Doppelganger campaigns and wire transfer fraud

Number: IN17-004
Date: 18 October 2017

Purpose

The purpose of this Information Note is to draw attention to doppelganger campaigns and wire transfer fraud.

Recently, there has been a significant increase in the number of partner-reported doppelganger domains. In most cases, these domain names were linked to attempted wire transfer fraud. Wire transfer fraud is becoming increasingly common, both in Canada and abroad, and can result in substantial financial losses to the affected organizations. There are a number of different tactics employed to perpetrate wire transfer fraud, including the use of domains that mimic those of your organization. This Information Note describes one such tactic: doppelganger domains.

Assessment

Wire Transfer Fraud / Business Email Compromise

Wire transfer fraud is a scam where criminals use social engineering techniques and other deceptive practices to convince organizations to initiate wire transfers. Deceptive email domains or the compromised accounts of senior executives are often used to send fraudulent invoices to those within the organization who are responsible for authorizing wire transfers. Unlike traditional phishing scams, emails associated with wire fraud are unlikely to set off spam filters because they are targeted and not mass e-mailed.

The individuals behind the scams frequently research employees’ responsibilities using open source reconnaissance techniques so that they understand the corporate structure of their target. For example, a malicious actor may inspect an organization’s website, such as the contacts page. Using the information listed on the organization’s website, the actor can send a fraudulent email to the finance person, pretending to be another individual within the organization asking for a financial transaction.

How do social engineering tactics work?

Social engineering, in the context of cyber security, involves using psychological techniques to manipulate someone into performing a desired action, such as clicking on a malware-embedded attachment. To conduct malicious cyber activities involving social engineering, threat actors can conduct reconnaissance to better craft their techniques for targeting intended victims. In the course of such reconnaissance, they may gather information available on an organization's website, partner websites, and/or social media sites to understand an organization’s hierarchical structure. They may also use business cards, conference registration information, or information obtained from a previous cyber compromise to obtain details of an organization's objectives, projects, contracts, partners and customers.

Companies with international business dealings are more likely to be targeted since transfers to overseas banks are commonplace. Large or mid-sized companies are also frequently targeted, due to these companies having a high volume of invoicing activity between large numbers of resellers/distributors. One technique that appears to be increasingly employed as part of wire transfer frauds involves making use of a “doppelganger domain name” to make the e-mail sent by threat actors appear to come from a reliable source.

What is a doppelganger domain name campaign?

A doppelganger domain name is a legally registered domain name created by threat actors to appear almost identical to the legitimate domain name of a targeted organization. In most cases, these doppelganger domain names were linked to attempted wire transfer fraud. A doppelganger domain name can facilitate such activity because it could be mistaken as legitimate by those within the organization responsible for authorizing wire transfers. For example, a malicious actor could register “my0rganization.ca” (where the “o” is a zero) in an attempt to deceive users of “myorganization.ca”.

The fact that threat actor reconnaissance appears to involve collecting information about an organization, and the people who work there, also suggests that organizations may wish to review how much, and what, information they make available through the corporate website. As well, since social media appears to be one source harvested for company information, organizations may also wish to consult the Office of the Privacy Commissioner of Canada’s tips for “Protecting your Privacy Online” for strategies that can be used to help mitigate against personal information being used for fraudulent activity.

Suggested action

CCIRC recommends that organizations review the following mitigation suggestions:

  • Have a recovery plan in case of fraudulent transfer:
    • Consult with your financial institution for advice.
    • Prepare and maintain a list of contacts.
    • Prepare and maintain instructions on reporting a fraudulent transfer.
  • If funds are transferred to a fraudulent account, it is important to act quickly:
    • Consult with your financial institution for advice on dealing with fraudulent transfers.
    • Contact your financial institution immediately upon discovering the fraudulent transfer and request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
    • Contact your local law enforcement.
  • Err on the side of caution when dealing with requests for large financial transactions. Ask for confirmation.
  • Validate the transaction by initiating a new email thread using known good contact information or by using a trusted phone number.
  • Implement a dual-signature system with dual-authentication, requiring at least two authorized signatures from two different personnel for wire transfers. This method can greatly enhance the legitimacy of each wire transfer and ensure the requests are appropriate. The dual-authentication (the use of a security token) system can prevent the use of falsified signatures.
  • Consider registering internet domains that are similar to the domain used by your organization or block them at your network perimeter.
  • Review existing email logs for sender/recipient anomalies.
  • Conduct a regular review and audit of wire transfer transactions. This can allow organizations to spot fraudulent transactions they didn’t approve, allowing them to react more quickly.
  • Since doppelganger domain names are often used as part of phishing campaigns, it is also worth looking at the steps your organization could take to increase cyber security awareness among employees:
    • Do not answer suspicious emails or provide any confidential information requested in emails even if they appear legitimate. If uncertain, speak to a supervisor.
    • Do not click on any links in suspicious emails.
    • Do not forward the email to others. If you need to show it to a supervisor, ask them to come and see it on your screen or print it out.
    • If a suspicious email appears to be from a recognized organization or client, contact the legitimate client or organization through another means of communication (e.g., by phone and not using the contact information in the email you received but rather from previously established contact lists) and ask if they sent such an email.
  • Most often, attacks of this type are detected by diligent and well-informed users. CCIRC recommends that organizations ensure users receive situational awareness training, including instructions on how to report unusual or suspicious e-mails to their IT security branch. Reviewing departmental policies, requirements and security education and awareness training can help reduce this risk.
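The following script is an added example, not part of this Information Note and not a CCIRC tool. It illustrates two of the suggestions above in working code: enumerating the lookalike variants of your own domain (the candidates you might register or block at the perimeter) and reviewing email logs for senders that use one of those variants. It assumes the organization's domain is “myorganization.ca”, as in the note's example; the log format and the log lines themselves are constructed for the example.

```python
"""Enumerate doppelganger variants of an organization's domain and flag
email senders that use one. Added example; not CCIRC code.

Assumptions (constructed for this example): the protected domain is
myorganization.ca and the log lines follow a simple
'from=<addr> to=<addr>' format.
"""

import re
from typing import Dict, List, Set, Tuple

# Visually confusable substitutions commonly seen in lookalike registrations.
HOMOGLYPHS: Dict[str, List[str]] = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "g": ["9"], "m": ["rn"], "w": ["vv"],
}


def doppelganger_variants(domain: str) -> Set[str]:
    """Return lookalike domains for `domain`.

    Only the label left of the TLD is mutated: homoglyph swaps, single
    character omissions, adjacent transpositions and a doubled character.
    The legitimate domain itself is never returned.
    """
    label, _, tld = domain.lower().rpartition(".")
    variants: Set[str] = set()
    for idx, ch in enumerate(label):
        # Homoglyph substitution, e.g. "o" -> "0" gives my0rganization.
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:idx] + sub + label[idx + 1:])
        # Omitted character.
        variants.add(label[:idx] + label[idx + 1:])
        # Doubled character.
        variants.add(label[:idx] + ch + ch + label[idx + 1:])
        # Transposition with the next character.
        if idx + 1 < len(label):
            variants.add(label[:idx] + label[idx + 1] + ch + label[idx + 2:])
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


# Constructed log format: a timestamp, then from=<...> and to=<...>.
LOG_LINE = re.compile(r"from=<[^@>]+@(?P<sender>[^>]+)>")


def flag_lookalike_senders(log_lines: List[str],
                           domain: str) -> List[Tuple[int, str]]:
    """Return (line number, sender domain) for each log line whose sender
    domain is a doppelganger of `domain`. Lines that do not match the
    expected format are skipped rather than treated as errors."""
    lookalikes = doppelganger_variants(domain)
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(log_lines, start=1):
        match = LOG_LINE.search(line)
        if not match:
            continue
        sender = match.group("sender").lower()
        if sender in lookalikes:
            hits.append((number, sender))
    return hits


# Constructed sample log; line 2 uses a zero for "o", line 4 transposes "io".
SAMPLE_LOG = [
    "2017-10-18T09:12:01 from=<cfo@myorganization.ca> to=<ap@myorganization.ca> subject=Q3 invoices",
    "2017-10-18T09:15:44 from=<cfo@my0rganization.ca> to=<ap@myorganization.ca> subject=URGENT wire",
    "2017-10-18T09:20:10 from=<vendor@example.com> to=<ap@myorganization.ca> subject=Invoice 4411",
    "2017-10-18T09:31:07 from=<ceo@myorganizatoin.ca> to=<ap@myorganization.ca> subject=Re: transfer",
]

if __name__ == "__main__":
    for number, sender in flag_lookalike_senders(SAMPLE_LOG, "myorganization.ca"):
        print(f"line {number}: sender domain {sender} looks like myorganization.ca")
```

The variant generator deliberately produces many candidates; in practice you would feed them to a WHOIS or DNS lookup to see which are already registered by someone else, register the ones that matter, and block the rest at the mail gateway. Matching sender domains exactly against the variant set keeps false positives low, since legitimate mail from the real domain is never in that set.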
