These devious cybercriminals impersonate law firms to steal your data

A laptop showing lots of email notifications
(Image credit: Shutterstock)

Cybersecurity researchers have spotted crooks impersonating major law firm powerhouses to try and trick people into making payments for bogus work. 

Experts from Abnormal Security uncovered a brand new Business Email Compromise (BEC) attack, conducted by a threat actor dubbed Crimson Kingsnake.

In the attack, the threat actors would send out an email, pretending to be one of a number of large American law firms, requesting payment for work that was allegedly done months ago. 

Talking to themselves

The targets are most likely chosen at random, in what researchers describe as “blind BEC attacks” - so in other words, the attackers would cast a wide net and see what sticks.

The email itself is quite meticulously crafted, using big names such as Kirkland & Ellis, Sullivan & Cromwell, and Deloitte. Obviously, it’s typosquatted (the email address is almost identical to the authentic email belonging to the impersonated law firm, but not quite identical), but the body holds all the right logos and letterheads. It’s also punctual, which is not a feature we usually see in BEC and phishing attacks.

It gets even more interesting when the victim challenges the attacker. Should they question the work, the payment, or anything else of the sorts, the attackers would add in a third persona, a fake executive from the target firm, who would then “confirm” the authenticity of the request, and “approve” the payment.

"When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company," the report reads. 

“When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and “authorizes” the employee to proceed with the payment."

Despite everyone’s best efforts, phishing emails and business email compromise attacks are still one of the most popular ways for cybercriminals to conduct their raids. Employees on the receiving end of these emails are often reckless, overworked, or distracted, doing things they wouldn’t normally do, including making wire transfers, downloading attachments, signing into services through links provided in the email, etc. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.