The Gist:

Recently, cybersecurity researchers at Group-IB discovered a phishing operation targeting the associates and employees of 30 companies in 12 industries globally.  The targeted industries include energy, fashion, aerospace, manufacturing, telecommunications, finance, and government. Of these, the three most attacked were manufacturing (19.4%), aerospace (16.1%), and finance (12.9%).

According to their findings, over 200 malicious links have been distributed across these sectors, with the ultimate goal of stealing login credentials. What made this campaign even more dangerous and pervasive than your run-of-the-mill phishing attack was the use of advanced techniques that allowed perpetrators to bypass secure email gateways (SEGs) by design and  enabled them to evade detection.

This campaign utilized three core techniques to achieve this. They were:

●      Document Platform Impersonation

●      Trusted Domain Abuse

●      Dynamic Company Branding

Document Platform Impersonation:

Incidents involving document platforms are on the rise.  A recent report revealed a 98% increase in DocuSign-related attacks last month alone, as cybercriminals began to abuse DocuSign’s Envelopes API to create fraudulent documents through genuine accounts, shifting away from the tactic of exploiting vulnerabilities and towards exploiting application trust.Believing that these documents are legitimate and time-sensitive, employees access them, granting fraudsters the information they’re after.

Trusted Domain Abuse:

In this scenario, attackers implant malicious URLs into legitimate platforms such as Google AMP and Adobe.com, making it extremely difficult for security tools to flag them. This phishing campaign leverages Adobe notifications to trick employees into clicking their stealing links.

‍

Dynamic Company Branding:

With this tactic, cybercriminals create dedicated phishing pages, which display legitimate company branding and logos, creating a false sense of security and legitimacy for the potential victim.This has been a common tactic used to carry out the increasing amount of DocuSign attacks.

When one of these links is clicked, the victims are directed to login pages that are already filled with their email addresses. Once their information is entered, attackers are granted real-time access to their information through Telegram bots or Command-and-control servers.

Trustmi’s Take:

This global phishing campaign targeting 12 industries isa clear signal that we need to constantly revisit our approach to cybersecurity.

The reality is that these threats won’t disappear, but instead evolve and become more pervasive over time. While cutting-edge AI solutions are important, they're just part of the puzzle. We need to create a work environment where everyone is cyber-savvy and a bit skeptical – in a good way.

With attackers gunning for big players in manufacturing, aerospace, and finance, it's obvious they're after some serious payoffs. This means cybersecurity isn't just an IT problem anymore – it's a major business concern. This necessitates the implementation of a comprehensive and proactive approach to business payments and email security. This can be achieved by deploying AI-powered payments and email security that grants end-to-end payment process visibility.

To learn more about the financial consequences and broader implications of BEC attacks, check out this blog post.

‍