Targeted BEC Scam

    17 December 2024

    By Mimecast Threat Research team

    Key Points

    What you'll learn in this notification

    Threat actors deploy voice deepfakes in a sophisticated law firm impersonation campaign

    • Sophisticated Business Email Compromise (BEC) campaign exploiting DocuSign and Adobe Sign
    • Attackers utilize deepfakes to add credibility to their scams
    • Primarily targeting Banking, Financial Services and Insurance

    Campaign Flow

    [Figure: targeted BEC campaign flow]

    Mimecast threat researchers have discovered a highly targeted Business Email Compromise campaign. Our analysis reveals increasingly sophisticated techniques being used to make BEC emails appear legitimate.

    Initial email

    The campaign begins with an email sent via trusted services, such as DocuSign and Adobe Sign, falsely claiming to be from a law firm. The email requests that the recipient sign a document and call a provided phone number, which is not associated with the law firm.

    This campaign appears to be highly targeted, and the law firm details in these initial emails indicate the threat actor may have prior knowledge of a working relationship with the target business. Once the victim calls the number, they will speak with the threat actor impersonating someone from this law firm.

    The victim is then instructed to email an address with a domain resembling the legitimate law firm's domain, creating an email relationship with this suspicious address. This address will then be used for further communication as a trusted sender for this user.

    The domains used in the initial email, along with similar domains linked to law firms, predominantly rely on Eranet International Limited for hosting and Hostinger for their name servers. Both providers have a history of extensive abuse by threat actors and play a crucial role in the current infrastructure of this threat actor.

    Follow up communication

    Once the connection is established, the threat actor uses the suspicious address to send a fraudulent invoice requiring payment. To give further legitimacy to this campaign, the victim will receive a deepfake phone call, in some cases using WhatsApp, impersonating a CEO or someone who is authorized to approve the transfer. The amounts requested are likely to be significant and should be treated with extreme caution.

    The files shared with the target company appear to also have some pattern 

    Mimecast Protection

    We have identified several attributes in the campaigns which have been added to our detection capabilities. View the Advanced BEC Protection page to learn more about how our advanced AI and Natural Language Processing capabilities aid in the detection of evolving threats.

    Targeting:

    Primarily US and UK, across Banking, Financial Services and Insurance.
    Detections have occurred outside of those regions and verticals as well.

    IOCs

    Initial Reply-To Domain



    Recommendations

    • Conduct awareness sessions for employees about BEC tactics and how to identify phishing attempts.
    • Educate end users around the continued trend of legitimate tools being used in malicious campaigns.
    • Implement verification protocols for any unexpected or suspicious emails purportedly from law firms using DocuSign and Adobe Sign, especially those requesting sensitive information or financial transactions.
    • Always report any phishing or BEC scam email to Mimecast or your email security provider.
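
    A header check that fits the pattern described under Initial email, added here as an example (it is not Mimecast's detection logic): it flags an e-signature notification whose Reply-To domain imitates the service, and the same domain test can be run on the look-alike law firm address used in follow-up mail. The sender domains, brand word list, counterparty list and every `.example` name are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the services' own sender domains, words a
# look-alike domain embeds as hyphen/dot-separated parts, and a list of
# counterparties (for instance your law firms) that you maintain yourself.
ESIGN_DOMAINS = {"docusign.net", "docusign.com", "adobesign.com"}
BRAND_WORDS = {"docusign", "adobesign", "acrobat", "sign", "doc"}
KNOWN_COUNTERPARTIES = {"harborlaw.example"}      # constructed law firm domain

SAMPLE = (                                        # constructed message
    "From: DocuSign <notifications@docusign.net>\n"
    "Reply-To: Accounts <billing@en9-docusign.example>\n"
    "Subject: Please sign: engagement letter\n\n"
    "Constructed body.\n"
)

def domain_of(header):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower().rstrip(".")

def under(domain, parents):
    """True if domain equals, or is a subdomain of, an entry in parents."""
    return any(domain == p or domain.endswith("." + p) for p in parents)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Findings for a domain that is neither the service nor a known firm."""
    if under(domain, ESIGN_DOMAINS | KNOWN_COUNTERPARTIES):
        return []
    findings = []
    if BRAND_WORDS & set(re.split(r"[.-]", domain)):
        findings.append("imitates-esign-service")
    if any(0 < edit_distance(domain, k) <= 2 for k in KNOWN_COUNTERPARTIES):
        findings.append("resembles-known-counterparty")
    return findings

def check_reply_to(raw_message):
    """Classify the Reply-To domain of a genuine e-signature notification."""
    msg = message_from_string(raw_message)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    return classify_domain(reply) if under(sender, ESIGN_DOMAINS) and reply else []
```

    A Reply-To that points at an unrelated but ordinary domain returns no finding, because legitimate envelopes route replies to the sender's own mailbox.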

    Scam Reporting

    Mimecast is actively working with services such as DocuSign to help tackle the misuse of these trusted services.