Change of Supplier Fraud: How Cybercriminals Earned Millions Using a $35 Malware

In our recent research, Piercing the HawkEye, we uncovered various ways cybercriminals were able to exploit information they gathered from monitoring victims’ mailboxes in order to steal money from businesses. One of the examples we shared, the “change of supplier” fraud, was one of the most notable, as this type of scheme has been known to earn cybercriminals millions of dollars of stolen money. In this post, we will flesh out the details of this particular scheme, and what makes it a big threat to small businesses and users alike.

Choosing targets

Our monitoring of this kind of scheme reveals that it is more targeted and goes far longer than the average attack. Cybercriminals often do the “shotgun approach” when deploying out their attack — sending out their crafted emails to email lists that were probably bought from other cybercriminals. It was quite different in the case we monitored, as the cybercriminals specifically targeted the publicly-available email addresses of small businesses. Our data reveals that these are the “official” company email addresses, usually formatted as or

Figure 1. Breakdown of email address types targeted

We found this to be an interesting strategy because official company email addresses are often positioned to receive possibly unsolicited emails from unknown senders, which creates an advantage for the cybercriminals. If the team managing the email account are not savvy enough to be able to identify socially-engineered emails, they will most likely open those sent by cybercriminals.

Making contact

How cybercriminals made initial contact with their targets in this scheme is also quite different from those frequently seen. The cybercriminals did not immediately send their malicious payload, instead they sent actual emails meant to engage with the target.

Figure 2. Sample of initial email sent by cybercriminals to their target

We called this technique “The Long Con” in our research since it resembles the real-life example — the attacker approaches the target coming off as a harmless entity, and attempts to achieve the target’s trust. Once that is achieved, the attacker will then send the malicious file (in this case, HawkEye) to the target under the guise of a file related to their ongoing conversation. In the scheme that we monitored, the cybercriminal even used the holidays as part of the lure to raise the urgency of the request.

Figure 3. Sample of email with malicious payload sent by cybercriminals to their target

Timely interception

Once the victim is infected with HawkEye, the cybercriminal is then able to monitor the target’s activities and check for information he can leverage to run scams. As we’ve previously shared, the target of the attacker here is to get access to the victim’s company email account. This is done to monitor any ongoing transactions that they can hijack to conduct “change of supplier” fraud.

What happens is that the cybercriminal looks for ongoing conversations where payment is being discussed, then intercept the conversation to give false account information to the customer. Below is a screenshot of such an email, captured in monitoring of similar cases executed with the use of Predator Pain, HawkEye’s predecessor:

Figure 4. Sample of email where the attacker diverts the payment to their own account

In successful attacks, the customer sends the payment to the account owned by the cybercriminal instead of the actual vendor.

Big payout

Although this scam looks less sophisticated in a technical sense, since it requires mostly taking advantage of the victim’s information, it doesn’t make it less dangerous for businesses. IC3’s advisory on similar scams last year has revealed that the average loss for this kind of scheme is $55,000, with some victims even losing as much as $800,000. If, for example, the cybercriminal is able to attack multiple targets at any given time, it’s easy to assume that they’ve earned millions from running this kind of scheme.

For our full analysis of this scheme and the tools cybercriminals used to execute it, check our research paper,
Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Change of Supplier Fraud: How Cybercriminals Earned Millions Using a $35 Malware

Read more: Change of Supplier Fraud: How Cybercriminals Earned Millions Using a $35 Malware

Story added 25. June 2015, content source with full text you can find at link above.