
Spear Phishing Scams: The CEO Impersonation Fraud Threatening IT Companies

While investigating phishing cases of various customers, CloudSEKs’ analysts identified a spear phishing campaign targeting multiple corporations.

Author: Aarushi Koolwal
Published: February 6, 2023
Green Alert
Last updated: February 3, 2024
Co-author: Deepanjli Paulraj

Category: Adversary Intelligence

Type: Spear phishing

Industry: IT

Region: India

Executive Summary

  • While investigating phishing cases of various customers, CloudSEK's analysts identified a spear phishing campaign targeting multiple corporations.
  • In this scam, the scammer pretends to be the CEO of the company and sends a WhatsApp message to employees (mostly top-level executives) on their personal phone numbers.
  • This report explains the TTPs (Tactics, Techniques and Procedures) used by these fraudsters, including the misuse of business information tools, and gives recommendations for future prevention.

Highlight: In recent investigations, the scammers used the CEO's publicly available pictures as their WhatsApp profile picture, a social engineering tactic meant to convince the victim that the message is genuine.

Figure 1: WhatsApp message received by employees

Modus Operandi of the Scam

While investigating the incident for the modus operandi and the likely Tactics, Techniques and Procedures, we discovered the following:

  1. The scam starts with employees receiving an SMS-based message from an unknown number that allegedly comes from a top-ranking executive of the organization. Impersonating a top-ranking executive is meant to instill urgency and panic.
  2. If the recipient of the SMS responds, the scammer asks them to complete a quick task. These tasks commonly include:
     • purchasing gift cards for a client or employee, and/or
     • wiring funds to another business.
  3. In some cases, the scammer may ask employees to send personal information (such as PINs and passwords) to third parties, often providing a plausible reason for the request.

Based on our experience in investigating similar incidents, we observed the following:

  • Threat actors often use commanding and persuasive language to convince the victim to respond.
  • The timeline to execute the action is short and the task is framed as urgent; in some cases the scammer sends multiple follow-up messages asking when the request will be completed and stressing its importance.
  • Similar to the "phishing" scams seen over email, this version relies on text messages that lure potential victims into disclosing information or clicking on a link.
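The observations above (unknown number, claimed executive identity, urgency, a gift-card or wire-transfer request, a request for PINs or passwords, repeated pressure to reply) can be turned into a simple triage heuristic for messages that employees forward to the security team. The following Python script is an added example written for this post; it is not CloudSEK's code or tooling. The executive names, the corporate phone numbers, the sample messages, the indicator patterns, their weights and the verdict thresholds are all constructed assumptions that a real deployment would replace with its own directory data and tuning.

```python
import re
from dataclasses import dataclass

# Constructed reference data (hypothetical): a real deployment would load the
# executive list from HR and the known numbers from the corporate phone directory.
PROTECTED_EXECUTIVES = ["Priya Sharma", "Rahul Mehta"]
KNOWN_CORPORATE_NUMBERS = {"+919000000001", "+919000000002"}

# Executive titles that a scammer may claim in the first message.
EXEC_TITLES = re.compile(r"\b(ceo|cfo|coo|cto|managing director|chairman)\b", re.I)

# Text indicators mirroring the observed TTPs: (name, pattern, weight).
# Weights are assumptions chosen so that a request-type cue plus an
# impersonation cue is enough to flag a message for review.
TEXT_INDICATORS = [
    ("urgency",
     re.compile(r"\b(urgent(ly)?|asap|right away|immediately|in a meeting|can'?t talk|quick favou?r)\b", re.I), 2),
    ("gift_card_request",
     re.compile(r"\b(gift|itunes|google play|amazon|steam)\s*(cards?|vouchers?)\b", re.I), 3),
    ("wire_transfer",
     re.compile(r"\b(wire|transfer|send)\s+(the\s+)?(funds?|money|payment)\b", re.I), 3),
    ("credential_request",
     re.compile(r"\b(pin|password|otp|passcode)\b", re.I), 3),
    ("secrecy",
     re.compile(r"\b(keep (this|it) (confidential|between us)|don'?t (tell|mention))\b", re.I), 2),
    ("reply_pressure",
     re.compile(r"\b(are you (there|available)|have you done (it|this)|let me know when)\b", re.I), 1),
]


@dataclass
class Assessment:
    score: int
    indicators: list
    verdict: str


def normalise_number(number: str) -> str:
    """Keep only digits and a leading '+' so spacing or hyphens do not matter."""
    return re.sub(r"[^\d+]", "", number)


def verdict_for(score: int) -> str:
    """Map a score to a triage verdict (thresholds are assumptions)."""
    if score >= 7:
        return "likely CEO fraud"
    if score >= 3:
        return "suspicious"
    return "low risk"


def score_message(sender: str, text: str,
                  executives=PROTECTED_EXECUTIVES,
                  known_numbers=KNOWN_CORPORATE_NUMBERS) -> Assessment:
    """Score one reported SMS/WhatsApp message against the CEO-fraud indicators."""
    hits, score = [], 0

    # Messages from numbers outside the corporate directory are the first cue.
    if normalise_number(sender) not in known_numbers:
        hits.append("unknown_sender")
        score += 2

    # A claimed executive identity: a protected name or an executive title.
    lowered = text.lower()
    if EXEC_TITLES.search(text) or any(name.lower() in lowered for name in executives):
        hits.append("executive_impersonation")
        score += 3

    # Each text indicator counts once, however many times it appears.
    for name, pattern, weight in TEXT_INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight

    return Assessment(score=score, indicators=hits, verdict=verdict_for(score))


if __name__ == "__main__":
    # Constructed sample messages of the kind an employee might forward.
    samples = [
        ("+91 98765 43210", "Hi, this is Priya Sharma (CEO). I'm in a meeting and can't talk. "
                            "I need you to buy 5 Amazon gift cards for a client urgently and "
                            "send me the codes. Keep this between us."),
        ("+91 90000 00001", "Team lunch moved to 1pm tomorrow, see the calendar invite."),
        ("+44 7700 900123", "Are you there? Please send me the PIN for the corporate card, I need it now."),
    ]
    for sender, text in samples:
        result = score_message(sender, text)
        print(f"{result.verdict:18} score={result.score:2} {result.indicators}")
```

The scorer is deliberately transparent: every point in the score is traceable to one named indicator, so an analyst reviewing a flagged message can see which cue fired and whether it is a false positive (an executive legitimately texting from a new phone, for example) before escalating.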

How was information likely gained by scammers?

Information on Senior And Management level executives

Senior employees of the organization can be looked up on LinkedIn. Threat actors then use popular sales intelligence or lead generation tools such as SignalHire, ZoomInfo and RocketReach to gather PII such as email addresses, phone numbers, and more. These business databases have their own methods for obtaining, verifying, and then selling the contact details of an entity's employees.

Common techniques to extract information

SignalHire's LinkedIn email extractor is a tool built to navigate LinkedIn profiles and collect the contact information of people relevant to a business. The following examples show how senior employees' personal contact details can be extracted from LinkedIn using SignalHire:

Figure 2: SignalHire information extraction from LinkedIn

Information from open source and cybercrime forum

CloudSEK’s flagship digital risk monitoring platform XVigil contains a module called “Underground Intelligence” which provides information about the latest Adversary, Malware, and Vulnerability Intelligence, gathered from a wide range of sources, across the surface web, deep web, and dark web.

While triaging discussions on TOR-based (dark web) and surface web cybercrime forums and marketplaces, our threat researchers discovered multiple posts offering for sale databases from companies like SignalHire that allegedly contain the personal phone numbers of employees of various corporations.

Figure 3: Threat actors' posts on the cybercrime forum

The Conti ransomware first appeared as a sophisticated Ransomware-as-a-Service (RaaS) in 2019. The group uses multiple methods to distribute its ransomware. The most common one is phishing, which includes spear-phishing campaigns and social engineering techniques that induce victims to hand over more information or access credentials.

One of the techniques used by the Conti group is gathering information from business information services like ZoomInfo and SignalHire.

Figure 4: Source: Infosecurity Magazine

Mitigation & Future Prevention

  • Cyber security awareness programs must be organized for all employees to educate them about ongoing cyberattacks.
  • Any payment request with new or amended bank details, whether received by email, letter or phone, should be independently verified through a known channel before money is moved.
  • Be cautious about how much information you reveal about your company and its key officials on social media platforms and elsewhere on the internet.
  • B2B directories provide contact details for business purposes; most of them therefore also offer a "removal request" feature, through which a targeted entity can contact the directory and have its own data removed from the platform.


About the author

Aarushi Koolwal is an avid cyber security learner.
