Threat Spotlight: Invoice Impersonation Attack


While Halloween has come and gone, impersonation still seems to be a popular trend in certain circles. Cybercriminals love it and, as we’ve discussed in the past, will go to great lengths to pull off a convincing impersonation attempt. This is mainly because impersonation is a proven tactic that criminals regularly use to trick victims into believing that they are acting on an important message, when that couldn’t be further from the truth.

The impersonation trend continues in our most recent Threat Spotlight, where we’ve been seeing a wave of messages sent by attackers who are requesting status updates for invoices. Here’s what we’ve found:

Highlighted Threat:
Invoice Impersonation Attack — email attack that attempts to persuade recipients to act on an impersonated invoice.

The Details:

In this first example, the message is requesting a response about the payment status of an invoice, while also referencing an invoice number with a link. Additionally, the sender’s name is carefully chosen by the attackers to be someone that the recipient knows and trusts.

The message itself doesn’t seem out of the ordinary, but the included link should raise a red flag. The entire goal for this attempt is to get the recipient to click on the link, and the criminals have done a decent job of subtly placing the link within the message.

If the link actually gets clicked, it would typically download a .doc file (the so-called invoice), which would be an advanced threat of some type that could trigger ransomware or steal the recipient’s credentials from their browser.

Here’s another example of a similar attempt that is still using an invoice as an excuse to warrant a reply — just with a different subject that claims to be an address update notification.

As you can see, there’s nothing too unusual with this message, but the same warning signs are present as with the first example. We’re still seeing a link in the body of the email that could be malicious, and it’s still asking about an invoice. Lastly, the link in this attempt would most likely have the same results — a malware download or credential theft that could lead to an account takeover.

As we continue to see these attempts grow in popularity, it’s important to be aware of the warning signs in the messages. Both of these examples include a payment request and a link, which are two major concerns. You should always tread carefully around payment requests via email, and if there’s ever a doubt, any suspicions should be sorted out before ever acting on the request. Secondly, it’s important to remember that any link you click could be malicious, so if you aren’t certain that a particular link is safe — don’t click on it.
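The warning signs described above (a trusted sender name on an unfamiliar address, a payment request, and a link) can also be checked mechanically during mail triage. The following is an added example, not code from the original post; the contact directory, the sample messages and the flag names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed contact directory: trusted display name -> that person's real mail domain.
KNOWN_CONTACTS = {"dana whitfield": "example.com"}
INVOICE_TERMS = re.compile(r"\b(invoice|payment|remittance|past due)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages using reserved example domains, not real traffic.
SUSPICIOUS = (
    'From: "Dana Whitfield" <dana.whitfield@example.net>\n'
    "Subject: Invoice status\n\n"
    "Can you confirm payment status for invoice\n"
    "http://files.example.org/INV-0042.doc today?\n"
)
ROUTINE = (
    'From: "Dana Whitfield" <dana.whitfield@example.com>\n'
    "Subject: Invoice 0042 paid\n\n"
    "Receipt is at https://billing.example.com/receipts/0042\n"
)


def triage(raw_message):
    """Return the warning signs present in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    signs = []
    # Impersonation: a trusted display name on an address from another domain.
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and sender_domain != expected:
        signs.append("display-name-mismatch")
    # Payment request: invoice language in the subject or body.
    if INVOICE_TERMS.search(f"{msg.get('Subject', '')}\n{body}"):
        signs.append("invoice-request")
    # Link: a URL whose host lies outside the organisation the sender claims.
    org = expected or sender_domain
    hosts = [(urlparse(u).hostname or "").rstrip(".") for u in URL_RE.findall(body)]
    if any(h != org and not h.endswith("." + org) for h in hosts):
        signs.append("external-link")
    return signs


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, triage(raw))
```

A message that raises all three flags together matches the pattern in both examples; a single flag, such as invoice wording from the contact's real domain, is ordinary business mail.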

To recap, the techniques used in this attack are:

Impersonation – Attackers impersonate someone the recipient knows and trusts.

Urgency – Attackers send emails that request an action be taken on an important invoice.

Take Action:

User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Always check the domains on emails that ask you to do something, including clicking a link or entering information.

Layering employee training with an email security solution that offers sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Links to compromised websites are blocked, even if those links are buried within the contents of a document.

Real-Time Spear Phishing and Cyber Fraud Defense: Barracuda Sentinel is a cloud service that utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time and identifies the most high-risk individuals inside the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.



Lior Gavish is Vice President of Engineering, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. He is responsible for creating and developing machine learning algorithms designed to identify and thwart spear phishing, business email compromise (BEC), impersonation attempts, and other forms of cyber fraud. Lior was previously VP of Engineering and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he led several startup engineering teams building machine learning, web and mobile technologies. Lior holds an MBA from Stanford, as well as a BSc and MSc in Computer Science from Tel-Aviv University. 
