Apurva Venkat
Special Correspondent

BEC groups are using Google Translate to target high value victims

Feb 16, 2023

The threat actors extensively research their target’s responsibilities and relationship with the CEO and create spoofed email accounts that look like real ones.


Abnormal Security has identified two groups that are using executive impersonation to execute business email compromise (BEC) attacks on companies worldwide. 

The first group, Midnight Hedgehog, engages in payment fraud, while the second group, Mandarin Capybara, executes payroll diversion attacks. Both groups have launched BEC campaigns in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish, the researchers noted.

While attacking targets across various regions and using multiple languages is not new, in the past these attacks were perpetrated mainly by sophisticated organizations with bigger budgets and more advanced resources, Crane Hassold, director of Threat Intelligence at Abnormal Security, wrote in his research.

As technology becomes more accessible and affordable, it has lowered the entry barrier, making it easier for threat actors to carry out BEC attacks. The scammers behind the attacks use the same commercial online services that sales and marketing teams rely on to identify prospects and personalize communications. They also use automated translation tools, including Google Translate, to instantly translate their malicious emails into whatever language they need.

Midnight Hedgehog payment fraud

Midnight Hedgehog uses executive impersonation, typically posing as a company CEO, to deceive recipients into making payments for bogus services. 

The threat actors extensively research their target’s responsibilities and relationship with the CEO and create spoofed email accounts that look like the real ones. Usually, the group targets finance managers or executives who are responsible for initiating the company’s financial transactions, Abnormal Security said.

The attacks from this group have been observed dating back to January 2021, and have been sent from accounts hosted on a variety of free webmail providers such as Gmail, Yandex, and Earthlink, as well as from domains created by the group and registered with NameCheap or GoDaddy.

The researchers noted that the individuals in the group are likely located in countries such as England, Canada, the US, and Nigeria. Midnight Hedgehog uses two versions of initial emails in their campaigns, which are written in 11 languages including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish.

In the first version of the email, the actor impersonates a CEO who makes an urgent request for the target to complete a payment to a company in England. In the second version, the impersonator asks the target to share the company’s current bank account balance and requests that they promptly complete a payment for a specified amount. Once a recipient responds to the group’s initial email, the attacker provides the details for a bank account where the requested payment should be sent.

The payments for these bogus services have ranged from €16,000 to €42,000 (approximately $17,000 to $45,000), according to the researcher. Most of the mule accounts linked to Midnight Hedgehog are located in the UK, which supports the evidence that the group has a physical presence there. “We’ve also seen the group use mule accounts located at banks in Portugal, Germany, France, and Italy,” Hassold wrote.

Mandarin Capybara’s payroll diversion 

Mandarin Capybara targets human resources employees in payroll diversion attacks, asking them to change the executive’s direct deposit details to another account under the group’s control. The earliest attack by the group can be traced back to February 2021. The group uses Gmail accounts to carry out their attacks, updating the display name in each email to spoof the name of the executive who’s being impersonated.

Mandarin Capybara has targeted companies in North America, Australia, and Europe. “We’ve observed the group target American and Australian companies in English, Canadian organizations in French, and European companies in six languages, including Dutch, French, German, Italian, Portuguese, and Spanish,” Abnormal Security noted. 

In the initial email, the attacker asks if they can update the employee’s payroll account. “We’ve observed multiple instances where the group has launched a BEC campaign in one language, then initiated a second campaign from the same email account in a second language,” the researcher noted. 

In the US, the most common banks used by payroll diversion actors are Green Dot, GoBank, Sutton Bank, and MetaBank, which are all linked to either prepaid cards or mobile payment services. Mandarin Capybara has set up mule accounts at European fintech institutions, including Revolut, Saurus, Monese, Bunq, and SisalPay, to receive funds from their payroll diversion attacks.
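Both groups rely on the same detectable pattern: a display name that matches a real executive, a sender address on a free webmail or look-alike domain, and a pretext (an urgent payment, a bank balance request, or a direct deposit change). The following triage rule is an added example written for this article, not code from Abnormal Security; the executive roster, corporate domain and sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Constructed for this example: an executive roster and the organization's
# legitimate sending domains (hypothetical, not from the article).
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}
CORPORATE_DOMAINS = {"example.com"}
# Free webmail providers the article reports the groups sending from.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "yandex.com", "earthlink.net"}

# Pretexts described in the article: urgent payment, bank balance request,
# and payroll / direct deposit changes.
PRETEXT_PATTERNS = [
    r"\burgent\b.*\bpayment\b",
    r"\bbank account balance\b",
    r"\b(direct deposit|payroll)\b",
]

def normalize(name):
    """Lower-case a display name and strip punctuation so 'Jane D. Doe' style variants compare."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()

def assess(from_header, subject, body):
    """Return the list of reasons a message looks like executive impersonation (empty if none)."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    exec_name = normalize(display)
    if exec_name in EXECUTIVES and domain not in CORPORATE_DOMAINS:
        reasons.append(f"display name matches {EXECUTIVES[exec_name]} but sender domain is {domain}")
        if domain in FREE_WEBMAIL:
            reasons.append("sender domain is a free webmail provider")
    text = f"{subject}\n{body}".lower()
    for pat in PRETEXT_PATTERNS:
        if re.search(pat, text, re.S):
            reasons.append(f"pretext matches /{pat}/")
    return reasons

def is_suspicious(from_header, subject, body):
    """Flag only when the identity mismatch AND a BEC pretext are both present, to limit false positives."""
    reasons = assess(from_header, subject, body)
    return any(r.startswith("display name matches") for r in reasons) and any(r.startswith("pretext") for r in reasons)

SAMPLE = [  # constructed messages: two impersonation attempts and one legitimate internal mail
    ("Jane Doe <jane.doe.ceo@gmail.com>", "Quick request", "Are you free? I need an urgent payment to a supplier in England today."),
    ("Jane Doe <jane.doe@example.com>", "Board deck", "Please send the latest draft."),
    ("John Smith <j.smith.office@gmail.com>", "Payroll", "Can you update my direct deposit before the next run?"),
]

if __name__ == "__main__":
    for frm, subj, body in SAMPLE:
        print(frm, "->", "SUSPICIOUS" if is_suspicious(frm, subj, body) else "ok", assess(frm, subj, body))
```

In a real mail pipeline the roster would come from the directory service and the rule would feed a quarantine or banner rather than a print.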

BEC scams continue to be a growing threat

BEC attacks represent the most expensive threat currently facing organizations internationally. Since 2016, BEC attacks have consistently ranked at the top of the FBI’s list of costliest cybercrimes. 

BEC attacks accounted for more than one-third of all financial losses from cyberattacks in 2021, totaling nearly $2.4 billion in damage for the year. Between July and December 2022, there was an 81% increase in BEC attacks.  


Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
