Business Email Compromise (BEC) , Email Security & Protection , Email Threat Protection

BEC Scam Targets Executives' Office 365 Accounts

Trend Micro: 'Water Nue' Payment Fraud Campaign Has Targeted 1,000 Companies Since March
BEC Scam Targets Executives' Office 365 Accounts
This illustration shows how the Water Nue BEC scam targets Office 365 credentials. (Source: Trend Micro)

A recently uncovered business email compromise scam has targeted the Office 365 accounts of business executives at over 1,000 companies worldwide, collecting more than 800 sets of credentials in an attempt to commit payment fraud, according to the security firm Trend Micro.

See Also: Email Authentication: The Key to Email Deliverability

The group behind the campaign, which Trend Micro researchers call "Water Nue," is not technically sophisticated, but the fraudsters appear extremely proficient. Since March, the gang apparently has targeted companies worldwide with spear-phishing attacks, according to the Trend Micro report.

The goal of this scam is to capture the Office 365 credentials of executives, especially those working in finance, and then create phony documents and invoices that are sent to lower-level employees, according to the report. Payments made for the fake invoices are transferred to the fraudsters' accounts, the researchers say.

"We first noticed the campaign from a large group of email domains used in phishing attempts. We found that most of the recipients hold high corporate positions, particularly in the finance department," the Trend Micro report notes.

The campaign is continuing, with the gang switching its infrastructure and domains if their phishing emails or websites are blacklisted, according to the report.

Lucrative Scams

Over the last several years, BEC scams have become an increasingly lucrative way for criminal gangs and fraudsters to siphon money from organizations.

The FBI's Internet Crime Complaint Center’s annual cybercrime report, released in February, found that BEC schemes accounted for about $1.7 billion in losses in 2019, or an average of $72,000 each (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).

Since the COVID-19 pandemic started, the FBI has warned of BEC scammers using the healthcare crisis as a lure to target victims (see: FBI: COVID-19-Themed Business Email Compromise Scams Surge).

Water Nue Tactics

The Trend Micro report notes that the Water Nue gang uses simple spear-phishing tactics and malicious domains to capture executives' credentials. The fraudsters do not use any other malware, such as backdoors or Trojans.

Fake invoice associated with Water Nue BEC fraudsters (Source: Trend Micro)

"It appears that their technical capabilities are limited despite being able to successfully target high-level employees globally," the report notes.

The researchers note, however, that the Water Nue fraudsters make extensive use of cloud-based services, such as SendGrid, to send out phishing emails and host their infrastructure, which helps obfuscate their operations and makes it more difficult to conduct a forensic analysis.

The phishing emails contain a message asking the recipient to click on a link to listen to a voicemail. If a victim clicks the link, it leads them to a fake Office 365 domain, where credentials are harvested through a simple PHP script, according to the report. The fraudsters apparently have collected over 800 sets of credentials so far, according to the report.

"Once the compromised credentials are used to successfully log in to accounts, fraudsters can identify themselves as executives. They will then send a fraudulent wire transfer request to trick recipients into wiring money into the criminals’ accounts," the report notes.

Although the Trend Micro report does not estimate how much money may have been stolen via the scam, the researchers found at least one fake invoice asking for a nearly $1 million payment, according to the report.

Other Sophisticated Scams

Some other recent BEC scams have grown more sophisticated.

In January, for example, security firm Agari found one gang stealing so-called "aging reports" from companies' financial and accounts receivable departments and then using these documents to expand their scams by posing as company officials trying to collect money from clients who have unpaid balances (see: BEC Fraudsters Targeting Financial Documents: Report).

In June, a one-time Nigerian entrepreneur pleaded guilty to scamming a U.K. affiliate of U.S. heavy equipment manufacturer Caterpillar out of $11 million in a sophisticated BEC scam, according to the U.S. Justice Department (see: Nigerian Entrepreneur Pleads Guilty in $11 Million BEC Scam).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.