Microsoft secured court order to take down domains used in BEC campaign

Microsoft has seized 17 malicious homoglyph domains used by crooks in a business email compromise (BEC) campaign targeting its users.

Microsoft’s Digital Crimes Unit (DCU) has seized 17 domains that were used by scammers in a business email compromise (BEC) campaign aimed at its customers.

The IT giant secured a court order that allowed it to take down “homoglyph” domains used by scammers to impersonate Office 365 customers in fraudulent activities. 

The term “homoglyph” is used to refer to domains created with names similar to legitimate ones, for example using characters with shapes that appear identical or very similar to the characters of a legitimate domain, such as the capital letter “O” and the number “0” (e.g. MICROSOFT.COM vs. MICR0S0FT.COM) or an uppercase “I” and a lowercase “l” (e.g. MICROSOFT.COM vs. MlCROSOFT.COM). 

Most of the victims are small businesses operating in North America across multiple industries, according to Microsoft crooks behind this campaign are part of an extensive network that appears to be based out of West Africa.

“In this instance, the criminals identified a legitimate email communication from the compromised account of an Office 365 customer referencing payment issues and asking for advice on processing payments. The criminals capitalized on this information and sent an impersonation email from a homoglyph domain using the same sender name and nearly identical domain. The only difference between the genuine communication and the imposter communication was a single letter changed in the mail exchange domain, done to escape notice of the recipient and deceive them into believing the email was a legitimate communication from a known trusted source.” reads the post published by Microsoft.

The defendants domains used in this campaign were registered via NameSilo LLC and KS Domains Ltd./Key-Systems GmbH domain registrars. They used the homoglyph domains along with stolen customer credentials to access customer accounts, monitor customer email traffic, gather intelligence on pending financial transactions, and impersonate O365 customers, to trick victims into transferring funds to bank accounts under their control.

Attackers use multiple attack techniques to compromise business email accounts, such as social engineering phishing campaigns.

“In this BEC attack, these fraudulent domains, together with stolen customer credentials, were used by cybercriminals to unlawfully access and monitor accounts. The group proceeded to gather intelligence to impersonate these customers in an attempt to trick victims into transferring funds to the cybercriminals.” continues the post. “Once the criminals gained access to a network, they imitated customer employees and targeted their trusted networks, vendors, contractors and agents in an effort to deceive them into sending or approving fraudulent financial payments.”

A judge in the Eastern District of Virginia issued a court order that required domain registrars to shut down the malicious domains.

This isn’t the first time Microsoft secured a court order to curb such kind of attacks, last year, a court allowed the company to seize and take over malicious domains used in a large-scale COVID19-themed campaign targeting victims in tens of countries across the world.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BEC)

[adrotate banner=”5″]

[adrotate banner=”13″]