Detailed by cybersecurity researchers at Abnormal Security, an organized cyber criminal group – dubbed Lilac Wolverine – has fine-tuned techniques that pull on people’s heartstrings.  They include false claims that the gift cards are meant for people who’ve been diagnosed with or lost relatives to serious illnesses, with the claim that they can’t buy because their bank card is missing, or because they’re out of the country.  In what researchers describe as an “extremely high attack volume” and “one of the most prolific” BEC campaigns today, one of the elements that makes it look more realistic to victims – and potentially more successful for the scammers – is hacking into real email accounts.  According to researchers, this is likely achieved with phishing attacks, using passwords leaked in an earlier an data breach or simply because the password securing the account is common or re-used.   But once an email address is successfully compromised, the attackers don’t use the account itself to send out BEC campaigns.   Also: A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed Instead they copy the victim’s address book and set up a lookalike account, using the same name and username, or if that isn’t available, making very subtle, often unnoticeable changes. The attackers use free webmail services to set up these accounts.  It’s these newly generated email accounts that are used to send out BEC phishing lures to the first victim’s contacts. They’re designed to look like the real account and they do come from the real address, but the reply address is to the newly created account used by the scammers.  Setting up one of these accounts sounds elaborate, but it means there’s less chance of the victim of the initial account hack will notice something is wrong.  “They likely use a separate, lookalike account so the owner of the compromised account doesn’t get alerted if and when someone responds to an email they didn’t send. Instead, any responses go to the lookalike account controlled by the attacker,” Crane Hassold, director of threat intelligence at Abnormal Security, told ZDNET.  Ultimately, by making the BEC email look like it comes from someone the targets know, rather than a stranger or a vague contact address, it makes it more likely that the attackers will succeed in scamming victims.  This is also achieved by not bringing up the idea of needing a gift card in the initial email, which looks innocuous enough, asking the receivers if they want to catch up, asking for a favor or asking where they do their online shopping.   It’s only if the victim responds to the initial spoofed email that the scammers will send an additional message requesting a gift card.  It’s here they attempt to emotionally manipulate victims, using claims of bank cards not working and needing to urgently buy a gift for someone dealing with serious illnesses. “The pretexts the group uses in their BEC campaigns are meant to elicit an emotional response that they hope would persuade a target to comply with their request,” said Hassold.   “Like other gift card BEC attacks, since the target population is substantially larger than other types of attacks, their success rate doesn’t need to be that high to get a good return on investment on their campaigns,” Hassold said.  Also: Your biggest cybercrime threat has almost nothing to do with technology It’s believed that the campaign is still active and that people should be made aware of telltale signs of BEC gift card scams. These include unexpected urgent requests – particularly if they’re trying to use emotional subjects requiring swift action – and messages that don’t sound like they come from who they say they come from.  If you’re unsure if the message is real, if possible, you should check with the person sending it by calling them on the phone or checking with them in person.  And to prevent your email being abused to send out BEC scams to your contacts, it’s recommended that you use a strong password and multi-factor authentication to help protect your account. 

MORE ON CYBERSECURITY

US judge sentences men for $1.5 million Apple Gift Card scamRaising cybersecurity awareness is good for everyone - but it needs to be done betterThe scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threatsThe next big security threat is staring us in the face. Tackling it is going to be toughThe biggest cyber-crime threat is also the one that nobody wants to talk about