Educause Security Discussion mailing list archives

Targeted Spearphish attacks impersonating dept heads, directors


From: randy <marchany () VT EDU>
Date: Fri, 14 Sep 2018 14:35:53 -0400

One of my analysts sent this out to our local techie list. I thought the
info in it would be appropriate for this list. FYI.

---------------
The Security Office has noticed a number of Business E-mail Compromise
(BEC) phishing emails recently and wanted to make sure the Techsupport
community was aware.  These emails generally are from a spoofed VT email
address that is masquerading as a Department Head or Director.  They
generally target individuals that are related to purchasing or finance
within the group.  The spear-phishing attempts leverage publicly available
information.

It works as follows.  The spoofed email from a higher up will ask the
employee to pay some invoice or purchase something from a particular
vendor.  The higher up is in a meeting and will be tied up all day long but
this is a high priority rush, can the employee take care of it
immediately.  When the employee responds, a back and forth communication
can happen where they try to persuade the employee to complete the
transaction.  Usually the invoice that the scammer creates will be a valid
business that the Department already uses or is familiar with.  The
payment routing is generally to an individual involved in the scam.

There are some interesting variations we’ve seen on these.  In a few,
they’ve asked to purchase gift cards that they want to use as giveaways
or as prizes for some upcoming event.  Some have been to make online
purchases and ship directly to individuals.  In all of these cases, the
scammers have done a lot of research including the VT and Departmental
websites, State procurement records, LinkedIn and other similar sites.
They identify the relationships in a department and can target the right
individuals that have access to make payments.

The FBI has a page on this:

https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise

And here are some additional links with more information and examples of
companies that have fallen prey to this.

https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
https://resources.infosecinstitute.com/5-real-world-examples-business-email-compromise/

Thank you,

Jeff Lang

---------------------------------------------------

Jeffry Lang
IT Security Operations (0284)
1300 Torgersen Hall, Virginia Tech
620 Drillfield Dr.
Blacksburg VA 24061
540-231-4117
jefflang () vt edu
--------------------------------------------------
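
Added example, not part of the original message or of VT's tooling: a mail-triage check for the pattern the notice describes (an on-domain sender asking for a rush payment or gift cards). The off-domain Reply-To test, the Authentication-Results header, the lure-term list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "vt.edu"  # institution domain named in the notice
# Lure themes taken from the notice: invoices, purchases, gift cards, "in a meeting", rush.
LURE_TERMS = ("invoice", "gift card", "payment", "purchase", "in a meeting",
              "urgent", "high priority", "immediately")

# Constructed sample message (not real traffic).
SPOOFED = """\
From: "Dept Head" <dept.head@vt.edu>
Reply-To: dept.head.vt@mailbox.example
Subject: Urgent request
Authentication-Results: mx.example; spf=fail; dmarc=fail

I am in a meeting all day. Please buy gift cards for an event immediately.
"""


def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def in_org(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def bec_indicators(raw_message):
    """Return the reasons a message matches the BEC pattern, empty if none."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Assumption: replies are steered to the scammer through an off-domain Reply-To.
    if in_org(from_dom) and reply_dom and not in_org(reply_dom):
        reasons.append("reply-to-external:" + reply_dom)
    # Assumption: the receiving mail server stamps Authentication-Results itself.
    auth = (msg["Authentication-Results"] or "").lower()
    if in_org(from_dom) and ("spf=fail" in auth or "dmarc=fail" in auth):
        reasons.append("sender-auth-fail")
    body = msg.get_payload()
    text = ((msg["Subject"] or "") + " " + (body if isinstance(body, str) else "")).lower()
    hits = [t for t in LURE_TERMS if t in text]
    if len(hits) >= 2:  # one term alone is ordinary business mail
        reasons.append("lure-terms:" + ",".join(hits))
    return reasons
```

Any single indicator is weak on its own; a message that trips two or more is a candidate for holding or for out-of-band confirmation with the named sender.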
