BEC Fraud Research: 92 Domains Spoofing International Law Firms

A business email compromise (BEC) group named 'Crimson Kingsnake' has recently emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments.

92 malicious domains have been identified and linked to the threat actor, all similar to genuine law firm sites.

Sean McNee, DomainTools

Sean McNee, CTO, DomainTools weighed in on the discovery: “BEC attacks remain a lucrative business, and unfortunately, impersonating third party vendors is the newest trend. Criminals are hijacking the external relationships businesses have with their suppliers, particularly those that share highly sensitive data and invoice large amounts. Attackers start by conducting detailed reconnaissance on their victims to understand who they do business with, how they communicate, and the type of information they share. Then they set up lookalike domains and email accounts in order to trick people into sending them funds. Since law firms, construction firms and other such suppliers are considered trusted vendors, employees are less likely to verify their transaction requests or catch a spoofed domain. Here are 3 steps businesses can take to protect against BEC attacks and domain spoofing:

  1. Conduct awareness training and teach employees to verify domains and look for other malicious techniques that attackers use

  2. Establish processes that require employees to verify all transactions and partner details before initiating transfers over a certain amount

  3. Use security tools that look for intentional typos and other keyword variations, as well as tools that explore DNS data to find connected infrastructure (for example, shared IP address hosting, shared name servers, shared registration details, etc).

BEC attacks that spoof third party domains are becoming a major concern for businesses today, but with the correct tools, training and processes, organizations can remain one step ahead of attackers.”


###