Category | Industry | Motivation | Region | Source* |
---|---|---|---|---|
Adversary Intelligence | Multiple | Financial | Middle East | A1 |
CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals.
Previously, CloudSEK researchers identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity and UAE-based government organizations. Now, CloudSEK has unearthed a cluster of phishing domains registered using similar naming schemes to target contractors in the UAE in the guise of vendor registration, contract bidding, etc.
The threat actors behind this campaign are strategically buying or registering domains containing keywords similar to the victims' domains, and are targeting multiple industries, such as travel and tourism, oil and gas, real estate, and investment, across the Middle East.
Some domains have only a mail server enabled, while others host websites that are meant to convince users they belong to legitimate businesses.
Some scam domains redirect to the legitimate domain they imitate, so that victims trust the phishing emails sent from them.
The campaign is resilient to takedowns and hosting bans because it relies on pre-built static web pages made from similar templates; when one domain is banned, the same pages are simply uploaded to another.
For example, the newly registered domain bids-snoc[.]com, impersonating Sharjah National Oil Corporation (SNOC), will likely be used in future campaigns once the currently active fake domain is suspended.
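The naming scheme described above (a procurement keyword such as bid, tender, vendor, registration or rfq joined to an impersonated brand, sometimes with an ae/uae region token) lends itself to a simple triage check on newly registered domains. The following is an added illustration, not CloudSEK tooling; the brand list, keyword list and allowlist are assumptions drawn from the domains named on this page, and the sample inputs are constructed.

```python
import re

# Brand tokens and procurement keywords taken from the naming scheme described
# in the report (bid-, tender-, vendor-, registration-, rfq-, project ...).
BRANDS = {"adnoc", "snoc", "enoc", "taziz"}
KEYWORDS = {"bid", "bids", "biding", "bidding", "biddings", "bidders", "tender",
            "tenders", "vendor", "contract", "contracts", "contractor",
            "contractors", "registration", "registrations", "rfq", "proposal",
            "proposals", "project"}
REGION = {"ae", "uae"}
# Hypothetical allowlist of the impersonated organisations' own domains; only
# taziz.com is named in the report, the rest would come from an asset inventory.
LEGIT_DOMAINS = {"taziz.com"}
# Longest alternatives first so "tenders" beats "tender" and "uae" beats "ae".
_TOKEN_RE = re.compile(
    "(" + "|".join(sorted(BRANDS | KEYWORDS | REGION, key=len, reverse=True)) + ")")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as bid-adnoc[.]com back into bid-adnoc.com."""
    return indicator.strip().lower().replace("[.]", ".")

def tokenize(label: str) -> list[str]:
    """Split a second-level label into known tokens plus any leftover fragments."""
    return [p for p in (s.strip("-_") for s in _TOKEN_RE.split(label)) if p]

def classify(indicator: str) -> dict:
    """Flag a domain that pairs an impersonated brand with a procurement word."""
    domain = refang(indicator)
    labels = domain.split(".")
    # Naive registrable label (label left of the TLD); no public-suffix lookup.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    tokens = tokenize(label)
    brands = [t for t in tokens if t in BRANDS]
    keywords = [t for t in tokens if t in KEYWORDS]
    verdict = {"domain": domain, "tokens": tokens, "brands": brands,
               "keywords": keywords, "lookalike": False, "confidence": "none"}
    if domain in LEGIT_DOMAINS or not brands:
        return verdict
    verdict["lookalike"] = True
    # Brand + procurement word matches the campaign's scheme exactly; brand with
    # only a region token (snocuae) still deserves an analyst review.
    verdict["confidence"] = "high" if keywords else "medium"
    return verdict

def triage(indicators: list[str]) -> list[dict]:
    """Return only the look-alikes, high-confidence hits first."""
    hits = [v for v in map(classify, indicators) if v["lookalike"]]
    return sorted(hits, key=lambda v: v["confidence"] != "high")
```

Feeding `triage()` a daily feed of newly registered domains gives a short review queue; the allowlist prevents the real brand domains from being flagged against themselves.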
Corporations | Estimated Revenue |
---|---|
Abu Dhabi National Oil Company (ADNOC) | $59 Billion |
Sharjah National Oil Corporation (SNOC) | $84 Million |
Emirates National Oil Company (ENOC) | $14 Billion |
Of the 35 phishing domains analyzed, over 90% of the look-alike domains targeting ADNOC, SNOC, and ENOC are hosted in North America. This preference is because there are several affordable providers in that region to choose from, and because those providers take time to process takedown requests.
The majority of these domains are registered with Tucows Domains, which is slow to respond to requests to suspend domains used for illegal activity. This is in contrast to other domain name service providers, many of whom respond to reports within one to three days.
BEC scams are popular among scammers because they offer a high return on investment: a malware campaign requires dedicated infrastructure, whereas a BEC scam needs only a domain with a mail server, or a domain with a website and a mail server.
In contrast to the domains with only a mail server, the domains with websites are set up to establish legitimacy. Most of these domains masquerade as investment firms, hotels, and travel agencies.
Another tactic we observed was fake domains forwarding traffic to the legitimate domain to establish trust. For instance, the fake domain rfq-taziz[.]com performs an HTTP 301 (Moved Permanently) redirect to taziz[.]com, a chemicals company in the UAE.
The cost-to-benefit ratio of BEC is high because, unlike a malware campaign, it needs no complex infrastructure: a domain name with a mail server, even one rented from a third party, is sufficient. The threat actor then sends fake emails to employees of the targeted firms, typically about pending payments, investment opportunities, job offers, and the like. To support this operation, the threat actors appear to have set up an entire network of fake domains related to the finance, tourism, and travel sectors, which use techniques such as domain forwarding to establish user trust and are quite resilient to takedowns.
Pursuing these attackers legally could limit their operations, but it is a challenging task given the structure of the internet, where the domain name provider may be in one country and the mail servers in another. The best approach is therefore preventive: train employees to recognize BEC scams, and require multi-level authentication and identity verification for payments.
Domains registered with hr.kashifgroup@gmail[.]com, chai.mkopelmd@gmail[.]com, caywoodethanusarmy@gmail[.]com:
Multiple industries being targeted:
Websites associated with the Google Analytics ID, UA-6175655: