Red Sky Alliance information sharing portal provided data about a member falling for a business email compromise (BEC). Attackers sent a payment request spoofing a well-known local contractor by changing the TLD from .COM to .US. In total, 113 additional domains were registered by the same actors in August-November 2019.
On 26 November 2019, a Red Sky Alliance member shared a fraud report regarding a local construction company email which was spoofed. The attackers convinced the member’s procurement office to change a billing ACH to the suspect company in order to process a "past due invoice."
The attacker domain was registered to "anu blessed" and firstname.lastname@example.org. A total of 114 domains were then registered to the same attacker registrant (see Table 1 and the Indicators table).
Table 1. WHOIS for Djh35@mail.com-registered domain typosquatting Absher Construction Co.
Registrant email: Djh35@mail.com
Registrant street: 1018 bentwood way
Most of those domains were also impersonating various construction companies throughout the US, and the attackers simply used the same domain name in the .US TLD. In some cases, likely when a domain was already used in the .US zone, they modified the domain. For example, legitimate construction/real estate company Al. Neyer, neyer.com was spoofed with typo-squatted domain alneyer.us.
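The two impersonation patterns described above (a straight TLD swap such as neyer.com to neyer.us, and a modified label such as alneyer.us) can be caught at the mail gateway by comparing the sender domain of inbound invoice mail against the vendors the procurement office actually deals with. The following is an added example, not code from the report or from Red Sky Alliance; the vendor allow-list, the log format and the threshold are assumptions, and every log line is constructed.

```python
"""Flag inbound mail whose sender domain impersonates a trusted vendor via a
TLD swap (neyer.com -> neyer.us) or a modified label (neyer.com -> alneyer.us).
Added example; the allow-list, log format and threshold are assumptions."""
import re
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains the procurement office pays.
# neyer.com is named in the report; acme-builders.com is a placeholder.
TRUSTED_VENDORS = {"neyer.com", "acme-builders.com"}

# Assumed MTA log format: "... from=<user@domain> ...". Captures the domain.
LOG_RE = re.compile(r"from=<?[^\s@<>]+@([A-Za-z0-9.-]+)>?")

# Minimum similarity between labels before a domain is reported as a lookalike.
LOOKALIKE_THRESHOLD = 0.8


def split_domain(domain):
    """Split 'alneyer.us' into ('alneyer', 'us'); lower-cases and strips a
    trailing dot. Subdomains stay inside the label ('mail.neyer', 'us')."""
    domain = domain.lower().strip().rstrip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_sender_domain(sender_domain, trusted=TRUSTED_VENDORS):
    """Return (verdict, vendor) where verdict is one of
    'trusted', 'tld_swap', 'lookalike' or 'unknown'."""
    sender_domain = sender_domain.lower().rstrip(".")
    if sender_domain in trusted:
        return "trusted", sender_domain
    s_label, s_tld = split_domain(sender_domain)
    best_vendor, best_score = None, 0.0
    for vendor in trusted:
        v_label, v_tld = split_domain(vendor)
        # Same registered name, different TLD: the .COM -> .US pattern.
        if s_label == v_label and s_tld != v_tld:
            return "tld_swap", vendor
        # Modified label: the vendor name embedded in a longer label, or a
        # near-identical label. Labels shorter than 5 chars are not used for
        # the substring test, to limit hits on common short words.
        if len(v_label) >= 5 and v_label in s_label:
            score = 1.0
        else:
            score = SequenceMatcher(None, s_label, v_label).ratio()
        if score > best_score:
            best_vendor, best_score = vendor, score
    if best_score >= LOOKALIKE_THRESHOLD:
        return "lookalike", best_vendor
    return "unknown", None


def scan_mail_log(lines, trusted=TRUSTED_VENDORS):
    """Return a list of (sender_domain, verdict, vendor) for every log line
    whose sender domain is off the allow-list but resembles an entry on it."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        domain = m.group(1)
        verdict, vendor = classify_sender_domain(domain, trusted)
        if verdict in ("tld_swap", "lookalike"):
            alerts.append((domain, verdict, vendor))
    return alerts


# Constructed sample MTA log lines (not taken from the report).
SAMPLE_LOG = [
    "2019-11-26T09:14:02 from=<ap@neyer.com> to=<procurement@member.example> subject=Invoice 4471",
    "2019-11-26T09:31:55 from=<billing@neyer.us> to=<procurement@member.example> subject=Past due invoice",
    "2019-11-26T10:05:17 from=<billing@alneyer.us> to=<procurement@member.example> subject=Updated ACH details",
    "2019-11-26T10:20:40 from=<news@contoso.org> to=<procurement@member.example> subject=Newsletter",
]

if __name__ == "__main__":
    for domain, verdict, vendor in scan_mail_log(SAMPLE_LOG):
        print(f"ALERT {verdict:9} sender={domain:14} impersonates={vendor}")
```

Run against the constructed log, the script alerts on neyer.us (TLD swap) and alneyer.us (lookalike) while letting the genuine neyer.com mail and the unrelated contoso.org mail through. The similarity threshold trades false positives for coverage: at 0.8, a one-character change in a five-letter vendor name is still reported, so a short allow-list of real vendors works better than a broad one. An alert on a payment-change request should feed a manual callback to the vendor on a previously known number, not just a mail quarantine.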
Report Date: 27 November 2019
Industries: Construction, Education, All
Prepared by: Yury Polozov
Red Sky Alliance clients: IOCs available in Blacklist channel and by querying Red Sky Alliance CTAC Kibana.