Threat Spotlight: Invoice Impersonation Attack
While Halloween has come and gone, impersonation still seems to be a popular trend in certain circles. Cybercriminals love it and, as we’ve discussed in the past, will go to great lengths to pull off a convincing impersonation attempt. Impersonation is a proven tactic that criminals regularly use to lure victims into believing that they are acting on an important message, when that couldn’t be further from the truth.
The impersonation trend continues in our most recent Threat Spotlight, where we’ve been seeing a wave of messages sent by attackers who are requesting status updates for invoices. Here’s what we’ve found:
Invoice Impersonation Attack — email attack that attempts to persuade recipients to act on an impersonated invoice.
In this first example, the message is requesting a response about the payment status of an invoice, while also referencing an invoice number with a link. Additionally, the sender’s name is carefully chosen by the attackers to be someone that the recipient knows and trusts.
If the link is clicked, it would typically download a .doc file (the so-called invoice), which would be an advanced threat of some type that could trigger ransomware or steal the recipient’s credentials from their browser.
Here’s another example of a similar attempt that is still using an invoice as an excuse to warrant a reply — just with a different subject that claims to be an address update notification.
As we continue to see these attempts grow in popularity, it’s important to be aware of the warning signs in the messages. Both of these examples include a payment request and a link, which are two major concerns. You should always tread carefully around payment requests via email, and if there’s ever a doubt, any suspicions should be sorted out before ever acting on the request. Secondly, it’s important to remember that any link you click could be malicious, so if you aren’t certain that a particular link is safe — don’t click on it.
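The warning signs described above (a sender name the recipient trusts, a payment request, and a link) can also be checked mechanically. The following Python is an added example, not code from the original post or from any Barracuda product; the contact directory, keyword list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> known address.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example-corp.test"}
# Assumed keyword list for payment-related wording.
PAYMENT_TERMS = re.compile(r"\b(invoice|payment|overdue|remittance)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (reserved .test domains, placeholder invoice id).
SPOOFED = (
    "From: Dana Reyes <billing@invoice-portal.test>\n"
    "Subject: Invoice status\n"
    "\n"
    "Please confirm payment status for invoice INV-0000:\n"
    "http://files.invoice-portal.test/INV-0000\n"
)
LEGIT = (
    "From: Dana Reyes <dana.reyes@example-corp.test>\n"
    "Subject: Lunch Thursday\n"
    "\n"
    "Are you free at noon?\n"
)

def body_text(msg):
    """Concatenate the decoded text/* parts of a message."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def warning_signs(raw_message):
    """Return the warning signs present in one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    signs = []
    # A trusted display name paired with an address other than the known one.
    known = KNOWN_CONTACTS.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        signs.append("display-name-mismatch")
    if PAYMENT_TERMS.search(text):
        signs.append("payment-request")
    if URL.search(text):
        signs.append("contains-link")
    return signs
```

A message that raises all three signs together matches the pattern in the examples above and is a candidate for quarantine or out-of-band verification with the named sender.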
To recap, the techniques used in this attack are:
Impersonation – Attackers impersonate someone the recipient knows and trusts.
Urgency – Attackers send emails that request an action be taken on an important invoice.
User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Always check the domains in any email that asks you to do something, including clicking a link or entering information.
Layering employee training with an email security solution that offers sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Links to compromised websites are blocked, even if those links are buried within the contents of a document.
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is a cloud service that utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time and identifies the most high-risk individuals inside the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
Lior Gavish is Vice President of Engineering, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. He is responsible for creating and developing machine learning algorithms designed to identify and thwart spear phishing, business email compromise (BEC), impersonation attempts, and other forms of cyber fraud. Lior was previously VP of Engineering and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he led several startup engineering teams building machine learning, web and mobile technologies. Lior holds an MBA from Stanford, as well as a BSc and MSc in Computer Science from Tel-Aviv University.