Two business email compromise (BEC) groups have been observed using executive impersonation to conduct attacks on companies worldwide.
The findings come from security researchers at Abnormal Security, who have dubbed the threat actors "Midnight Hedgehog," which specializes in payment fraud, and "Mandarin Capybara," which focuses on payroll diversion attacks.
“Combined, they have launched BEC campaigns in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish,” wrote Crane Hassold, the director of threat intelligence at Abnormal.
More specifically, Midnight Hedgehog threat actors researched their target’s responsibilities and relationship to a specific CEO and then created spoofed email accounts to mimic a real account. They were observed targeting global firms as early as January 2021.
“Like many payment fraud attacks, the group targets finance managers or other executives responsible for initiating the company’s financial transactions,” said Hassold.
As for the Mandarin Capybara group, Hassold said the group had been targeting firms using Gmail accounts since at least February 2021.
“Unlike Midnight Hedgehog, which we’ve only seen target companies in Europe with non-English messages, Mandarin Capybara has attacked companies around the world,” the security researcher explained.
“We’ve observed the group target American and Australian companies in English, Canadian organizations in French, and European companies in eight languages: Dutch, French, German, Italian, Polish, Portuguese, Spanish, and Swedish.”
Further, Hassold added that while the group typically used mule accounts in other countries, those accounts were similar to the ones used in payroll diversion attacks targeting US companies.
“Unlike other types of payment fraud BEC attacks, a vast majority of payroll diversion attacks use non-traditional fintech accounts to receive fraudulent funds,” the security expert wrote.
“Mandarin Capybara has set up mule accounts at European fintech institutions like Revolut, Saurus, Monese, Bunq, and SisalPay to receive funds from their payroll diversion attacks.”
To protect against attacks like these, Abnormal urged companies to implement behavioral-based security that uses machine learning and artificial intelligence to understand identity concepts.
“Solutions that baseline normal behavior can provide the context needed to determine when anomalous behavior is occurring—no matter in which language the attack is sent.”
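The two controls described above, identity-aware detection of executive impersonation (the spoofed display names from the Midnight Hedgehog description) and baselining of normal sender behaviour (the Abnormal recommendation), can be sketched in a few dozen lines. The following is an added illustration, not Abnormal's product logic or anything from the original report; the company domain, the executive directory, the sample messages and the keyword list are all constructed, and the keyword heuristic is deliberately simple so that the identity and baseline checks, which work regardless of the message language, carry the decision.

```python
"""Added example: flag executive impersonation and payroll/payment-change
requests using (1) an executive directory, (2) a per-recipient baseline of
previously seen senders and (3) a small keyword heuristic.
All domains, names and messages below are constructed for the example."""

from dataclasses import dataclass, field
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example-corp.test"          # constructed company domain
EXECUTIVES = {                                # constructed executive directory
    "Jane Doe": "jane.doe@example-corp.test",
    "Pierre Martin": "pierre.martin@example-corp.test",
}
# Constructed, language-agnostic terms that often accompany payment-change asks.
PAYMENT_TERMS = ("direct deposit", "bank details", "payroll", "wire", "invoice", "iban")


def normalize(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so that
    'Pierre MARTIN' and 'Pierre Martin' compare equal."""
    nfkd = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in nfkd if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


EXEC_INDEX = {normalize(n): a.lower() for n, a in EXECUTIVES.items()}


@dataclass
class SenderBaseline:
    """Per-recipient set of sender addresses observed in prior legitimate mail."""
    seen: dict = field(default_factory=dict)

    def learn(self, recipient: str, sender: str) -> None:
        self.seen.setdefault(recipient.lower(), set()).add(sender.lower())

    def is_known(self, recipient: str, sender: str) -> bool:
        return sender.lower() in self.seen.get(recipient.lower(), set())


def analyze(msg: dict, baseline: SenderBaseline) -> list:
    """Return the list of reasons a message looks like executive impersonation.
    msg has keys 'id', 'from' (raw header value), 'to', 'subject', 'body'."""
    display, addr = parseaddr(msg["from"])
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. Identity check: executive's name on an address the directory does not list.
    key = normalize(display)
    if key in EXEC_INDEX and addr != EXEC_INDEX[key]:
        reasons.append("exec-name-mismatch")

    # 2. Baseline check: external sender this recipient has never heard from.
    if domain != COMPANY_DOMAIN and not baseline.is_known(msg["to"], addr):
        reasons.append("unknown-external-sender")

    # 3. Content check: wording that asks for a payment or payroll change.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        reasons.append("payment-change-language")
    return reasons


def hold_for_review(reasons: list) -> bool:
    """Two or more independent signals are needed before a message is held."""
    return len(reasons) >= 2


def triage(messages: list, baseline: SenderBaseline) -> dict:
    """Map each message id to its reasons."""
    return {m["id"]: analyze(m, baseline) for m in messages}


# Constructed sample traffic: one payroll-diversion lure, one legitimate
# executive mail, one known vendor invoice, one French-language lure.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": '"Jane Doe" <jane.doe.ceo@gmail.com>',
     "to": "payroll@example-corp.test", "subject": "Quick update to my direct deposit",
     "body": "Can you change my bank details before the next payroll run?"},
    {"id": "m2", "from": "Jane Doe <jane.doe@example-corp.test>",
     "to": "finance@example-corp.test", "subject": "Board deck",
     "body": "Please send me the Q3 deck."},
    {"id": "m3", "from": "Acme Billing <billing@partner.test>",
     "to": "finance@example-corp.test", "subject": "Invoice 1042",
     "body": "Attached is invoice 1042 for last month."},
    {"id": "m4", "from": '"Pierre MARTIN" <p.martin.direction@outlook.com>',
     "to": "comptabilite@example-corp.test", "subject": "Virement urgent",
     "body": "Merci de préparer un virement, IBAN à suivre."},
]


def build_baseline() -> SenderBaseline:
    """Constructed history: finance has corresponded with the vendor before."""
    b = SenderBaseline()
    b.learn("finance@example-corp.test", "billing@partner.test")
    return b


if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MESSAGES, build_baseline()).items():
        print(mid, "HOLD" if hold_for_review(reasons) else "pass", reasons)
```

The French message is caught by exactly the same two identity and baseline checks as the English one, which is the point of the quoted recommendation: the directory lookup and the sender history do not depend on the language of the lure, so the keyword list only adds a third signal rather than carrying the detection. The known vendor's invoice trips the keyword check alone and is not held, which keeps routine accounts-payable traffic out of the review queue.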
The Abnormal advisory comes days after a separate report from the company found that BEC attacks worldwide increased by more than 81% during 2022 and by 175% over the past two years.