The Fraud Gala: Exploring a Recent BEC Campaign
By Cluster25 Threat Intel Team
August 25, 2023
In the modern digital era, businesses operate on a global scale, exchanging information, collaborating, and conducting financial transactions at the speed of light, all this through emails. Yet, this very convenience has paved the way for cybercriminals to exploit human vulnerabilities and manipulate the trust inherent in digital communication. This deceptive phenomenon is known as Business Email Compromise (BEC) scams, a threat that has emerged as a critical concern for organizations of all sizes. For these scams, attackers impersonate key figures within an organization, such as executives or trusted partners, to deceive employees into performing actions they believe are legitimate. These actions often involve transferring funds, revealing sensitive information, or executing other tasks that can lead to financial losses or data breaches. The perpetrators employ various techniques to manipulate human psychology, leveraging urgency, authority, and familiarity to ensure their fraudulent requests are executed without suspicion.
Some common types of BEC scams include what is called CEO Fraud, where scammers impersonate high-ranking executives to request urgent transfers of funds under the guise of confidential deals or unforeseen emergencies, with fake invoice that appear legitimate, targeting employees responsible for processing payments, thus redirecting funds to fraudulent accounts.
In the last few days, Cluster25 observed a BEC campaign using as lure the donation for some non-profit foundations. In all the analyzed cases, the scam email is delivered to employees working in the financial or accounting team, with the CEO’s email address as CC. The attacker asks to make a quite huge donation, about 15k-25k dollars, to the non-profit foundation using the specified bank account, which is actually controlled by the attacker.
INSIGHTS
In this section, we provide an example of the recently observed BEC attack, reporting the entire email message as received by the victim. To increase the effectiveness of the attack, the malicious actor created a complete email thread in which was simulated a conversation with the company CEO (whose address is in the CC of the email), where he agreed to a donation request. As visible in the example below, the CEO replies with “I am pleased to inform you that I am choosing the Premier support level, which is at $25,000. We are excited to be part of your fundraising efforts and to support your organization’s mission.” and then “Please send all invoices to <victim> for payment processing”.
The victim receiving this email thread could think that the payment has been already approved by his/her supervisor, so the wire transfer can be sent without asking for a confirmation.
| Hello <victim>, Please see attached and kindly confirm receipt. Thank you |
| On Mon, Aug 21, 2023 at 11:12 AM <victim> wrote: Thank you, Collins, but the attachment is missing. Please, can you send it again? Regards <victim>From: Collins Birk <co*****@ae****.com> Date: Monday, August 21, 2023 at 3:11 PM To: <CEO>, <victim> Subject: Fw: Gala Premier Sponsorship for AEC Fund Hello <victim>, Attached, as per request of <CEO>, you will find gala and sponsorship invoice Thank you and have a wonderful day. Collins Birk Finance Manager | Special Events President E:co*****@ae****.com Alfred E Chase Foundation, Inc P o Box 653067, Dallas, TX 75265-3067 From: <CEO> Date: Friday, August 18, 2023 at 1:52 PM To: Collins Birk <co*****@ae****.com> Subject: Re: Re: Gala Sponsorship for AEC Fund Hi Collins, Please send all invoices to <victim> for payment processing. Thank you for the updates on SuperValu and C&S Wholesale Grocers. Keep us informed about the events progress. Warm regards, <CEO>From: Collins Birk <co*****@ae****.com> Date: Wednesday, August 16, 2023 at 12:04 PM To: <CEO> Subject: Re: Gala Sponsorship for AEC Fund Hello <CEO>, Thank you for your pledge and interest in sponsoring our gala. We’re thrilled to have you on board as a Premier level sponsor. SuperValu and C&S Wholesale Grocers have responded positively. We’ll keep you updated on your contribution’s impact. Please find a sponsorship pledge invoice attached. Thanks! Collins Birk Finance Manager | Special Events President E:co*****@ae****.com Alfred E Chase Foundation, Inc P o Box 653067, Dallas, TX 75265-3067 From: <CEO> Date: Tuesday, August 15, 2023 at 3:19 PM To: Collins Birk <co*****@ae****.com> Subject: Re: Gala Sponsorship for AEC Fund Hi Collins, I hope this letter finds you well. I wanted to express my gratitude for considering our involvement in your upcoming gala. Your organization’s cause deeply resonates with us, and we are eager to support initiatives that align with our values. After careful deliberation, I am pleased to inform you that I am choosing the Premier support level, which is at $25,000. We are excited to be part of your fundraising efforts and to support your organization’s mission. We understand the various benefits associated with each sponsorship level