Red Sky Alliance information sharing portal provided data about a member falling for a business email compromise (BEC). Attackers sent a payment request spoofing a well-known local contractor by changing the TLD from .COM to .US. In total, 113 additional domains were registered by the same actors in August-November 2019.
Details
On 26 November 2019, a Red Sky Alliance member shared a fraud report regarding a spoofed email from a local construction company. The attackers convinced the member’s procurement office to change a billing ACH to the suspect company in order to process a "past due invoice."
The attacker domain was registered to "anu blessed" and djh35@mail.com. A total of 114 domains were then registered to the same registrant (see Table 1 and the Indicators table).
Table 1. WHOIS for djh35@mail.com-registered domain typosquatting Absher Construction Co.

| Field | Value |
| --- | --- |
| Domain Name | absherco.us |
| Registrar | NameCheap, Inc. |
| Creation Date | 2019-09-05 |
| Registrant Name | anu blessed |
| Registrant Address | 1018 bentwood way atlanta GA 30350 US |
| Registrant Phone | +1.404776778 |
| Registrant Email | djh35@mail.com |
Most of those domains also impersonated various construction companies throughout the US: the attackers simply registered the same domain name under the .US TLD. In some cases, likely when the name was already taken in the .US zone, they modified the label instead. For example, the legitimate construction/real estate company Al. Neyer (neyer.com) was spoofed with the typosquatted domain alneyer.us.
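The two lookalike patterns described above, a TLD swap and a padded label, as an added defender-side check (example code, not from the Red Sky Alliance report): it classifies the sender domain of a payment-request email against a vendor allow-list. The allow-list, the function names and the assumption of plain two-level domains are mine; only absherco and neyer come from the report.

```python
# Added example (not from the Red Sky Alliance report): flag payment-request sender
# domains that imitate a trusted vendor by swapping the TLD (absherco.com -> absherco.us)
# or by padding the label (neyer.com -> alneyer.us), the two patterns the report describes.
# TRUSTED_VENDORS is a constructed allow-list a procurement team would maintain.
TRUSTED_VENDORS = {"absherco.com", "neyer.com"}

def split_domain(domain):
    """Split a domain into (label, tld); assumes a plain two-level name like example.com."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        return None
    return ".".join(parts[:-1]), parts[-1]

def classify_sender(sender_domain, trusted=TRUSTED_VENDORS):
    """Return (verdict, matched_vendor). Verdicts: trusted, tld_swap, label_variant, unknown."""
    sender = sender_domain.lower().strip()
    if sender in trusted:
        return "trusted", sender
    split = split_domain(sender)
    if split is None:
        return "unknown", None
    s_label, s_tld = split
    for vendor in sorted(trusted):
        v_label, v_tld = split_domain(vendor)
        # Same label, different TLD: the .COM -> .US swap used against the member.
        if s_label == v_label and s_tld != v_tld:
            return "tld_swap", vendor
        # Vendor label embedded at the start or end of a longer label (alneyer vs neyer);
        # require a reasonably long vendor label so short strings do not match by chance.
        if len(v_label) >= 4 and s_label != v_label and (
            s_label.startswith(v_label) or s_label.endswith(v_label)
        ):
            return "label_variant", vendor
    return "unknown", None

def check_payment_request(from_addr, trusted=TRUSTED_VENDORS):
    """Classify the sender of a billing-change or invoice email by its domain."""
    domain = from_addr.rsplit("@", 1)[-1]
    verdict, vendor = classify_sender(domain, trusted)
    return {"from": from_addr, "verdict": verdict, "imitates": vendor}

if __name__ == "__main__":
    # Constructed sample senders; only the two lookalike domains come from the report.
    for addr in ["ap@absherco.com", "ap@absherco.us", "billing@alneyer.us", "x@example.org"]:
        result = check_payment_request(addr)
        print(f"{addr:24} {result['verdict']:14} imitates={result['imitates']}")
```

A billing-change request whose sender classifies as tld_swap or label_variant is the case to hold for out-of-band verification with the vendor's known contact.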
Serial: TR-19-337-002
Report Date: 11272019
Country: US
Industries: Construction, Education, All
Prepared by: Yury Polozov
Red Sky Alliance clients: IOCs available in Blacklist channel and by querying Red Sky Alliance CTAC Kibana.