Dirty Deeds, Done Dirt Cheap

A cruel business email compromise (BEC) gang called Lilac Wolverine is hacking people's email accounts and sending messages to their contacts claiming the account owner needs to send a gift to an unwell friend, manipulating people into sending online gift cards. Detailed by cybersecurity researchers, this organized cybercriminal group has fine-tuned techniques that pull on people's heartstrings.

They include false claims that the gift cards are meant for people who have been diagnosed with serious illnesses or have had a recent accident, with the claim that the account owner cannot buy the gifts because their bank card is missing or because they are out of the country. Gift cards are requested from familiar brands like Apple, Amazon, and Google Play, with amounts ranging from $100 to $500.

In what researchers describe as an "extremely high attack volume" and "one of the most prolific" BEC campaigns today, one element that makes the messages look more realistic to victims, and therefore potentially more successful for the scammers, is the hacking of real email accounts.

This is likely achieved with phishing attacks, using passwords leaked in an earlier data breach, or simply because the password securing the account is common or re-used.   But once an email address is successfully compromised, the attackers do not use the account itself to send out BEC campaigns.  Instead, they copy the victim's address book and set up a lookalike account, using the same name and username, or if that isn't available, making very subtle, often unnoticeable changes. The attackers use free webmail services to set up these accounts.

These newly generated email accounts, which are used to send out BEC phishing lures to the first victim's contacts, are designed to look like the real account, and they do come from the real address, but the reply address points to the newly created account used by the scammers.

Setting up one of these accounts sounds elaborate, but it means there is less chance that the victim of the initial account hack will notice something is wrong.  They likely use a separate, lookalike account so the owner of the compromised account does not get alerted when someone responds to an email they did not send.  Instead, any responses go to the lookalike account controlled by the attacker.
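As an added example (not from the article or the researchers it cites), the following Python check flags the header pattern described above: a Reply-To address that reuses the From username, or changes it by a character or two, so that replies land in a different mailbox. The `FREE_WEBMAIL` list, the `max_dist` threshold, the function names and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative free-webmail list; "freemail.example" is a placeholder.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character username tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_reply_to(raw: str, max_dist: int = 2) -> list[str]:
    """Return the reasons a message matches the lookalike Reply-To pattern."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if "@" not in from_addr or "@" not in reply_addr or reply_addr == from_addr:
        return []  # no Reply-To, or replies go back to the sender as usual
    f_user, f_dom = from_addr.rsplit("@", 1)
    r_user, r_dom = reply_addr.rsplit("@", 1)
    reasons = []
    dist = edit_distance(f_user, r_user)
    if dist == 0 and f_dom != r_dom:
        reasons.append("same username at a different domain")
    elif 0 < dist <= max_dist:
        reasons.append(f"username differs by {dist} character(s)")
    if reasons and r_dom in FREE_WEBMAIL:
        reasons.append("replies go to a free webmail account")
    return reasons

# Constructed sample messages; every address below is a placeholder.
LOOKALIKE_DOMAIN = ("From: Pat Doe <pat.doe@example.com>\n"
                    "Reply-To: Pat Doe <pat.doe@freemail.example>\n"
                    "Subject: Quick favor\n\nAre you free to catch up?")
LOOKALIKE_USER = ("From: Pat Doe <pat.doe@freemail.example>\n"
                  "Reply-To: Pat Doe <pat.d0e@freemail.example>\n"
                  "Subject: Hello\n\nWhere do you do your online shopping?")
BENIGN = ("From: News <news@example.org>\n"
          "Reply-To: Support <support@example.org>\nSubject: Update\n\nHi")

if __name__ == "__main__":
    for name, raw in [("domain", LOOKALIKE_DOMAIN), ("user", LOOKALIKE_USER), ("benign", BENIGN)]:
        print(name, check_reply_to(raw))
```

A legitimate sender can also set a different Reply-To, so a hit is a reason to verify the request through another channel rather than proof of fraud.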

Ultimately, making the BEC email look like it comes from someone the targets know, rather than a stranger or a vague contact address, makes it more likely that the attackers will succeed in scamming victims. This is also achieved by not bringing up the idea of needing a gift card in the initial email, which looks innocuous enough: it asks the receivers if they want to catch up, asks for a favor, or asks where they do their online shopping.

If the victim responds to the initial spoofed email, the scammers will send an additional message requesting a gift card. It is here they attempt to emotionally manipulate victims, using claims of bank cards not working and of urgently needing to buy a gift for someone dealing with serious illnesses. The pretexts the group uses in their BEC campaigns are meant to elicit an emotional response that they hope will persuade a target to comply with their request. As with other gift card BEC attacks, since the target population is substantially larger than in other types of attacks, their success rate does not need to be that high to get a good return on investment on their campaigns.

The campaign is suspected to be still active, and people should be made aware of the telltale signs of BEC gift card scams. With the Christmas holiday and gift-giving season only a couple of weeks away, these attacks are likely to increase. The telltale signs include unexpected urgent requests, particularly if they use emotional subjects requiring swift action, and messages which do not sound like they come from who they say they come from.

If you are unsure if the message is real, you should check with the person sending it by calling them on the phone or checking with them in person.  To prevent your email from being abused to send out BEC scams to your contacts, cyber threat professionals recommend that you use a strong password and multi-factor authentication to help protect your account.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We recommend that if you want to provide charity during these holiday times, use tried and true charitable organizations. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  
