Unmasking Vendor Registration Scams: Insights from Two Real-World BEC Cases
Quick Read:
- BEC Strategy: Vendor Impersonation & Fake Vendor Registration
- Tactics Observed:
  - Use of free email providers to evade SPF, DKIM, sender domain, and IP reputation checks.
  - Plain-text email: absence of URLs, images, and attachments.
  - Use of typosquatting and combosquatting to trick unsuspecting users.
  - Hiding intended recipients from plain sight using Bcc and/or leveraging the SMTP envelope for delivery.
- Deployment: NACE deployed to analyze emails behind G-Suite.
- Detection Status:
  - As of this writing, none of the 62 vendors on VirusTotal detected any of the samples.
  - 2 out of 96 vendors on VirusTotal detected exxonmobilvendor[.]com as Malicious or Spam.
  - 1 out of 96 vendors on VirusTotal detected larssentoubro[.]com as Phishing.
  - NACE detected both emails.
Introduction
In the current digital landscape, scammers can easily impersonate legitimate vendors, deceiving unsuspecting businesses into disclosing sensitive information. These scams are often quite sophisticated and can be challenging to detect, yet they can lead to severe repercussions for businesses that become targets.
We have recently encountered two alarming cases of vendor scams in one of our deployments that highlight the growing threat of business email compromise (BEC) and vendor impersonation. In both cases, scammers used convincing emails in an attempt to impersonate legitimate vendors and deceive users into providing seemingly innocuous information, such as company profiles and past track records. While these requests may have seemed harmless, they were likely an initial attempt to establish a trust relationship and lay the groundwork for more malicious requests.
Similar intent and identical techniques
Both emails share a common theme: they invite the recipient to explore a business opportunity, as illustrated in the following screenshots.
Figure 1: ExxonMobil Impersonation
Figure 2: Larsen & Toubro Impersonation
Techniques Used to Bypass Spam Filters:
- By utilizing free email service providers such as gmail.com and freemail.hu, attackers can effectively evade detection technologies that depend on SPF, DKIM, sender domain, and IP reputation checks.
- The absence of URLs, images, and attachments in the emails makes them appear harmless to traditional spam filters.
Moreover, many small and medium-sized enterprises legitimately use free email providers for their business communications. This makes it increasingly challenging to distinguish between a legitimate business utilizing a free email service and an attacker attempting to impersonate a legitimate entity.
NACE™ Detection Approach:
Figure 3: ExxonMobil Fake Vendor Procurement Detection
By employing Generative and Predictive AI for semantic and thematic analysis, NACE derives intent from email body and headers, leveraging this information along with auxiliary data from domains found in the email to inform its expert system.
The AI models employed by NACE extract various semantic features, irrespective of whether the email was written by a human threat actor or generated by AI, that serve as key indicators of intent and inform decision-making, including:
- Vendor name extraction: Utilizing Natural Language Processing (NLP), NACE accurately identifies vendor names within email headers and body.
- Theme identification: The AI system detects common themes in the emails, such as business opportunities or requests for sensitive information.
- Request for information analysis: Emails are analyzed to identify specific types of company data being requested, such as company profiles and previous track records.
- Call-to-action detection: Attackers' instructions to send requested information to specified email addresses are detected with high accuracy.
- Suspicious contact domain detection: NACE identifies newly registered domains with look-alike characteristics, including one instance of typosquatting (larssentoubro.com vs. legit domain: larsentoubro.com) and another instance of combosquatting (exxonmobilvendor.com).
- Undisclosed recipient: The AI system detects attempts to hide the intended recipient from view.
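As an added illustration of the header and body indicators listed above (and of the evasion tactics in the "Techniques Used to Bypass Spam Filters" section), the following example is not NACE code and does not reproduce its AI models; it is a plain rule-based extractor over a constructed sample message. The free-mail provider list, the edit-distance threshold of 2, and the sample headers are assumptions for the example; the brand domains are the legitimate ones named in the post.

```python
import re
import email
from email import policy
# Assumed lists for this example; the post names gmail.com and freemail.hu as the abused providers.
FREE_MAIL = {"gmail.com", "freemail.hu", "yahoo.com", "outlook.com"}
BRANDS = {"exxonmobil.com", "larsentoubro.com"}  # legitimate vendor domains named in the post

# Constructed sample modelled on the post's description; not a real captured message.
RAW = """From: Procurement Team <procurement.team@gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain

We invite your company to register as an approved vendor.
Send your company profile and past track record to vendor@exxonmobilvendor.com
"""

def edit_distance(a, b):  # Levenshtein distance by dynamic programming
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):  # ("typosquat"|"combosquat", brand) or None for a non-brand domain
    if domain in BRANDS:
        return None
    label = domain.split(".")[0]
    for brand in sorted(BRANDS):
        blabel = brand.split(".")[0]
        if edit_distance(label, blabel) <= 2:  # assumed threshold: one or two character edits
            return ("typosquat", brand)
        if blabel in label:  # brand name glued to extra words, e.g. <brand>vendor
            return ("combosquat", brand)
    return None

def analyze(raw):  # the header and body indicators the post lists, returned as a dict
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    to = str(msg.get("To", "")).lower()
    body = msg.get_content()
    contacts = sorted({d.lower() for d in re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", body)})
    return {
        "free_mail_sender": sender_domain in FREE_MAIL,
        "undisclosed_recipients": not to.strip() or "undisclosed-recipients" in to,
        "plain_text_no_urls": msg.get_content_type() == "text/plain" and not re.search(r"https?://|www\.", body, re.I),
        "contact_domains": contacts,  # domains the message asks the reader to reply to
        "lookalikes": {d: lookalike(d) for d in contacts if lookalike(d)},
    }
```

Any one indicator on its own is common in legitimate small-business mail, which is the point the next paragraph makes; the combination (free-mail sender, hidden recipients, no URLs, and a look-alike reply domain) is what separates these samples from benign traffic.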
Figure 4: Results from VirusTotal for exxonmobilvendor[.]com
At the time of writing the blog, only 1 out of 96 vendors in VirusTotal classified exxonmobilvendor[.]com as malicious, while another flagged it as SPAM.
Figure 5: Larsen & Toubro Fake Registration Detection
In both of the above scenarios, NACE successfully isolated and classified the Business Email Compromise (BEC) email as a "Vendor Impersonation" threat. This achievement was made possible by leveraging Generative and Predictive AI to extract critical features and their contextual relationships, enabling NACE to detect sophisticated BEC attempts that may evade traditional detection methods.
Figure 6: Results from VirusTotal for larssentoubro[.]com
At the time of writing the blog, only 1 out of 96 vendors in VirusTotal classified larssentoubro[.]com as malicious.
Conclusion:
These two cases highlight the evolving nature of business email compromise (BEC) threats and their ability to evade traditional detection methods. The sophistication of these scams is alarming, utilizing free email providers, plain-text emails, typosquatting, and combosquatting to deceive unsuspecting businesses into exploring seemingly legitimate business opportunities that are actually a ruse for more malicious activity. Moreover, the use of legitimate domains and the absence of URLs, images, and attachments make it increasingly challenging for traditional spam filters to detect such threats.
The fact that none of the vendors on VirusTotal detected any of the email samples, and so few flagged the domains, suggests a significant gap in current detection capabilities. Reliance on SPF, DKIM, sender domain, and IP reputation checks is no longer sufficient to combat these sophisticated attacks. It is essential that businesses remain vigilant and implement robust security measures to safeguard against such threats.
Ultimately, the success of BEC scams underscores the need for more advanced detection techniques that can identify intent and contextual relationships within emails. By acknowledging the limitations of traditional technologies and embracing new approaches, we can work towards a safer digital landscape where businesses are protected from falling victim to these sophisticated attacks.
Jan 8, 2025 5:14:01 PM