The Crimson Kingsnake threat actor has been using typo-squatted domains to send out emails impersonating top law firms. The group uses the domains to create fake email addresses and carries out Business Email Compromise (BEC) attacks by sending emails to recipients across the world. The emails include a fake invoice directing payments to a threat actor-controlled bank account. The invoices include the letterhead and logos of the impersonated firms, and the domains appear to be legitimate at first glance. According to researchers at Abnormal Security, the impersonated firms include:
- Allen & Overy
- Clifford Chance
- Deloitte
- Dentons
- Eversheds Sutherland
- Herbert Smith Freehills
- Hogan Lovells
- Kirkland & Ellis
- Lindsay Hart
- Manix Law Firm
- Monlex International
- Morrison Foerster
- Simmons & Simmons
- Sullivan & Cromwell
There are no specific industries or countries that these attacks are targeting. If the recipient is reluctant for any reason, the group will go a step further and either provide a fake description for a service or insert a reply from an executive that is approving the transaction.
Analyst Notes
BEC attacks account for a very small percentage of phishing emails that are targeting companies worldwide yet is still a multibillion-dollar issue. Organizations should adapt policies to prevent BEC scams from being executed, including a verification process for all business transactions or money transfers. Because it is so easy for a threat actor to set up a typo-squatted domain, this verification should take place in person or over the phone. Companies can work to prevent being impersonated in attacks like these by employing a service such as the Binary Defense Counterintelligence team, who looks for and identifies newly registered domains that appear similar to the legitimate ones.
https://www.bleepingcomputer.com/news/security/new-crimson-kingsnake-gang-impersonates-law-firms-in-bec-attacks/
