Security researchers have warned organizations that unsolicited blank emails could be a warning sign they are being actively targeted by BEC scammers.
Agari has been tracking professional BEC gangs such as London Blue, Scarlet Widow and Curious Orca for over a year.
Crane Hassold, senior director at the Agari Cyber Intelligence Division (ACID), explained in a new blog post that “lead validation and processing” is a crucial part of the attack chain: gang members take raw leads, validate them, enrich them with additional information and organize them.
While some use commercial lead generation services to identify and validate targets, others might manually send “probing” emails to check the legitimacy of raw target data. These messages are typically blank, may carry nothing more than the subject “i”, and are designed only to see whether they are delivered successfully.
They’re usually sent in non-work hours when they’re more likely to be missed, Hassold said.
“If no bounce notification is received, the target’s email address is assumed to be valid and operational. In the case of Curious Orca, once this contact information has been validated, their name, email address, and title are added to one of the hundreds of consolidated text files containing verified targets,” he continued.
“In many cases, this file includes supplemental information about the CEO at the target company who will be impersonated in the BEC attack.”
Sometimes, even if the address is invalid, the scammer may try other variations, possibly using legitimate marketing tools to suggest new combinations.
The sheer time and effort required to do all of this manually shows the increasing professionalization of BEC campaigns, Hassold claimed.
“A single Curious Orca associate has sent blank reconnaissance emails to more than 7800 email addresses at over 3200 companies in at least 12 countries including Australia, Canada, Denmark, Hong Kong, Israel, Italy, the Netherlands, Papua New Guinea, Singapore, Sweden, the UK and the US since August 2018,” he revealed.
“The validated contact information collected by this actor has contributed to a master targeting database that contains more than 35,000 financial controllers and accountants at 28,000 companies around the world.”
To regain the initiative against BEC attackers, IT teams could configure their email settings to raise the alarm when individuals receive blank messages, or even disable email bounce messages to external senders, disrupting their reconnaissance work, Agari said.
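As an added illustration of the alerting approach Agari suggests (example code written for this page, not Agari's or the article's own), the following scores an inbound message against the probing traits described above: an external sender, a blank body, a trivial subject such as “i”, and a timestamp outside working hours. The internal domain, the working-hours window and the two sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own mail domain
WORK_HOURS = range(8, 18)        # assumed local working hours, 08:00-17:59

# Constructed sample messages (not from the article): a blank "i" probe
# sent on a Saturday night, and an ordinary internal mail during work hours.
PROBE = """From: "Accounts" <probe-sender@example.net>
To: controller@example.com
Subject: i
Date: Sat, 06 Apr 2019 02:13:00 +0000

"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q2 invoice schedule
Date: Tue, 09 Apr 2019 10:30:00 +0000

Attached is the updated schedule for review.
"""

def score_probe(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one raw RFC 5322 message.
    Each matched reconnaissance trait adds one point."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + INTERNAL_DOMAIN):
        reasons.append("external sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body else ""
    if not text and not list(msg.iter_attachments()):
        reasons.append("blank body")
    if len(msg.get("Subject", "").strip()) <= 1:
        reasons.append("trivial subject")
    date_hdr = msg.get("Date")
    if date_hdr:
        # Hour is taken as written in the Date header; convert to local
        # time before comparing in a real deployment.
        sent = parsedate_to_datetime(date_hdr)
        if sent.hour not in WORK_HOURS or sent.weekday() >= 5:
            reasons.append("outside work hours")
    return len(reasons), reasons

def is_probe(raw: str, threshold: int = 3) -> bool:
    """Flag a message as a likely validation probe when it matches
    at least `threshold` of the four traits."""
    return score_probe(raw)[0] >= threshold
```

Flagged messages are candidates for alerting or for correlation across recipients, since the same sender probing many mailboxes is a stronger signal than any single blank email.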