Category: Adversary Intelligence	Industry: Multiple	Motivation: Financial	Region: Middle East	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Large-scale BEC campaign targeting Middle East-based companies and their vendors. Scam emails lure vendors under the pretext of vendor registration, contract bidding, etc. Use domain forwarding to the original domain to establish trust.	Loss of revenue and reputation. Deploy malware that can compromise the company’s data and infrastructure. Resilient to takedowns because threat actors recycle static web pages to set up websites after suspension.	Verify payment requests using secure internal workflows. Check email addresses and URLs for altered spellings. Awareness campaigns to educate employees. Real-time monitoring and takedowns. Attribution of threat actors to address the root of the issue.

Analysis and Attribution

Information from the Post

CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals. Previously, CloudSEK researchers identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity and UAE-based government organizations. Now, CloudSEK has unearthed a cluster of phishing domains registered using similar naming schemes to target contractors in the UAE in the guise of vendor registration, contract bidding, etc. The threat actors behind this campaign are strategically buying/ registering domains with keywords similar to the victim domains and are targeting multiple industries, such as Travel and Tourism, Oil & Gas, Real Estate, and Investment across the Middle east. Some domains have only an email server enabled while others have set up websites to trick the users into thinking that they are legitimate businesses. Some scam domains redirect to legitimate domains to trick victims into trusting the phishing emails. The campaign is resilient to takedowns or hosting bans as it uses pre-stored static web pages with similar templates. These are uploaded from one domain to another in case of a ban. For example: There is a newly registered domain bids-snoc[.]com, impersonating Sharjah National Oil Corporation (SNOC), which will likely be used for future campaigns when the current fake domain is suspended.

Corporations	Estimated Revenue
Abu Dhabi National Oil Company (ADNOC)	$59 Billion
Sharjah National Oil Corporation (SNOC)	$84 Million
Emirates National Oil Company (ENOC)	$14 Billion

Of 35 phishing domains analyzed, over 90% of the look-alike domains targeting ADNOC, SNOC, and ENOC are hosted in North American. This preference is because there are several affordable providers in that region to choose from. Moreover, the service providers take time to process takedown requests. The majority of these domains belong to Tucows Domains, which is slow to respond to requests for the suspension of domains used for illegal activity. This is in contrast to other domain name service providers, many of whom have a one to three-day response to reports. BEC scams are popular among scammers because there is a high return on investment. For example, malware requires dedicated infrastructure. However, BEC scams only need a domain with an email server or a domain with a website and email server.

Domain with Email Server Only:

• DNS records show that some of the phishing domains have multiple MX records set up to send emails.
• The researchers have been able to obtain some of the emails sent by the scammers through OSINT (See Appendix). The emails appear to be properly formatted and grammatically correct. Hence, it can be inferred that these are not amateur campaigns. The threat actor appears to be veterans who have been targeting the region for a few years, with some of the domains dating back to 2020.
• There are also a variety of scams being used to lure users. Apart from vendor registration and contract bidding, they also use fake job offers and investment opportunities to hoodwink victims. (See Appendix).

[caption id="attachment_21710" align="alignnone" width="614"] A scam email from one of the fake domains abdul-sattar-abdul-tr[.]com[/caption]

• Zoho Mail is the preferred email service provider used by the threat actors behind this campaign. The reason is that using a third-party service removes the hassle of setting up email servers. Instead, the whole infrastructure is provided by a third party which includes services like DMARC to prevent email spoofing.
• One of the likely reasons to use Zoho by the threat actors is that it provides a 15-day free trial for the Mail Premium plan without a credit card. So, either the threat actor is using this offer or has a premium subscription to the service which is not expensive.

