Scammers behind business email compromise (BEC) attacks have adjusted their tactics to match the current situation given the tens of millions of employees working from home during the COVID-19 outbreak.
Normally they have tried to convince victims to buy gift cards as a quick favor for one of their company’s executives; now they have switched to asking for digital gift cards, since brick-and-mortar stores are either closed or much harder to reach because of lockdowns.
“All a threat actor needs to do is ask unsuspecting victims to send them a picture of the physical gift cards, which can then be sold for roughly 70% of face value in bitcoin,” Agari researchers who discovered this recent development explain.
“This tried and true method is a gateway for laundering money and it isn’t just for BEC gangs, either,” they add. “But in the age of shelter-in-place orders and quarantines, this approach won’t cut it anymore.”
For instance, two Chinese nationals were charged in early March with allegedly laundering millions of dollars’ worth of cryptocurrency for the North Korean-backed Lazarus Group by converting it into Chinese yuan and Apple gift cards.
Online stores are always open
The hook used by the scammers to trick their victims is still the same: while impersonating their company’s CEO or another executive, they ask them to buy digital gift cards for any number of reasons such as an employee bonus or a vendor payment.
At some point in the exchange, the crooks tell the victims to continue the conversation over SMS, sidestepping email protections that could otherwise detect and expose the scam.
Before the pandemic, victims were asked to buy the gift cards from a nearby store; now scammers ask them to buy online, bypassing the limits imposed on in-store gift card purchases and leading to much higher payouts.
“One BEC group we track that usually requests checks from BEC victims—a gang we’ve code-named Exaggerated Lion—has recently included gift card requests in their repertoire, asking for as much as $15,000 in ‘surprise’ gift cards for employees,” Agari’s research team said.
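The pattern described above (an executive’s name on an external address, a gift card request, a push to move to SMS, a request for card pictures or codes) can be turned into a simple triage scorer for an inbound-mail queue. The following is an added example written for this page, not code from Agari or BleepingComputer; the company domain example.com, the executive list and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Message:
    from_name: str   # display name shown to the recipient
    from_addr: str   # actual sender address
    body: str

# Constructed assumptions for this example: the organisation's own domain
# and the display names of executives that scammers might impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

# Body-text indicators drawn from the behaviour described in the article.
INDICATORS = {
    "gift_card_request": re.compile(r"\b(e-?|digital )?gift ?cards?\b", re.I),
    "move_to_sms": re.compile(r"\b(text me|cell ?(phone|number)|via sms|mobile number)\b", re.I),
    "card_details_requested": re.compile(r"\b(picture|photo|scratch|codes?|pin)\b", re.I),
    "urgency_or_secrecy": re.compile(r"\b(asap|urgent|surprise|confidential|don'?t tell)\b", re.I),
}

def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; the whole string if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower()

def analyse(msg: Message, company_domain: str = COMPANY_DOMAIN,
            executives: set = EXECUTIVES) -> list:
    """Return the list of indicator names that fire for one message."""
    hits = []
    # Display-name impersonation: an executive's name on a non-company address.
    if msg.from_name.strip().lower() in executives and sender_domain(msg.from_addr) != company_domain:
        hits.append("executive_name_external_sender")
    for name, pattern in INDICATORS.items():
        if pattern.search(msg.body):
            hits.append(name)
    return hits

def verdict(hits: list) -> str:
    """Collapse indicator hits into a triage label for an analyst queue."""
    if "executive_name_external_sender" in hits and "gift_card_request" in hits:
        return "likely BEC gift-card scam"
    if len(hits) >= 2:
        return "suspicious"
    return "no indicators"

# Constructed sample messages: one matching the article's scam pattern, one benign.
SCAM = Message("Jane Doe", "jane.doe.ceo@webmail.invalid",
               "Hi, I need you to buy digital gift cards as a surprise bonus for staff ASAP. "
               "Text me on my cell number when done and send a picture of the codes.")
BENIGN = Message("Jane Doe", "jane.doe@example.com",
                 "Please send the Q2 vendor payment report by Friday.")
```

The display-name check is the piece that matters most in practice: keyword hits alone only raise the message for review, while an executive's name paired with an external sender and a gift card request is flagged outright.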
Stolen money harder to track as digital gift cards
Right before the current COVID-19 outbreak, Agari also observed BEC crime rings asking their targets to get gift cards from local pharmacies like CVS and Walgreens or from other businesses deemed “essential” by the US government to avoid sending the victims to already closed shops.
“While we don’t yet have concrete evidence about how these stores come into play, it seems a safe assumption that victims asked to buy gift cards either comply, or are refusing to venture out and are instead looking for safer alternatives to make the purchase,” Agari found.
“The safest way for the scammers to cash out is through digital gift cards, and they just started doing it.”
What makes such scams harder to investigate is the lack of a central tracking system that would let investigators follow the money as it is converted into fiat currency.
This and the fact that using digital gift cards allows the scammers to get an even bigger payout will most certainly lead to this new method being adopted by most BEC crime rings.
Increasing number of pandemic-related BEC attacks
The FBI warned yesterday of a rise in the number of BEC scams that exploit the COVID-19 pandemic, with scammers targeting US municipalities, financial institutions, and bank customers.
“Recently, there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19,” the FBI said.
A BEC scam group tracked by Agari researchers as Ancient Tortoise was the first spotted using the COVID-19 pandemic as leverage in BEC attacks, as BleepingComputer reported last month.
The FBI’s Internet Crime Complaint Center (IC3) published its 2019 Internet Crime Report in February, revealing that BEC was the cybercrime behind the highest reported total victim losses in 2019, at around $1.8 billion.
If your employees are working from home, The Cloud Consultancy can help you with VPNs, Password Management, Multi-Factor Authentication, Firewalls, Fast 4G LTE Connectivity and more. We also provide tailored remote training to ensure that you, your staff and stakeholders are informed and educated about good cyber security practices, along with Office 365 training on how to use Microsoft Teams.