exchanged in that type of transaction, the amount may not raise any red flags.”

Email spoofing techniques

In BEC scams it’s not unusual for attackers to compromise the real email account of a company employee and then launch their attack from there. However, since this group uses a specific lure that requires impersonation of the CEO to be credible, the attackers rely on email spoofing instead.

First, they establish if the organization’s email domain has a DMARC policy enabled. This is a protocol for email communication that is aimed at preventing spoofing. If a DMARC policy is absent or is misconfigured and ineffective, then attackers spoof the email address directly. However, if such a policy exists they employ another technique known as display name spoofing.

Many email clients will just display the name of the sender in the email header in the default compact view. Some clients will add the email address as well after the name in a format “Name ” or the recipient will have to click to expand the email header to see the email address as well. To trick victims the attackers configure their display name to be not just the CEO’s full name but their email address as well in the form: “Fake Name ” so when the target sees it they might confuse it with the email their email client displays addresses in expanded view.

“Even the most security-conscious employees could be tricked by socially engineered lures like these, particularly due to the legitimacy given by the phone calls,” the researchers said. “And unfortunately, legacy security tools are unlikely to block the initial attacks since they are sent from legitimate domains without suspicious links, malicious attachments, or other traditional indicators of compromise.”

Security awareness training for spotting these types of scams is essential, as well as having clearly defined internal procedures in place for verifying and authorizing transfer requests from the company’s bank accounts, which could include always confirming a request made via email with a follow-up phone call to the person who made it, of course by using the phone number listed in the company’s internal contacts directory and not the one listed in the email.

Unfortunately, these scams are low effort and high reward, since the attackers don’t need a large number of targets to fall for them to be successful. “Just one successful attack each month means that these threat actors could be set for life, which is perhaps why they appear to only work a few months each year,” the researchers said.