[caption id="attachment_21711" align="alignnone" width="928"] Threat actors operating with look-alike domains and mail servers[/caption]

Domains with Website and Email Servers:

In contrast to the domains with email servers only, the purpose of setting up websites is to establish legitimacy. Most of these domains masquerade as investment firms, hotels, and travel agencies. [caption id="attachment_21712" align="alignnone" width="1690"] Threat actor with a default website and a Zoho Mail server[/caption]

Domains with Domain Forwarding and Email Server:

Another tactic that we observed was fake domains forwarding traffic to the legitimate domain to establish trust. For instance, the fake domain rfq-taziz[.]com performs an HTTP 301 (moved) redirect to the domain taziz[.]com, which is a chemicals company in UAE. [caption id="attachment_21713" align="alignnone" width="943"] Threat actors set up domain forwarding and email server for operation[/caption]

Resilience to Takedowns and Suspensions

[caption id="attachment_21714" align="alignnone" width="971"] Threat actors clone websites using HTTrack for easy set up on look-alike domains[/caption]

• Automatic creation of multiple static pages: The pages of fake websites have content generated using some software as the content seems to be copied from the web. For instance, duramtravels[.]com copies from altdubai[.]com and even has fake documents on it regarding the company (see Appendix). Moreover, a similar theme was used across multiple such fake websites.
• Recycling of the pages: Backups of the fake websites are kept cloned via HTTrack software (see Appendix) whose signature was present in the source code. If one hosting provider blacklists them, the threat actors simply transfer the pages to another hosting service and the website is up again! The directory listing is enabled for some fake websites that show the entire image folders that can be shifted (see Appendix).
• Similar Domain Names: When the domain is blacklisted, the threat actor obtains another look-alike domain and reuploads the static pages there. For example, the domain shh-hotel[.]com which was active earlier is now shh-hotels[.]com.

Prediction

• It can be stated confidently that the threat actor will target SNOC again from a new domain bids-snoc[.]com which has been newly created on 17 Aug 2022 using the email hr.kashifgroup@gmail[.]com. The domain has no A records as of now but will be used in future attacks on SNOC once the email servers are set up.
• The same email has also been used to register another new domain guarantfinancial[.]com on the same day. This domain has a fake finance website setup. So, it is likely that the threat actor will be sending emails related to fake investment opportunities using the website.

Conclusion

The cost-to-benefit ratio of a BEC is high as there is no need for a complex infrastructure like in the case of a malware campaign. Just a domain name with an email server and that too from a third party is sufficient to conduct these attacks. The threat actor then sends fake emails to the employees of the firms being targeted. These emails often contain fake pending payments, investment options, job offers, etc. To support this operation, these threat actors seems to have set up an entire network of such fake domains related to the finance, tourism, and travel sector. Which deploy a variety of techniques such as domain forwarding to establish the user trust and are quite resilient to takedowns. Pursuing these attackers legally can limit their operations. However, this would be a challenging task given the structure of the internet wherein some domain name providers may be in another country while mail servers are in another. Thus, the best solution would be to take preventive measures to avoid them from happening in the first place. Like training the employees regarding BEC scams and making multi-level authentication and identification mechanism for payments.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://fraud-reports.fandom.com/wiki/Tucows#Actual_Behavior
• https://www.whoxy.com

Appendix

Domains registered with hr.kashifgroup@gmail[.]com, chai.mkopelmd@gmail[.]com, caywoodethanusarmy@gmail[.]com:

Phishing Domains Targeting ADNOC	contact-adnocae[.]com adnoc-vendor[.]com bid-adnoc[.]com tender-adnoc[.]com tenders-adnoc[.]com contracts-adnoc[.]com contractors-adnoc[.]com registration-adnoc[.]com registrations-adnoc[.]com

Phishing Domains Targeting SNOC	snocprojectae[.]com snocprojectuae[.]com snocproject-ae[.]com snoc-projectae[.]com snoc-projectuae[.]com contract-snoc[.]com ae-snocproject[.]com uae-snocproject[.]com ae-snoctenders[.]com uae-snoctenders[.]com

