Double-check demand payment emails from law firms: Convincing fakes surface

A new threat group called Crimson Kingsnake is impersonating real law companies and debt recovery services to intimidate businessess into paying bogus overdue invoices.

The cybercrime gang's business email compromise (BEC) campaign is targeting marks in the US, Europe, Australia, and the Middle East using blind third-party impersonation tactics, via email addresses hosted on domains that closely resemble the firms' real domains, and sending emails that include the actual address and VAT number of the impersonated companies.

All of this is to reinforce the legitimacy of the messages, according to researchers with cloud email security company Abnormal Security. The emails look real and if the targets were to search Google for the lawyers' or law firms' names, they would seem legitimate.

If a targeted employee questions the invoice, the threat group at times will send another bogus email supposedly from an executive at the employee's company clarifying the legitimacy of the invoice

The Abnormal Security researchers say in a report that since March, they have detected 92 domains linked to Crimson Kingsnake that are impersonating the domains of 19 legal eagles and debt collection agencies in the US, UK, and Australia. Many of the firms are "major, multinational practices with a global footprint," they write.

The Crimson Kingsnake campaign is part of the growing threat from BEC attacks. In a report about email threats in the first half of the year, Abnormal Security found that BEC attacks increased 84 percent year-over-year. The security company added that BEC remains a low-volume problem – less than one per 1,000 mailboxes – compared with other kinds of scams, but they also resulted in almost $2.4 billion in losses in 2021.

That figure echoes what the FBI reported earlier this year, adding that there were almost 20,000 BEC victims in 2021.

• Online romance scamlord who netted $9.5m jailed for 25 years
• Interpol: We can't arrest our way out of cybercrime
• This big phish can swim around MFA, says Microsoft Security
• We regret to inform you the professor teaching your online course is already dead

Blind third-party impersonation attacks are a subset of BEC – different from those involving internal employees – and accounted for more than half of all BEC attacks in the first half of 2022, according to Abnormal Security.

"Unlike other forms of financial supply chain compromise, blind third-party impersonation attacks have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful," the researchers write. "Scammers behind blind impersonation attacks are relying on the hope that, like so many other types of social engineering attacks, a target isn't paying close attention to the email and simply complies with the request."

The attackers back this up with fake invoices that look authentic and include bank account information and real details of the organization they're impersonating. Some even go as far as creating fake email chains with the names and addresses of the victim's associates.

In one example from Crimson Kingsnake's campaign, a company received an email from a lawyer from Simon and Cromwell, a New York-based international law firm, with "unpaid invoice" in the subject line. The message stated that the lawyer was representing a client and "chasing an unpaid invoice issued to your company. I have been advised to contact you on this matter and hoping you can get this settled as soon as possible."

If a target responds to the email, the threat group sends a fake PDF invoice that includes payment account information, a false account of services given, the total amount due, and the law firm's logo. There is a bill number, account reference number, bank account details, and the company's actual VAT (value added tax) ID, which is a number unique to a taxable or non-taxable business. VAT numbers are used in the UK, Europe, Australia, and parts of Asia.

Some of the invoices even include information about who to contact with questions and a "notification of rights." The details and complexity of the invoices could mean that Crimson Kingsnake is using altered versions of the impersonated firms' legitimate invoices, the researchers wrote.

They added that part of the information they've collected tells them that at least some of the threat group's members could be located in the UK.

If a targeted employee questions the invoice, the threat group at times will send another bogus email supposedly from an executive at the employee's company clarifying the legitimacy of the invoice – sometimes referencing an action that supposedly happened months before – and authorizing the payment.

While the email from the impersonated executive is sent from a domain controlled by Crimson Kingsnake, the name displayed includes the executive's email in parentheses, giving the impression that it's from a legitimate source.

Enterprises can reduce the threat of such BEC scams by adopting email security platforms that are more behavioral-based and context-aware and can analyze identities and context, according to Abnormal Security. They also need strong processes in place for outgoing payments, particularly for invoices involving a lot of money.

As with any social-engineering attack, cybersecurity awareness training for employees also is important. ®