* All names and identities are fictitious and have been changed.
Digital4nx was recently retained in a post-incident response investigation of a highly targeted spear-phishing email attack. Based upon the available evidence and confirmation with LifeScienceCo (“LSC”), the attack began on or around January 25, 2022. The victims targeted were the LSC’s Assistant Controller and the accounting supervisor of their Client.
The attack succeeded in having the Client divert an approximately $730,000 payment of legitimate invoices to a fraudulent bank account. The attacker appears to have used a common Business Email Compromise (BEC) technique, possibly executing a carefully planned man-in-the-middle (MITM) attack. The attacker’s use of lookalike domains presents a severe threat, not only to the originally attacked organization but also to the third parties with whom it communicated through the lookalike domain. Typically, the scheme works by sending phishing emails to high-profile individuals in the target organization to gain control of an account, then carrying out extensive reconnaissance to understand the nature of the business and the key roles inside the company.
As in this case, the attacker sent one email from each of the spoofed domains to the counterparty, thus inserting itself into the conversation and deceiving the recipient into thinking that the source of the email was legitimate.
In essence, the attacker poked each victim in the chest a little…knowing the attempted scam was being executed.
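The lookalike-domain insertion described above is something a counterparty can screen for before acting on a payment request. The following is an added illustration, not code from the investigation or from Digital4nx: it normalizes common character substitutions, measures edit distance between a sender's domain and a list of trusted counterparty domains, and flags messages whose From domain merely resembles a trusted one or whose Reply-To points elsewhere. The domain names and message headers are constructed for the example.

```python
import re
from email import message_from_string

# Constructed list of trusted counterparty domains (assumption; fictitious names).
TRUSTED_DOMAINS = {"lifescienceco.example", "clientcorp.example"}


def normalize(domain):
    """Collapse substitutions often used in lookalike domains (rn->m, 0->o, 1->l)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01|", "oll"))


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    n = normalize(domain)
    for t in trusted:
        if edit_distance(n, normalize(t)) <= max_distance:
            return t
    return None


def domain_of(addr):
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def flag_message(raw):
    """Return human-readable findings for one RFC 822 message (empty list = nothing found)."""
    msg = message_from_string(raw)
    frm = domain_of(msg["From"])
    reply = domain_of(msg.get("Reply-To", msg["From"]))
    findings = []
    t = lookalike_of(frm)
    if t:
        findings.append(f"From domain {frm} resembles trusted {t}")
    if reply != frm:
        findings.append(f"Reply-To domain {reply} differs from From domain {frm}")
    return findings


# Constructed sample messages: one sent from a lookalike domain, one legitimate.
SUSPICIOUS = "From: AP Supervisor <ap@lifesc1enceco.example>\nTo: controller@clientcorp.example\n" \
             "Subject: Updated remittance details\n\nPlease note our updated bank details.\n"
LEGIT = "From: AP Supervisor <ap@lifescienceco.example>\nTo: controller@clientcorp.example\n" \
        "Subject: Open invoices\n\nConfirming the invoices remain open.\n"
```

In practice the trusted list would be populated from the vendor master file, and a hit on `flag_message` is a trigger for out-of-band verification of any banking change, not proof of fraud.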
The emails that we examined indicate that the attacker behind the domains possessed information about possible financial transactions between our Client (LSC) and LSC’s Client. The examination of LSC’s servers and the computers involved did not reveal any compromise, malware, or intrusion. Additionally, there was nothing to suggest that data was exfiltrated from LSC’s network.
The attacker began communicating with LSC’s Client several days before engaging with LSC. That, together with the fact that LSC never shared any banking information, leads us to conclude that it is more likely than not that LSC’s Client’s network systems were compromised, causing LSC’s Client to wire money to the intruders’ account.
In this case, LSC not only incurred the cost of having Digital4nx conduct an independent investigation and provide an opinion supporting LSC’s claims against its Client, but that Client has still not paid our Client the $700K, and the Client, having been negligent, is itself out $1.4M.
### END ###
Disclaimer: The information contained in this case study is educational only. This is not intended to fully cover everything related to the investigation or constitute expert advice, legal advice or otherwise. You should always seek the advice and counsel of an attorney while proceeding with these matters. Results may vary as each case is unique and the types of artifacts may not exist depending on many variables. Contact us for a confidential initial consultation.
© Copyright 2022, Digital4nx Group, Ltd. All Rights Reserved.