Microsoft warns of a large-scale BEC campaign to make gift card scam

Microsoft is warning of a large-scale BEC campaign that targeted hundreds of organizations leveraging typo-squatted domains registered days before the attacks.

Business email compromise (BEC) attacks represent a serious threat for organizations worldwide, according to the annual report released by FBI’s Internet Crime Complaint Center, the 2020 Internet Crime Report, in 2020, the IC3 received 19,369 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints. The reports states that BEC/EAC crimes caused $1.8 billion in losses.

Now Microsoft is warning of a large-scale BEC campaign that targeted more than 120 organizations with gift card scam.

The attackers targeted organizations in multiple industries, including the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors. The threat actors leverage typo-squatted domains to trick the recipients into believing that the emails were originating from valid senders.

The emails, that pretend to be sent by managers of employees working in various organizations, requesting to purchase gift cards to give to the team as an incentive for their hard work during the pandemic.

“In the middle of the workday, you get an email appearing to come from your boss, requesting that you purchase gift cards to give to the team as an incentive for their hard work during the pandemic. The request seems a little strange, you think. Maybe it was a spur-of-the-moment initiative. But you’re a rock star assistant and decide to go ahead and purchase the gift cards using department funds.” states a blog post published by Microsoft. “You reply to your boss’s email with the gift card codes. After a while of not hearing back, you finally ping them on chat to make sure they received them. Your boss expresses their confusion in response to your chat message–they never requested gift cards for the team.”

The emails employed in this campaign starts with a vague request, such as “I need you to do a task for me” or “Let me know if you’re available.”

In the following message, the attacker claims to be “Steve,” which is the name of an executive at this targeted organization.

Upon replying to the email, the attacker will demand for a gift card. In some cases, attackers directly requested a gift card to the recipient.

“We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began,” continues Microsoft. “the registered domains did not always align with the organization being impersonated in the email. This could have been a mistake on the actor’s part, as BEC domains are typically designed to closely mimic the impersonated organization. For example, an actor may register microsoft.xyz or micrrosoft.com, both of which would normally be used to send emails pretending to originate from Microsoft. In this campaign, those types of homoglyphed and typo-squatted domains were used to send emails pretending to originate from a variety of organizations.”

Experts pointed out that attackers show high reconnaissance skills that were used to gather intelligence on the targets and target the rights employees within the organizations.

Attackers are also faking the In-Reply-To and References headers to add an extra air of legitimacy to the email. 

“Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user,” continues Microsoft. “This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BEC)

[adrotate banner=”5″]

[adrotate banner=”13″]