Targeted BEC Scam

    17 December 2024

    Key Points

    What you'll learn in this notification

    Threat actors deploy voice deepfakes in sophisticated law firm impersonation campaign

    • Sophisticated Business Email Compromise (BEC) campaign exploiting DocuSign and Adobe Sign
    • Attackers appear to have knowledge of business relationships and utilize deepfakes to add credibility to their scams
    • Primarily targeting Banking, Financial Services and Insurance

    Mimecast threat researchers have discovered a highly targeted Business Email Compromise campaign. Our analysis reveals increasingly sophisticated techniques being used to make BEC emails appear legitimate.


    Initial email

    The campaign begins with an email sent via trusted services, such as DocuSign and Adobe Sign, falsely claiming to be from a law firm. The email requests that the recipient sign a document and call a provided phone number, which is not associated with the law firm.





    This campaign appears to be highly targeted, and the law firm details in these initial emails indicate the threat actor may have prior knowledge of a working relationship with the target business. Once the victim calls the number, they will speak with the threat actor impersonating someone from this law firm.

    The victim is then instructed to email an address with a domain resembling the legitimate law firm's domain, creating an email relationship with this suspicious address. This address will then be used for further communication as a trusted sender for this user.


    Follow up communication

    Once the connection is established, the threat actor uses the suspicious address to send a fraudulent invoice requiring payment. To give further legitimacy to this campaign, the victim will receive a deepfake phone call impersonating a CEO or someone who is authorized to approve the transfer.

    The amounts requested are likely to be significant and should be treated with extreme caution.



    Mimecast Protection

    We have identified several attributes in the campaigns which have been added to our detection capabilities. View the Advanced BEC Protection page to learn more about how our advanced AI and Natural Language Processing capabilities aid in detecting evolving threats.



    Targeting:

    Primarily US and UK, across Banking, Financial Services and Insurance. Activity outside of those regions and verticals has been detected as well.



    IOCs

    Initial Reply-To Domain




    Recommendations

    • Conduct awareness sessions for employees about BEC tactics and how to identify phishing attempts.
    • Educate end users about the continued trend of legitimate tools being used in malicious campaigns.
    • Implement verification protocols for any unexpected or suspicious emails purportedly from law firms using DocuSign and Adobe Sign, especially those requesting sensitive information or financial transactions.
    • Always report any phishing or BEC scam email to Mimecast or your email security provider.
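
    A triage check that supports the verification step above, as an added example (not Mimecast's detection logic): it flags e-signature notifications whose Reply-To points outside the service and your known counterparties, and any address domain within two edits of a known law-firm domain. The sender domains, counterparty list and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the advisory): e-signature sender domains as seen in
# your own mail flow, and your own list of known counterparty domains.
ESIGN_SENDERS = {"docusign.net", "adobesign.com"}
KNOWN_FIRMS = {"examplelaw.example"}  # constructed law-firm domain

def domain_of(header):
    """Lower-cased domain of an address header, '' when the header is absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower().rstrip(".")

def is_under(domain, parents):
    return any(domain == p or domain.endswith("." + p) for p in parents)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    # E-signature notification whose replies go to an unknown third party.
    if is_under(sender, ESIGN_SENDERS) and reply_to:
        if not is_under(reply_to, ESIGN_SENDERS | KNOWN_FIRMS):
            findings.append("esign-reply-to-unknown:" + reply_to)
    # Any address domain that nearly matches a known counterparty.
    for d in sorted({sender, reply_to} - {""}):
        for firm in sorted(KNOWN_FIRMS):
            if not is_under(d, {firm}) and edit_distance(d, firm) <= 2:
                findings.append("lookalike-of-" + firm + ":" + d)
    return findings

# Constructed sample messages, not taken from the campaign.
LURE = ("From: Example Law via Docusign <dse@docusign.net>\n"
        "Reply-To: accounts@sign-notify.example\nSubject: Please sign\n\nbody")
LOOKALIKE = "From: J Doe <j.doe@examp1elaw.example>\nSubject: Invoice\n\nbody"
LEGIT = ("From: Example Law via Docusign <dse@docusign.net>\n"
         "Reply-To: j.doe@examplelaw.example\nSubject: Please sign\n\nbody")
if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, triage(raw))
```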

    Mimecast is actively working with services such as DocuSign to help tackle the misuse of these trusted services.


    Report DocuSign scam information through their official reporting page at https://www.docusign.com/trust/security/incident-reporting, providing as much detail as possible about the suspicious activity, including any emails, links, or documents you have received.
