Cybersecurity experts are warning of a new, widespread business email compromise (BEC) campaign, which seeks to reroute large money transactions to bank accounts belonging to the attackers.
The idea is simple in theory: the attackers would first compromise a business email (opens in new tab) account through the use of phishing. Then, they’ll land into the inbox and lurk there, monitoring various email chains and threads, until they identify one where a wire transfer is being planned. Then, when the planning is done, and just before the victim sends the funds, the attacker will reply to the email chain asking for the funds to be sent elsewhere, saying the original bank account was frozen due to a financial audit.
The attackers are reportedly stealing “several million dollars” per incident, and also use typosquatting domains to further trick the victims.
Abusing DocuSign
The campaign was spotted by researchers from Mitiga who were investigating an incident response case.
It all starts with a phishing attack on the victim’s business email. Mitiga has found that this email is designed to look as if it’s coming from DocuSign, and that it usually carries a button saying “Review Document”. Targets that press the button will be redirected to a phishing page built to mimic a Windows domain login page. Then, with the assistance of a tool called evilginx2, the attackers are able to steal session cookies and thus bypass multi-factor authentication (MFA).
Stealing session cookies to bypass MFA is not a novel practice, and businesses have started countering it by having the sessions last shorter. It’s safer, but not as convenient, as users are required to re-authenticate more often on their endpoints (opens in new tab). To solve this challenge, threat actors have started registering additional MFA devices to the compromised accounts, as this move doesn’t trigger any notifications.
However, MFA changes on user accounts can be tracked through the Azure Active Directory Audit Logs, the researchers concluded.
Via: BleepingComputer (opens in new tab)
