The threat actors extensively research their target’s responsibilities and relationship with the CEO and create spoofed email accounts that look like real ones.

Abnormal Security has identified two groups that are using executive impersonation to execute business email compromise (BEC) attacks on companies worldwide. The first group, Midnight Hedgehog, engages in payment fraud, while the second group, Mandarin Capybara, executes payroll diversion attacks. Both groups have launched BEC campaigns in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish, the researchers noted.

While attacking targets across various regions and using multiple languages is not new, in the past these attacks were perpetrated mainly by sophisticated organizations with bigger budgets and more advanced resources, Crane Hassold, director of Threat Intelligence at Abnormal Security, wrote in his research. As technology has become more accessible and affordable, the barrier to entry has dropped, making it easier for threat actors to carry out BEC attacks. The scammers behind the attacks use the same commercial online services that sales and marketing teams rely on to identify prospects and personalize communications. They also use automated translation tools, including Google Translate, to instantly translate their malicious emails into whatever language they need.

Midnight Hedgehog payment fraud

Midnight Hedgehog uses executive impersonation, typically posing as a company CEO, to deceive recipients into making payments for bogus services. The threat actors extensively research their target’s responsibilities and relationship with the CEO and create spoofed email accounts that look like the real ones. Usually, the group targets finance managers or executives who are responsible for initiating the company’s financial transactions, Abnormal Security said.
The attacks from this group have been observed dating back to January 2021, and have been sent from accounts hosted on a variety of free webmail providers such as Gmail, Yandex, Earthlink, and Web.de, as well as domains created by the group and registered with NameCheap or GoDaddy. The researchers noted that the individuals in the group are likely located in countries such as England, Canada, the US, and Nigeria. Midnight Hedgehog uses two versions of initial emails in its campaigns, which are written in 11 languages including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish.

In the first version of the email, the actor impersonates a CEO who makes an urgent request for the target to complete a payment to a company in England. In the second version, the impersonator asks the target to share the company’s current bank account balance and requests that they promptly complete a payment for a specified amount. Once a recipient responds to the group’s initial email, the attacker provides the details for a bank account where the requested payment should be sent.

The payments for these bogus services have ranged from €16,000 to €42,000 (approximately $17,000 to $45,000), according to the researcher. Most of the mule accounts linked to Midnight Hedgehog are located in the UK, which supports the evidence that the group has a physical presence there. “We’ve also seen the group use mule accounts located at banks in Portugal, Germany, France, and Italy,” Hassold wrote.

Mandarin Capybara’s payroll diversion

Mandarin Capybara targets human resources employees in payroll diversion attacks, asking them to change the executive’s direct deposit details to another account under the group’s control. The earliest attack by the group can be traced back to February 2021.
The group uses Gmail accounts to carry out its attacks, updating the display name in each email to spoof the name of the executive who’s being impersonated.

Mandarin Capybara has targeted companies in North America, Australia, and Europe. “We’ve observed the group target American and Australian companies in English, Canadian organizations in French, and European companies in six languages, including Dutch, French, German, Italian, Portuguese, and Spanish,” Abnormal Security noted. In the initial email, the attacker asks if they can update the employee’s payroll account. “We’ve observed multiple instances where the group has launched a BEC campaign in one language, then initiated a second campaign from the same email account in a second language,” the researcher noted.

In the US, the most common banks used by payroll diversion actors are Green Dot, GoBank, Sutton Bank, and MetaBank, which are all linked to either prepaid cards or mobile payment services. Mandarin Capybara has set up mule accounts at European fintech institutions, including Revolut, Saurus, Monese, Bunq, and SisalPay, to receive funds from its payroll diversion attacks.

BEC scams continue to be a growing threat

BEC attacks represent the most expensive threat currently facing organizations internationally. Since 2016, BEC attacks have consistently ranked at the top of the FBI’s list of costliest cybercrimes. BEC attacks accounted for more than one-third of all financial losses from cyberattacks in 2021, totaling nearly $2.4 billion in damage for the year. Between July and December 2022, there was an 81% increase in BEC attacks.
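As an added example (not part of the article or of Abnormal Security’s tooling), the check below flags the two impersonation patterns the article describes: an executive’s display name on a free-webmail address, and on a domain that merely resembles the corporate one. The corporate domain, executive list, the webmail providers beyond those named in the article, and the sample headers are assumptions constructed for the example.

```python
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed for the example: the protected organisation and its executives.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe", "John Smith"}

# Providers named in the article (Gmail, Yandex, Earthlink, Web.de) plus
# a few other common free webmail domains (assumption, extend to taste).
FREE_WEBMAIL = {"gmail.com", "yandex.com", "earthlink.net", "web.de",
                "yahoo.com", "outlook.com", "hotmail.com"}

def normalize_name(name: str) -> str:
    # Collapse case, punctuation and word order so "Doe, Jane" == "jane doe".
    parts = name.replace(",", " ").replace(".", " ").lower().split()
    return " ".join(sorted(parts))

def domain_similarity(domain: str) -> float:
    # Character-level similarity to the real domain; catches c0rp/corp swaps.
    return SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio()

def classify_sender(from_header: str, reply_to_header: str = "") -> str:
    """Return 'ok' or a 'suspicious: ...' reason for one message's headers."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    exec_names = {normalize_name(e) for e in EXECUTIVES}
    name_matches_exec = normalize_name(display) in exec_names

    if domain == CORPORATE_DOMAIN:
        # Genuine internal sender, unless replies are steered off-domain.
        _, reply = parseaddr(reply_to_header)
        if reply and not reply.lower().endswith("@" + CORPORATE_DOMAIN):
            return "suspicious: reply-to redirected off-domain"
        return "ok"
    if name_matches_exec and domain in FREE_WEBMAIL:
        return "suspicious: executive display name from free webmail"
    if name_matches_exec and domain_similarity(domain) >= 0.85:
        return "suspicious: executive display name from lookalike domain"
    if name_matches_exec:
        return "suspicious: executive display name from external domain"
    return "ok"

if __name__ == "__main__":
    # Constructed sample From headers, not taken from any real campaign.
    for hdr in ['"Jane Doe" <ceo.jane.doe@gmail.com>',
                'Jane Doe <jane.doe@example-c0rp.com>',
                'Jane Doe <jane.doe@example-corp.com>',
                'Vendor Billing <ap@vendor.example>']:
        print(f"{hdr!r:50} -> {classify_sender(hdr)}")
```

The display-name match is deliberately loose (word order and punctuation ignored) because the article notes attackers only need the name to look right to the recipient; tighten the similarity threshold if legitimate partner domains trigger the lookalike rule.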