Inception Cyber | Intent-Based Security Blogs

Deep Dive: NACE Combats BEC Customer Impersonation Employing Combosquatting

Written by Abhishek Singh, Inception Cyber Co-Founder and CTO | Feb 18, 2025 6:00:36 PM

Quick Read:

  • BEC Strategy: Customer and Brand Impersonation
  • Tactics Observed:
    • Sender’s domain used combosquatting to impersonate a real brand.
    • Hiding the intended recipients by relying on the SMTP Received: header for delivery.
    • The combosquatted sender domain leveraged an HTTP 302 status code to redirect to the legitimate brand.
  • Deployment: NACE™ deployed to analyze emails behind G-Suite.
  • Detection Status
    • As of this writing, 1 out of 96 antivirus vendors on VirusTotal was classifying the sender domain as SPAM.

Introduction 

Cybercriminals continuously evolve their tactics, and one common technique they use is combosquatting—registering domains that closely resemble legitimate businesses by adding common terms like "ltd," "secure," or "support." Recently, we encountered a Business Email Compromise (BEC) attack where threat actors leveraged combosquatting to impersonate a well-known energy company and deceive victims into engaging with fraudulent emails. 

As part of normal workflow processes, the recipient typically receives numerous legitimate emails related to routine business operations, making it challenging to distinguish between genuine inquiries and BEC impersonation attempts. In this case, the threat actor crafted an email that closely resembled a standard request for product details. Furthermore, to build credibility, the attacker impersonated a legitimate brand.

BEC Email Impersonating a Customer and Features Extracted by NACE™


The sender's domain, axpoltd[.]com, was crafted using combosquatting to impersonate axpo[.]com. In addition to combosquatting, axpoltd[.]com also served an HTTP 302 Found response that redirects to the legitimate brand. A 302 response indicates that the requested resource has been temporarily moved to a different URL; the Location header in the response names the new URL, and the web browser automatically follows the redirect and requests that URL instead. As a result, anyone who checks the sender domain in a browser is sent to http[:]//www[.]axpo[.]com/, landing on the legitimate website, which lends the lookalike domain credibility.

DNS Redirection to a Legitimate Brand. 


At the time of writing this blog post, only one out of 96 antivirus vendors on VirusTotal was classifying the domain axpoltd[.]com as SPAM.


VirusTotal result for the sender domain axpoltd[.]com


NACE™ Leveraging Intent as a Feature for Detection:

By employing Generative and Predictive AI for semantic and thematic analysis, NACE™ derives the intent of the email body. The contextual relationship between the SMTP headers and the intent of the body is what allowed the message to be classified as BEC customer impersonation.

Some of the features that aided in classification are:

  • Intent identification: Semantic and thematic analysis detected business opportunities intent in the emails.
  • Call-to-action detection: The email contains a call to action, a request that the recipient perform a specific task; in this case, forwarding an updated catalog for urgent review.
  • Suspicious sender domain detection: NACE identifies the sender's domain as newly registered and as exhibiting the characteristics of combosquatting.
  • Undisclosed recipient: The email attempts to hide the intended recipient from view.
  • Sense of urgency: The language in the email conveys a sense of urgency, a characteristic commonly employed by threat actors.
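As an added illustration of the header-level signals listed above (example code written for this post, not NACE's own implementation, which is not published here), the following Python checks a sender domain for combosquatting against a protected-brand list, parses the lookalike domain's HTTP 302 response for a Location header pointing back at the brand, and flags an undisclosed recipient. The brand list, affix list, sample email and sample HTTP response are constructed assumptions modelled on the case described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed brand list and affix list (assumptions, not NACE's data); the
# post names "ltd", "secure" and "support" as typical combosquatting terms.
PROTECTED_BRANDS = {"axpo.com"}
COMBO_TERMS = ("ltd", "secure", "support", "inc", "group", "mail")

# Constructed sample email and HTTP response modelled on the post, not the originals.
SAMPLE_EMAIL = (
    "From: Sales Team <sales@axpoltd.com>\r\n"
    "To: Undisclosed recipients:;\r\n"
    "Subject: Updated catalog needed urgently\r\n\r\n"
    "Please forward your updated product catalog for urgent review.\r\n"
)
SAMPLE_HTTP = "HTTP/1.1 302 Found\r\nLocation: http://www.axpo.com/\r\n\r\n"

def combosquat_target(sender_domain):
    # A domain combosquats a brand when its leftmost label is the brand label
    # with a common affix glued on (prefix or suffix, optional hyphen).
    label = sender_domain.lower().split(".")[0]
    for brand in PROTECTED_BRANDS:
        b = brand.split(".")[0]
        if label != b and any(label in (b + t, b + "-" + t, t + b, t + "-" + b)
                              for t in COMBO_TERMS):
            return brand
    return None

def redirect_host(http_response):
    # Host named by the Location header of a 301/302 response, else None.
    if not re.match(r"HTTP/1\.[01] 30[12]\b", http_response):
        return None
    m = re.search(r"^Location:\s*(?:https?://)?([^/\s]+)", http_response, re.M | re.I)
    host = m.group(1).lower() if m else ""
    return host[4:] if host.startswith("www.") else host or None

def score_email(raw_email, sender_http_response):
    # Combine the header-level signals listed in the post into a label list.
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    brand = combosquat_target(sender_domain)
    signals = ["combosquatting:" + brand] if brand else []
    if redirect_host(sender_http_response) in PROTECTED_BRANDS:
        signals.append("redirects-to-brand")
    to = (msg["To"] or "").lower()
    if "@" not in to or "undisclosed" in to:
        signals.append("undisclosed-recipients")
    return signals
```

The redirect check needs the lookalike domain's HTTP response fetched separately (for example from a sandboxed URL-analysis step); the function only parses a response that is handed to it.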


Campaign Goals

Based on our analysis, it appears that the primary goals of the BEC were to:

  • Establish a trust relationship with the target organization.
  • Gather sensitive information through social engineering tactics in order to impersonate the business.
  • Potentially deploy more malicious payloads or requests in subsequent emails.
  • Potentially send fraudulent orders with fake proof of payment, leading to lost goods and money.

In conclusion, this BEC campaign highlights the evolving landscape of advanced threats and the limitations of traditional security methods.

  • Traditional approaches, including fine-tuned AI models such as DistilBERT, are also used to detect BEC attacks. However, with Generative AI and low-cost models such as DeepSeek, message variations can be generated at scale. If a fine-tuned neural network is not trained on all semantic variants, it may misclassify BEC attack variations as benign.
  • The email targeted a customer-facing alias, which by design receives emails from new or existing customers. This renders behavior-based profiling of the sender or recipient ineffective for detecting BEC, since there may be no historical pattern against which to flag anomalies.

In contrast, NACE has been designed to detect BEC attacks whether they are crafted by threat actors or by Generative AI. It employs a robust multimodal, semantic-aware, zero-trust approach, leveraging multiple zero-shot analyses, to improve resilience against the semantic variations introduced by Generative AI, helping organizations stay ahead of evasive social engineering tactics, whether generated by a threat actor or by AI.