This post originally appeared on the Abnormal Security blog. This is the second RFQ-driven attack that Abnormal has seen recently – earlier this week the team published details of an attack involving the State of Texas.
In this attack, attackers are impersonating the United States Transportation Command Office of Small Business Programs, sending an RFQ in order to steal goods from their targets.
Quick Summary of Attack Target
Platform: Office 365
Email Security Bypassed: Proofpoint
Mailboxes: 15,000 to 50,000
Payload: Attachment
Technique: Impersonation
What was the attack?
Setup: Sending fraudulent purchase orders for goods or services is a common scam attackers use to obtain free merchandise. The method of operation starts with the attacker emailing the vendor about a specific set of merchandise. After the vendor responds, an official-looking purchase order is delivered containing the logo, contact information and, most importantly, the delivery information for where the goods are to be shipped. If successful, the scam concludes with the goods being shipped to an address unrelated to the party being impersonated, and no payment is made for the goods in question. This attack features scammers sending a fraudulent purchase order purporting to belong to the Office of Small Business Programs within a division of the government.
Email Attack: The email impersonates the United States Transportation Command Office of Small Business Programs. The official domain is “ustranscom.mil”, but this email was sent from a “mall.mil” domain that does not have a publicly listed mail server. The reply-to domain, “mil-mail.us”, is different again and was registered to a fake account just a day before the email was sent. Additionally, the sender is purported to be the point of contact for the Office of Small Business Programs, but the email address and phone number provided do not match public records.
Payload: The email doesn’t address a specific person, but states the intent to procure a large order of a specific IT-related product from the supplier: 27 HP EliteBook laptops. The order form carries contact information on behalf of USTRANSCOM with a mismatched signature and a phone number, and asks for the items to be sent by 9/21/2020. The area code (618) matches that of the city USTRANSCOM is based out of, Belleville, IL, but the number is not listed as the official number associated with this office.
Result: If recipients take the false purchase order seriously, attackers can easily establish trust with the prospective vendor, and disappear with the goods once they’ve been shipped.
Why is this attack effective?
Urgency: The purchase order form has a response due date of 9/21/2020, prompting the recipient to take action by that time.
Vendor Impersonation: The attacker sends an email that appears to be from USTRANSCOM and even has the official logo on the RFQ form to appear legitimate. The email domain the message was sent from was recently registered, and the registrant information is not consistent with the impersonated party.
Suspicious Reply-To Email: The message is sent from a “mall.mil” domain and then directs replies to the “mil-mail.us” domain, both chosen to mimic the legitimate “ustranscom.mil” domain. This is likely to instill a sense of confidence in the recipient that the request is originating from a government entity.
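The header signals described in the "Email Attack" and "Suspicious Reply-To Email" sections (sender domain that is not the impersonated organisation's real domain, a Reply-To on a different domain, and domains that borrow ".mil"-style labels) can be checked mechanically before a purchase order reaches a sales inbox. The following script is an added example, not code from Abnormal Security or from the original post. The sample message is constructed from the domains the post names; its local parts, recipient address, subject and body are placeholders, and the allowlist of legitimate domains is an assumption limited to the single domain the post cites.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header facts in the post (sender on a
# "mall.mil" domain, Reply-To on "mil-mail.us"). Local parts, recipient,
# subject and body are placeholders, not the real phishing message.
SAMPLE_EMAIL = """\
From: Office of Small Business Programs <osbp@mall.mil>
Reply-To: osbp@mil-mail.us
To: sales@vendor.example
Subject: Request for Quote - 27 HP EliteBook laptops

Please see the attached purchase order. Response due 9/21/2020.
"""

# Domain(s) the impersonated organisation really sends from (assumed: only
# the one domain the post names; a production allowlist would be broader).
LEGIT_DOMAINS = {"ustranscom.mil"}
# Display-name phrases that amount to a claim of being that organisation.
ORG_KEYWORDS = ("ustranscom", "transportation command", "small business programs")


def domain_of(header_value):
    """Lowercase domain part of an address header such as From/Reply-To, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def looks_like_legit(domain):
    """True if a non-allowlisted domain reuses a label (e.g. 'mil') from a legit one."""
    if domain is None or domain in LEGIT_DOMAINS:
        return False
    parts = set(re.split(r"[.-]", domain))
    for legit in LEGIT_DOMAINS:
        if parts & set(re.split(r"[.-]", legit)):
            return True
    return False


def analyse_headers(raw):
    """Return a list of finding strings for the sender / Reply-To relationship."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []

    # 1. Display name claims the organisation but the sending domain is not its real one.
    claims_org = any(k in display_name.lower() for k in ORG_KEYWORDS)
    if claims_org and from_domain not in LEGIT_DOMAINS:
        findings.append(f"display-name-impersonation:{from_domain}")

    # 2. Replies are routed to a domain other than the one the mail came from.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")

    # 3. Either domain borrows labels from the legitimate domain to look official.
    for label, dom in (("from", from_domain), ("reply-to", reply_domain)):
        if looks_like_legit(dom):
            findings.append(f"lookalike-{label}:{dom}")
    return findings


if __name__ == "__main__":
    for finding in analyse_headers(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the script reports four findings: the display name impersonates the office while sending from mall.mil, replies are redirected to mil-mail.us, and both domains reuse the "mil" label from ustranscom.mil. A message genuinely sent from ustranscom.mil with no Reply-To produces no findings. Domain age (the post notes mil-mail.us was registered the day before) would need a WHOIS or RDAP lookup and is deliberately left out so the check runs offline.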