Experienced fraudsters made off with $15 million from a U.S. company after carefully running an email compromise that took about two months to complete.
The cybercriminal executed their plan with surgical precision after gaining access to email conversations about a commercial transaction. They inserted themselves in the exchange to divert the payment and were able to keep the theft hidden long enough to get the money.
Although researchers investigated events at a single victim, they found clues indicating that dozens of businesses in construction, retail, finance, and legal sectors are on their list of targets.
After the actor decided on a target, they spent about two weeks trying to access email accounts. Once in, they devoted another week collecting information from the victim’s mailbox and identifying an opportunity.
Ariel Parnes, Chief Engineering Officer at Mitiga, the company investigating the incident, told BleepingComputer that their researchers did not find malware on the victim systems, which points to a compromised email login rather than an infected host.
Email access was not enough, though, Parnes told us. Since the actor could lose that access at any moment, they created email forwarding rules so that messages from the monitored inbox would keep reaching them.
By also using the Microsoft Office 365 email service for domains impersonating the two parties involved in the transaction, the cybercriminals would be able to continue the attack.
Mitiga says that the threat actor delivered emails using an Office 365 account to reduce suspicion and evade detection. They also registered domains via a GoDaddy registrar (Wild West Domains) that were similar to those used by legitimate businesses (many of them in the U.S.).
These details allowed Mitiga to establish a pattern and discover more than 150 of these rogue domains, revealing the larger activity of the cybercriminal group.
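As an added illustration, not code from the article or from Mitiga, here is a small Python check of the kind a defender runs over newly observed registrations to flag domains that resemble a protected list of legitimate ones (same label under a different TLD, homoglyph or hyphen variants, or a short edit distance). All domain names below are constructed placeholders, not domains from the incident.

```python
from typing import Dict, List, Tuple

# Constructed sample data (placeholder names, not domains from the incident).
LEGIT_DOMAINS = ["acme-construction.com", "northbank-finance.com", "greenlaw-legal.com"]
OBSERVED = [
    "acme-constructlon.com",   # letter substitution (i -> l)
    "acme-construction.co",    # same label, different TLD
    "northbank-finance.net",   # same label, different TLD
    "greenlaw-legal.com",      # the legitimate domain itself
    "unrelated-shop.org",      # unrelated registration
    "north-bank-finance.com",  # inserted hyphen
]

# Common visual substitutions, folded before comparing labels.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (label, tld) for a simple two-part domain, lower-cased."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def fold(label: str) -> str:
    """Apply homoglyph folding and drop hyphens so visual twins compare equal."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(observed: List[str], legit: List[str], max_distance: int = 2) -> Dict[str, Tuple[str, str]]:
    """Map each suspicious observed domain to (legit domain it mimics, reason)."""
    hits: Dict[str, Tuple[str, str]] = {}
    legit_set = {d.lower() for d in legit}
    for cand in observed:
        if cand.lower() in legit_set:
            continue  # the real domain is not a lookalike
        c_label, c_tld = split_domain(cand)
        for real in legit:
            r_label, r_tld = split_domain(real)
            if c_label == r_label and c_tld != r_tld:
                hits[cand] = (real, "same label, different TLD")
                break
            if fold(c_label) == fold(r_label):
                hits[cand] = (real, "homoglyph or hyphen variant")
                break
            if levenshtein(c_label, r_label) <= max_distance:
                hits[cand] = (real, "edit distance <= %d" % max_distance)
                break
    return hits
```

Running `find_lookalikes(OBSERVED, LEGIT_DOMAINS)` flags four of the six constructed registrations; in practice the observed list would come from a certificate-transparency or newly-registered-domain feed.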
Full article on https://www.bleepingcomputer.com/news/security/the-anatomy-of-a-15-million-cyber-heist-on-a-us-company/
#cyber #attack #heist #US #mindyourdata #yokdata #blog