Multiple types of security threats exist today, including cryptojacking, malware, ransomware, phishing and more. Many of them use email as an attack vector to lure targets into sharing personal information or trick them into installing malicious software on their devices. Today, Microsoft has issued an advisory about a widespread gift card scam that is targeting organizations.
Attackers are utilizing business email compromise (BEC), a phishing technique used to gain access to business information or to steal money. In this particular campaign, attackers are targeting various industries, including real estate, consumer goods, agriculture, and more, by using typosquatted domains to trick recipients into thinking that the emails legitimately come from people they know.
Microsoft has outlined a classic example of a BEC gift card scam in which an executive assistant receives an email from their boss saying that they want to reward their employees for their efforts during the pandemic, so the assistant should immediately buy some gift cards and reply to the email with the codes so they can be shared among the team. The assistant does so, and eventually finds out that their boss never sent the email in the first place.
That said, Microsoft notes that the attack mechanism is not as simple as it appears. Attackers typically conduct detailed reconnaissance about the person they are impersonating, their target, and the company in general. Message headers occasionally contain a false "Re:" to suggest a prior conversation, as well as typosquatted domains in reference headers that appear legitimate at first glance. Meanwhile, message bodies sometimes directly address the target with demands, and at other times they begin with small talk and a hint that the sender has a task for the target, the task being purchasing gift cards or making wire transfers for whatever reason. An example can be seen below:
Microsoft noted that after a successful attack, impersonators typically visit websites which allow them to convert gift card codes to cryptocurrencies or other foreign currencies untraceably. The chances that this is part of a coordinated campaign are high, considering that Microsoft observed impersonation of 120 organizations using typosquatted domains which were registered just a few days prior to the attacks. The company went on to say that:
We noted that these domains did not have domain privacy enabled, nor were they under the EU’s GDPR protections. Each domain used a unique registrant name and email. The registrant names appeared to be autogenerated random first names and last names, and the registrant contact email used a free email service such as Gmail or mail.com with accounts that were often simply .@gmail.com or similar. Each name was used to register just one domain used in the campaign, which made pivoting to related domains more challenging.
Another observation about this campaign is that the registered domains did not always align with the organization being impersonated in the email. This could have been a mistake on the actor’s part, as BEC domains are typically designed to closely mimic the impersonated organization. For example, an actor may register microsoft.xyz or micrrosoft.com, both of which would normally be used to send emails pretending to originate from Microsoft. In this campaign, those types of homoglyphed and typo-squatted domains were used to send emails pretending to originate from a variety of organizations.
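As an added illustration of the two header-level signals described above (a sender domain that typosquats or homoglyphs a trusted one, such as microsoft.xyz or micrrosoft.com, and a forged "Re:" with no real thread behind it), here is a small Python triage script; it is not Microsoft's code or part of the advisory, and the trusted-domain list, homoglyph table and sample message are constructed assumptions for the example.

```python
import re
from email import message_from_string
# Constructed trusted-domain list for this example; a real deployment would load its own domains.
TRUSTED_DOMAINS = {"microsoft.com", "contoso.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit look-alikes

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typosquats such as micrrosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m")  # micr0soft, rnicrosoft -> microsoft
    label = norm.rsplit(".", 1)[0]  # microsoft.xyz -> microsoft, so TLD swaps are caught too
    for trusted in TRUSTED_DOMAINS:
        if label == trusted.rsplit(".", 1)[0] or edit_distance(norm, trusted) <= 2:
            return trusted
    return None

def sender_domain(msg):
    """Lower-cased domain of the From address, taking the <...> part when a display name is present."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw.strip()).rsplit("@", 1)[-1].lower()

def forged_reply(msg):
    """True when the Subject claims a prior conversation but no threading headers back it up."""
    claims_reply = re.match(r"\s*re\s*:", msg.get("Subject", ""), re.I) is not None
    return claims_reply and not (msg.get("In-Reply-To") or msg.get("References"))

def triage(raw_email):
    """Parse a raw RFC 5322 message and return one finding string per check that fires."""
    msg = message_from_string(raw_email)
    findings, imitated = [], lookalike_of(sender_domain(msg))
    if imitated:
        findings.append(f"sender domain {sender_domain(msg)} imitates {imitated}")
    if forged_reply(msg):
        findings.append("subject says Re: but message has no In-Reply-To/References")
    return findings

# Constructed sample modelled on the advisory's scenario; not a real captured message.
SAMPLE = 'From: "The Boss" <boss@micrrosoft.com>\nSubject: Re: quick favour\n\nPlease buy gift cards.\n'
```

Both checks are triage signals rather than verdicts: a legitimate correspondent's mail client can omit References, so findings should route a message for review, not block it outright.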
As usual, Microsoft has recommended that organizations use Microsoft Defender for Office 365, which can detect potential attacks, identify user and domain impersonation, and increase awareness among employees, among other things.