- While investigating phishing cases of various customers, CloudSEKs’ analysts identified a spear phishing campaign targeting multiple corporations.
- In this scam, the scammer pretends to be the CEO of the company and sends out a Whatsapp message to employees (mostly top-level executives) on their personal phone numbers.
- This report explains the TTPs (Tactics, Techniques and Procedures) used by these fraudsters including the misuse of business information tools and recommendations on future prevention.
Highlight: Recent investigations that displayed impersonation of the CEO’s publicly available pictures as Whatsapp Profile Pictures as a social engineering tactic to convince the victim.
Figure 1: Whatsapp message received by employees
Modus Operandi of the Scam
While investigating the incident for the modus operandi and likely Tactics, Techniques and Procedures we discovered the following:
- The scam starts with employees receiving an SMS-based message from an unknown based number allegedly impersonating a top-ranking executive from the organization. The reason for impersonating the top-ranking executive is to instill urgency and panic.
- If the receiver of the SMS acknowledges the scammer with a response, the threat actor/scammer would request to complete a quick task. The quick tasks commonly include:
- purchasing gift cards for a client or employee and/or
- wiring funds to another business.
- In some cases, the scammer may ask employees to send personal information (like PINs and passwords) to third parties, often providing a plausible reason to carry out the request.
Based on our experience in investigating similar incidents, we observed following:
- Threat actors often use commanding and persuasive language to convince the email victim to respond.
- The timeline to execute this action will also be short and the task urgent and in some cases, they will send multiple messages asking when the request will be completed and stress the importance of this action.
- Similar to the "phishing" scams seen over email, this version relies on texts that lure potential victims into disclosing information or clicking on a link.
How was information likely gained by scammers?
Information on Senior And Management level executives
Senior employees of the organization can be looked up from Linkedin. Threat actors then use popular Sales Intelligence or Lead Generation tools such as Signalhire, Zoominfo, Rocket Reach to gather PII information like emails, phone numbers, and more. These online databases of businesses have their methodologies for obtaining, verifying, and then selling the employees’ contact details of an entity.
Common techniques to extract information
SignalHire LinkedIn email extractor is a software built to help navigate through LinkedIn profiles and collect contact information of all people relevant to your business. The following are some examples of how senior employees' personal contact details can be extracted from Linkedin using SignalHire:
Figure 2: SignalHire information extraction from LinkedIn
Information from open source and cybercrime forum
CloudSEK’s flagship digital risk monitoring platform XVigil contains a module called “Underground Intelligence” which provides information about the latest Adversary, Malware, and Vulnerability Intelligence, gathered from a wide range of sources, across the surface web, deep web, and dark web.
While triaging the discussions on TOR-based (Dark Web) and surface web cybercrime forums/marketplace, our threat researchers discovered multiple posts related to the sale of databases of companies like signalhire that allegedly contain personal phone numbers of employees of various corporations.
Figure 3: Threat actors' posts on the cybercrime forum
The Conti ransomware first appeared as a sophisticated Ransomware-as-a-Service (RaaS) in 2019. The group uses multiple methods to distribute its ransomware. The most common one is phishing which includes spear-phishing campaigns and social engineering techniques to induce victims to submit more information or access credentials.
One of the tools used by the Conti group is gathering information from business information services like Zoominfo and Signalhire.
Figure 4:Source: INFOSECURITY MAGAZINE
Mitigation & Future Prevention
- Cyber security awareness programs must be organized for all employees to educate employees about the ongoing cyberattacks.
- Any payment requests with new or amended bank details received by email, letter or phone should be independently verified.
- Be cautious of how much information you reveal about your company and key officials via social media platforms and over the internet.
- B2B directories provide contact details for business purposes; hence, most of them also provide a “removal request” feature in their platform so the targeted entity will be allowed to contact them in order to remove their own data from the B2B Directory platform.
- *Intelligence source and information reliability - Wikipedia
- #Traffic Light Protocol - Wikipedia
- Phishing Takeaways from the Conti Ransomware Leaks - Infosecurity Magazine