Inception Cyber | Intent-Based Security Blogs

From Deception to Detection: Unmasking a Highly Targeted BEC Attack

Written by Shray Kapoor, Principal Research Scientist Engineer | Jan 30, 2025 3:02:37 AM

Quick Read:

  • BEC Strategy: Brand Impersonation / Fake customer

  • Tactics Observed:
    • Professional and Relevant Messaging: A well-written email with industry-specific content that matched the victim's business interests.
    • Proper SPF and DKIM records: The sender domain is configured with SPF and DKIM records, so the email passes authentication checks.
    • Employee Impersonation: The scammer impersonated an employee of Dreistern Inc. (a legitimate company), using the company logo in the signature to enhance legitimacy.
    • Clever Typo-Squatting: A subtle typo-squatting attempt was made by adding an extra 's' to the sender domain (dreisterns[.]com), aiming to trick users into thinking it is the legitimate domain.
  • Deployment: NACE deployed to analyze emails behind G-Suite.

  • Detection Status: 0 out of 96 anti-virus vendors on VirusTotal were detecting the sender domain; only NACE detected it at the time of writing this blog.

A Well-Crafted Deception

We recently observed a BEC impersonation email at one of our deployments. This analysis details how the scammer went to great lengths to create an authentic, convincing message that resonated well with the target organization's industry. The following is a screenshot of the email:


Figure: BEC email impersonating Dreistern


The recipient typically receives numerous legitimate Request For Quotation (RFQ) emails as part of routine business operations, making it challenging for them to distinguish between genuine and BEC impersonation attempts. In this case, the scammer crafted an email that closely resembled a standard RFQ request for a product directly relevant to the target's industry. Furthermore, in an attempt to build credibility, the attacker impersonated a legitimate employee, including their official title of 'Manager'. This added layer of deception made it more difficult for users to verify the sender's identity through LinkedIn or other business intelligence platforms like ZoomInfo.


Email Header Observations

A closer examination of the email header reveals several telling details about the scammer's tactics. The sender is impersonating an employee from Dreistern Inc., attempting to create a veneer of legitimacy.

Upon further investigation, we discovered that the email originated from a recently registered domain: 'dreisterns[.]com'. This domain was only 78 days old at the time of writing and is currently parked on Hostinger. Notably, it is a clear case of typo-squatting - an attempt to deceive users by mimicking Dreistern Inc.'s legitimate domain ('dreistern.com').

The email passed both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks, as shown below:

ARC-Authentication-Results: i=3; mx.google.com;
       dkim=pass header.i=@dreisterns.com header.s=selector1 header.b=hn1YyDyA;
       arc=pass (i=1 spf=pass spfdomain=dreisterns.com dkim=pass dkdomain=dreisterns.com dmarc=pass fromdomain=dreisterns.com);
       spf=pass (google.com: domain of *******@dreisterns.com designates 2a01:111:f403:2412::709 as permitted sender) smtp.mailfrom=*******@dreisterns.com


These security measures are designed to verify that an email really comes from the domain it claims to come from, not that the domain belongs to the organization it resembles. In this case, the scammer properly configured SPF and DKIM records for the look-alike domain, so the message passed email validation checks.


Email Body Analysis

A closer look at the email body reveals a well-crafted attempt to deceive the victim. The language is clear and concise, with no obvious grammatical mistakes that might raise suspicion. The scammer chose a familiar theme - an RFQ request - which is commonly seen in normal business communications for this company. They also included a relevant product from their industry, making it more likely to grab the attention of the victim.

Furthermore, the email includes a standard signature and features the company logo, designed to reinforce legitimacy and establish trust with the victim. Interestingly, there are no URLs or attachments in the email, which may have been deliberately avoided to minimize triggering spam filters. However, this restraint only serves as an initial lure - once the scammer has established a rapport with the victim, they can proceed to make more malicious requests.


NACE™ Detection Approach:

Figure: NACE™ intent-based approach

This email was flagged as malicious by Inception Cyber's Neural Analysis and Correlation Engine (NACE™). By leveraging Generative and Predictive AI for semantic and thematic analysis, NACE extracts intent from email content and headers. The contextual relationship between intent and SMTP headers, such as the sender's domain, enables accurate detection of this BEC email.

NACE's advanced AI models detected a combination of semantics commonly found in Business Email Compromise (BEC) emails, irrespective of whether the email is crafted by a threat actor or by AI.

The analysis revealed several key characteristics:

  • Call to action - The sender requests the recipient to take action, specifically providing a quote for the requested product.
  • Seeking response - The sender expects a prompt email response from the victim.
  • Sense of urgency - A swift response is emphasized with phrases like "Your prompt action and response in this regard would be highly appreciated."
  • Brand identification - The email includes Dreistern's logo, identified as a known brand through our proprietary technology.

In addition to these semantic characteristics, further analysis revealed several features from the sender domain:

  • Newly registered sender - The sender domain was detected as newly registered, just 78 days old at the time of writing.
  • Domain Typo-squatting - NACE's advanced algorithms correlated the identified brand with Whois and SSL certificate information, detecting a possible typo-squatting attempt in the form of an extra 's' in dreisterns[.]com compared to the legitimate domain.

While semantic characteristics alone might not indicate malicious intent, when analyzed together with the sender domain features using NACE's proprietary technology, we can confidently conclude that this email was sent with malicious intent.
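As an added illustration (not code from the post or from NACE) of the two points above, that SPF/DKIM passing only proves the mail came from dreisterns.com itself, and that the verdict comes from correlating the authenticated domain with the identified brand and the domain's age: the script below parses the ARC-Authentication-Results header quoted earlier (embedded as constructed sample input), measures the edit distance to the brand domain, and combines it with a registration date. The 90-day "newly registered" threshold, the edit-distance cutoff of 2, and the registration date are assumptions chosen to match the 78-day age the post reports.

```python
import re
from datetime import date

# Constructed sample: the ARC-Authentication-Results header quoted in the post, joined
# onto one line, with the mailbox local part masked the way the post masks it.
SAMPLE_HEADER = (
    "ARC-Authentication-Results: i=3; mx.google.com; dkim=pass header.i=@dreisterns.com "
    "header.s=selector1 header.b=hn1YyDyA; arc=pass (i=1 spf=pass spfdomain=dreisterns.com "
    "dkim=pass dkdomain=dreisterns.com dmarc=pass fromdomain=dreisterns.com); spf=pass "
    "(google.com: domain of *******@dreisterns.com designates 2a01:111:f403:2412::709 "
    "as permitted sender) smtp.mailfrom=*******@dreisterns.com"
)

def authenticated_domains(header: str) -> dict:
    """Return the domains that SPF, DKIM and the From: header actually vouch for."""
    found = {}
    for key in ("spfdomain", "dkdomain", "fromdomain"):
        m = re.search(rf"{key}=([A-Za-z0-9.-]+)", header)
        if m:
            found[key] = m.group(1).lower()
    return found

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one inserted letter (dreisterns vs dreistern) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(header: str, brand_domain: str, registered_on: date,
                  today: date, max_age_days: int = 90) -> dict:
    """Correlate the From: domain with the brand seen in the body and with its registration
    age (date supplied by the caller, e.g. from WHOIS); SPF/DKIM alone vouch only for the domain."""
    sender = authenticated_domains(header).get("fromdomain", "")
    dist = edit_distance(sender, brand_domain.lower())
    age_days = (today - registered_on).days
    findings = []
    if sender != brand_domain.lower() and dist <= 2:
        findings.append(f"lookalike of {brand_domain} (edit distance {dist})")
    if age_days < max_age_days:
        findings.append(f"newly registered ({age_days} days old)")
    return {"sender_domain": sender, "findings": findings, "suspicious": len(findings) == 2,
            "auth_passed": "spf=pass" in header and "dkim=pass" in header}

def demo() -> dict:
    """Constructed registration date giving the 78-day age the post reports."""
    return assess_sender(SAMPLE_HEADER, "dreistern.com", date(2024, 11, 13), date(2025, 1, 30))
```

Running `demo()` reports `auth_passed` as True and still flags the sender, which is exactly the gap the post describes: authentication and reputation are separate questions.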

Campaign Insights and Analysis

Based on our analysis, we can draw some insights into this BEC campaign.

  • Sophisticated tactics: The scammer employed sophisticated tactics to create an authentic and convincing message that resonated well with the target organization's industry. This suggests a high level of expertise and resources available to the attacker.
  • Use of typo-squatting: The use of typo-squatting (dreisterns[.]com instead of dreistern.com) is a common tactic used by scammers to trick unsuspecting users into thinking they are interacting with a legitimate organization. This indicates that the scammer was aware of the importance of creating a convincing sender domain.
  • Legitimate branding: The inclusion of Dreistern's logo in the signature and the use of industry-relevant messaging suggests that the scammer had access to genuine brand materials.
  • High level of personalization: The email was tailored to resonate with a specific target organization's business domain, indicating that the scammer had done research on the company and its employees. This personalized approach suggests a targeted attack rather than a mass phishing campaign.
  • Authentication checks passed: Notably, the attacker made sure that the sender domain passed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks, security measures designed to prevent spoofing attacks; because these checks only validate the sending domain, a correctly configured look-alike domain passes them.


Campaign Goals

Based on our analysis, it appears that the primary goal of this campaign was to:

  • Establish a trust relationship with the target organization.
  • Gather sensitive information through social engineering tactics.
  • Potentially deploy more malicious payloads or requests in subsequent emails.

In conclusion, this BEC campaign highlights the evolving landscape of advanced threats and the limitations of traditional security measures.

  • Traditional technologies that rely solely on rule-based filtering or signature matching are likely to fail in detecting such sophisticated attacks, which use legitimate branding, authentication methods, and targeted social engineering tactics.
  • Traditional approaches, including fine-tuned AI models like DistilBERT, are also leveraged to detect BEC attacks. However, with Generative AI and low-cost models like DeepSeek, message variations can be generated at scale. If a fine-tuned neural network isn't trained on all semantic variants, it may misclassify BEC attack variations as benign.
  • The email targeted a customer-facing alias, intended to receive emails from new or existing customers, rendering behavior-based profiling of the sender or recipient ineffective for detecting BEC, as there will always be the possibility that no historical pattern exists to flag anomalies.

In contrast, NACE has been designed to detect BEC attacks whether crafted by threat actors or by Generative AI. It employs a robust multimodal, semantic-aware, zero-trust approach, leveraging multiple zero-shot analyses, to enhance resilience against semantic variations introduced by Generative AI, ensuring organizations stay ahead of evasive social engineering tactics.

Learn more about how Inception Cyber stops the Business Email Compromise attacks that other technology misses.