Double-check demand payment emails from law firms: Convincing fakes surface
2022-11-04 18:30

The Crimson Kingsnake cybercrime gang's business email compromise (BEC) campaign is targeting victims in the US, Europe, Australia, and the Middle East using blind third-party impersonation: the gang poses as an outside law firm with which the target has not necessarily ever dealt, rather than compromising any real account. The emails come from addresses on domains that closely resemble the impersonated firms' real domains, and the message bodies include the firm's genuine business address and VAT number.

The emails look authentic, and because the impersonated lawyers and law firms are real, a web search for their names turns up legitimate results rather than anything that would expose the scam.

If the targeted employee questions the invoice, the group sometimes follows up with a second bogus email, purportedly from an executive at the employee's own company, vouching for the invoice's legitimacy.

In one example from Crimson Kingsnake's campaign, a company received an email from a lawyer at Simon and Cromwell, a New York-based international law firm, with "Unpaid invoice" in the subject line.

If the target responds, the group sends a fake PDF invoice carrying payment account details, a fabricated description of the services supposedly rendered, the total amount due, and the law firm's logo.

The email from the "executive" is actually sent from a domain Crimson Kingsnake controls, but the display name includes the executive's real email address in parentheses. A recipient glancing at the sender line sees a familiar name and a familiar address and may never notice the true From address sitting behind them.
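Both tricks described above (lookalike sender domains, and a display name that carries someone else's real address) can be caught by inspecting the From: header before a human sees it. The following is an added example written for this page, not code from The Register or from any vendor research on Crimson Kingsnake. The domains victimcorp.com, victimcorp-mail.com and acmelaw.com, the name Jane Doe, and the sample headers are all constructed for illustration; the thresholds (edit distance of 2, label length of 5) are assumptions a deployment would tune.

```python
import re
from email.utils import parseaddr

# Matches an email address embedded anywhere in free text (display names, comments).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot near-miss domains such as acrnelaw.com vs acmelaw.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from_header(raw_from, trusted_domains, org_domain=None, known_names=()):
    """Return a list of (rule, detail) findings for one From: header value.

    Rules (all names and thresholds are this example's own, not a standard):
      embedded_address  - the display-name portion contains an email address whose
                          domain differs from the real sender domain
      lookalike_domain  - sender domain is not a trusted domain but is within edit
                          distance 2 of one, or contains its registrable label
      external_insider  - display name is a known insider's name, yet the message
                          did not come from org_domain
    """
    findings = []
    _, addr = parseaddr(raw_from)
    if "@" not in addr:
        return [("unparseable", raw_from)]
    addr_domain = addr.rsplit("@", 1)[1].lower()

    # Scan the raw text before the final <...> rather than a parsed display name, so
    # an address hidden in quotes or in an RFC 5322 "(comment)" is still found.
    display_part = raw_from.rsplit("<", 1)[0] if "<" in raw_from else ""
    for embedded in EMAIL_RE.findall(display_part):
        emb_domain = embedded.rsplit("@", 1)[1].lower()
        if emb_domain != addr_domain:
            findings.append(("embedded_address",
                             f"display name shows {embedded} but sender is {addr}"))

    sender_label = addr_domain.split(".")[0]
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if addr_domain == trusted:
            continue
        trusted_label = trusted.split(".")[0]
        # Substring rule catches victimcorp-mail.com; short labels are skipped to limit noise.
        if levenshtein(addr_domain, trusted) <= 2 or (
            len(trusted_label) >= 5 and trusted_label in sender_label
        ):
            findings.append(("lookalike_domain",
                             f"{addr_domain} resembles trusted domain {trusted}"))

    if org_domain and addr_domain != org_domain.lower():
        # Reduce the display name to the bare person name: drop comments, addresses, quotes.
        bare = re.sub(r"\(.*?\)", "", display_part)
        bare = EMAIL_RE.sub("", bare).replace('"', "")
        bare = " ".join(bare.split()).lower()
        if bare in {n.lower() for n in known_names}:
            findings.append(("external_insider",
                             f"'{bare}' is an insider name but sender domain is {addr_domain}"))
    return findings


if __name__ == "__main__":
    # Constructed sample header in the style described in the article.
    sample = '"Jane Doe (jane.doe@victimcorp.com)" <j.doe@victimcorp-mail.com>'
    for rule, detail in analyze_from_header(
        sample, ["victimcorp.com", "acmelaw.com"],
        org_domain="victimcorp.com", known_names=["Jane Doe"],
    ):
        print(f"[{rule}] {detail}")
```

In practice these checks belong in a mail gateway or a SIEM parser fed by message headers; the lookalike list would be the organisation's own domain plus the domains of vendors and law firms it actually pays, and any hit should route the message to a verification step that uses a phone number already on file, never one taken from the email.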


News URL

https://go.theregister.com/feed/www.theregister.com/2022/11/04/crimson_kingsnake_bec_scam/