Invoice Based BEC Threats

    18 November 2024

    Key Points

    What you'll learn in this notification

    Prevent the payment of fraudulent ZipRecruiter and TeamViewer invoices.

    • Targeting predominantly the Real Estate and legal Industry
    • Attackers create fraudulent emails that appear to originate from TeamViewer, ZipRecruiter and other brands, often using similar domain names or slight variations
    • The goal is to facilitate unauthorized monetary transfers.

    Mimecast Threat Researchers have detected a surge in Business Email Compromise (BEC) attacks specifically targeting the real estate sector globally. Threat actors are impersonating ZipRecruiter, TeamViewer, Zoom and other products to deceive organizations into paying invoices for services, potentially leading to financial losses. In most cases the emails originate from a compromised account but with a newly observed domain in the reply-to address.



    Psychological tricks used

    • Long thread with approval from someone senior (appears to be going to the legitimate email address) which can fool the employee to make the payment without double checking
    • Sense of urgency added as the thread has been going on for some time and the invoice has been chased
    • A well formulated invoice attached


    Common Techniques

    • Sending emails from compromised accounts ensures authentication checks such as SPF and DKIM pass.
    • New domain reply to are used usually to group and manage the replies to campaigns.
    • Email headers containing 'From' and 'Reply-to' fields can include display names that mask suspicious sender addresses, as recipients typically only see the display name when viewing emails on mobile devices.


    TeamViewer BEC Example

    TeamViewer-BEC-Example.webp
    BEC threat language visibility is available through Mimecast Advanced BEC Protection

    In the two most prevalent examples the accounts processing teams are targeted with an invoice request from a lookalike domain. The invoice amount of is referenced in the email body and the attached invoice includes the attackers bank account details. The same bank account information is across both invoices. The invoice appears to be based on a legitimate TeamViewer invoice which can easily be found through Google.



    TeamViewer Invoice

    TeamViewer-Invoice.webp

    In the second example the threat actor impersonates a legitimate recruitment company, sending the email from a compromised legitimate domain (unrelated to ZipRecruiter).



    ZipRecruiter BEC Example

    ZipRecruiter-BEC-Example.webp

    BEC threat language visibility is available through Mimecast Advanced BEC Protection



    ZipRecruiter Invoice

    ZipRecruiter Invoice.webp


    Mimecast Protection

    We have identified several attributes in the campaigns which have been added to our detection capabilities. View the Advanced BEC Protection page to learn more about how our advanced AI and Natural Language Processing capabilities to aid in detections of evolving threats.

    Targeting:

    Global, Predominantly Real Estate and legal Industry



    IOCs:



    Sender Domains:

    teamviewing-dashboard[.]com
    collections-zoominfo[.]com



    Reply-to Domains:

    reply-ms-suite[.]online
    accounting-zip-recruiting[.]com
    usazoominfo[.]com
    ar-pitchbook[.]com
    zoominfo[.]app



    Subjects:

    unpaid-bill-inv1912701
    request-for-correction-of-double-charge
    payment-advice-notification
    re-invoice-12862843-for-ziprecruiter-subscription



    Recommendations

    • Conduct awareness sessions for employees about BEC tactics and how to identify phishing attempts.
    • Educate end users around the continued trend of legitimate tools being used in malicious campaigns.
    • Implement verification protocols for any unexpected or suspicious emails purportedly from ZipRecruiter and the other brands in this notification, especially those requesting sensitive information or financial transactions.
    • Always report any phishing or BEC scam email to Mimecast or your email security provider.


    Scam Reporting

    TeamViewer Germany GmbH is a legitimate software development company. Unfortunately, as is sometimes the case for long-standing and successful companies, the software or the brand is occasionally targeted or misused by bad actors. TeamViewer takes the security of his customers very seriously and has implemented robust measures to protect against scams and fraudulent activities. If you have experienced or suspect a case of malicious use of TeamViewer, please contact TeamViewer privacy team via the 'Report a Scam' form on this page: https://www.teamviewer.com/en/report-a-scam/



    Mimecast is collaborating with TeamViewer to share intelligence and technical indicators related to the Business Email Compromise campaign that is actively exploiting their brand identity.
    Back to Top