and would like to collaborate with you to tailor them to our company’s specific needs and goals. I did reach out to Flowers Foods, SuperValu and C&S Wholesale Grocers and other interested organizations on your behalf. They should be in touch with you soon. Thank you for considering our involvement in your gala. We eagerly anticipate a successful event. Best Regards, <CEO> From: Collins Birk <co*****@ae****.com> Date: Monday, August 14, 2023 at 10:08 AM To: <CEO> Subject: Gala Sponsorship for AEC Fund Hello <CEO>, We would like to express our heartfelt appreciation for the recent phone call. Your interest and dedication to supporting our organization’s upcoming gala are truly commendable. We are extremely grateful that you have agreed to become a sponsor for this important event. Your partnership and contribution will play a pivotal role in ensuring its success. To fulfill your request, we are pleased to provide you with a comprehensive sponsorship package. The package outlines in detail various benefits associated with each sponsorship level. Additionally, you will find valuable information about the event itself, including details about how the funds raised will be utilized to support our cause. We are genuinely excited about the opportunity to collaborate with you and your esteemed team. Together, we can customize the benefits offered to align with your company’s specific needs and goals. We firmly believe that this partnership has the potential to create a positive impact on our community, making a significant difference in the lives of those we serve. In addition, we kindly ask for an update regarding your progress with Flowers Foods, SuperValu and C&S Wholesale Grocers. Once again, we extend our deepest gratitude for your support and unwavering commitment to our cause. Thank You. Collins Birk Finance Manager | Special Events President E:co*****@ae****.com Alfred E Chase Foundation, Inc P o Box 653067, Dallas, TX 75265-3067 |
The scam email contains two PDF files. The first one is “Request for Taxpayer Identification Number and Certification”, a document containing tax information about the foundation the victim should donate. The document is used to legitimize the money request, thereby increasing the chances of success.
The second PDF file is a sort of invoice containing the money amount the victim should pay, the Bank details for the wire transfer, and an empty form that should be filled out if the user prefers to use a credit card as the payment method.
The logo on top and the email redirection shown in the document are much possibly a typo from a previous campaign, linked to the Chicago Children’s Museum.
During our investigations, we found several scam attacks having the described characteristics targeting companies in the United States, Canada, and Italy operating in the technology, financial, energy, and logistics sectors. In the following table we reported the email Subjects observed during the investigations, all of them refer to a Gala event and to a possibility of sponsorship.
| SUBJECT EXAMPLES |
| Re: Gala Premier Sponsorship for AEC Fund Re: Fw: Gala Premier Fw: Gala pledge for Eagle Lake Foundation Re: Latchman Fund Gala Pledge |
We analyzed the non-profit foundations used as bait in the various attacks, all of them really exist. So, the attacker used the real information about these foundations to legitimize the attack attempt. He registered a new domain for any of the foundations to use in the attacks. The registered domains just have set the MX record, because they are used as mail servers by the attacker.
As visible in the following table, some of the reported domains have only been active for a few days, just long enough to carry out the attack.
| FOUNDATION NAME | FAKE DOMAIN | FIRST SEEN | LAST SEEN |
| The Laskin Foundation, Inc | laskinchfinc.com | 2023-06-12 | 2023-08-24 |
| Eagle Lake Foundation, Inc | eagleake.com | 2023-08-02 | 2023-08-20 |
| The Latchman Foundation Inc. | latchmainc.com | 2023-08-02 | 2023-08-21 |
| Alfred E Chase Foundation, Inc | aechas.com | 2023-08-14 | 2023-08-16 |
Finally, analyzing the payment details reported in the second PDF file, it is possible to obtain more information about the bank used by the fraudster. For all the analyzed attacks, the attacker used a bank account registered on PNC Bank at Pittsburgh.
MITRE ATT&CK MATRIX
| TACTIC | TECHNIQUE | DESCRIPTION |
| Reconnaissance | T1593.002 | Search Open Websites/Domains: Search Engines |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| Reconnaissance | T1589.003 | Gather Victim Identity Information: Employee Names |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
INDICATORS OF COMPROMISE
| CATEGORY | TYPE | VALUE |
| MAIL-SERVER | DOMAIN | laskinchfinc.com |
| MAIL-SERVER | DOMAIN | eagleake.com |
| MAIL-SERVER | DOMAIN | latchmainc.com |
| MAIL-SERVER | DOMAIN | aechas.com |
| ATTACKER-EMAIL | EMAIL-ADDR | pa****@la********.com |
| ATTACKER-EMAIL | EMAIL-ADDR | co*****@ae****.com |
| ATTACKER-EMAIL | EMAIL-ADDR | ve******@ea******.com |
| ATTACKER-EMAIL | EMAIL-ADDR | ma****@la**********.com |