Phishing Domains Targeting ENOC	bid-enoc[.]com biding-enoc[.]com bidders-enoc[.]com administrator-enoc[.]com registrations-enoc[.]com registration-ae-enoc[.]com proposal-enoc[.]com proposal-ae-enoc[.]com proposals-ae-enoc[.]com biddings-enoc[.]com consultant-enoc[.]com consultant-ae-enoc[.]com consultants-ae-enoc[.]com contractor-enoc[.]com vendor-enocbid[.]com

  Multiple industries being targeted:

Domains Registered using hr.kashifgroup@gmail.com Targeting Multiple Industries

investinadio[.]com adio-gov[.]com salacomimmigration[.]com alfujairah-ae[.]com abbrossgeneralhospital[.]com gulfins-ae[.]com enacopetroleum[.]com safetravel-services[.]com hamraoilgroup[.]com alhmodzinoilfildservices[.]com rakpetrolae[.]com aiischools[.]com llhhospitals[.]com dahilalcapitalinvest[.]com duramtravelagency[.]com snocuae[.]com diligencefinconsultants[.]com emarataljabrisolicitors[.]com emsclikoil[.]com zbavitae[.]com rambolloil[.]com enocbids[.]com stabluk[.]com mohregov-ae[.]com harvesttravelagency[.]com dibfinancialservice-uae[.]com tenders-adio[.]com tenders-aisschools[.]com hpschooluae[.]com rfq-taziz[.]com ahaliahospitalae[.]com abienceinvestments-fze[.]com sheikhmouradoil[.]com qatarenergys[.]com kilimondoilgas-dubai[.]com camschooluae[.]com gulfmarineoilservices[.]com quickcitytravel[.]com globalhospae[.]com westernmedicalspecialisthosp[.]com bid-taqa[.]com adbntogo[.]com atenaeps[.]com dubaiferryae[.]com adnoc-vendor[.]com easternbaytravels[.]com siemenoilandgas[.]com fenczyflyemiratetravels[.]com nipmse[.]com builds-emaar[.]com specgulfae[.]com zirvaenergy[.]com eaglestravels-ae[.]com stalinschoolintlacademy[.]com nowmcopetroleum[.]com flywaytravelandtourism[.]com alzarafatravellsae[.]com gulfcoastoilngas-ae[.]com emspgenerahospae[.]com

  Websites associated with the Google Analytics ID, UA-6175655:

Other Phishing Domains Identified using the Same Google Analytics Id: UA-6175655	oceanicflyimmigration[.]com iconiqueimmigration[.]com arabianmigration[.]com abdul-sattar-abdul-tr[.]com alfayhaatravels[.]com flylinkimmigration[.]com horsespeedtravel[.]com toursolutions4u[.]com

    [caption id="attachment_21716" align="alignnone" width="1136"] Website using a mobile number that has been flagged as “Fake Recruiters”[/caption]     [caption id="attachment_21717" align="alignnone" width="708"] One of the fake websites’ phone numbers is blacklisted as a scam[/caption]   [caption id="attachment_21718" align="alignnone" width="414"] A scam email from one of the fake domain abienceinvestments-fze[.]com[/caption]  [caption id="attachment_21719" align="alignnone" width="1024"] Source Code of a malicious domain showing the use of HTTrack software[/caption] [caption id="attachment_21720" align="alignnone" width="703"] HTTrack software is used by the threat actor to keep clones of websites[/caption]   [caption id="attachment_21721" align="alignnone" width="729"] Directory listing enabled for duramtravels[.]com that contains documents from Alt Dubai on the server[/caption] 

Schedule a CloudSEK demo

At CloudSEK, we predict cyber threats.

Our solutions have relevant use cases for several industries including BFSI. At CloudSEK, we combine the power of Cyber Intelligence, Brand Monitoring, Attack Surface monitoring, Infrastructure Monitoring and Supply chain to give visibility and context to our customer's Initial Attack Vectors. Interested to know more? Let our CloudSEK experts give you a detailed walkthrough of our platform’s capabilities.