These devious cybercriminals impersonate law firms to steal your data

A laptop showing lots of email notifications
(Image credit: Shutterstock)

Cybersecurity researchers have spotted crooks impersonating major law firm powerhouses to try and trick people into making payments for bogus work. 

Experts from Abnormal Security uncovered a brand new Business Email Compromise (BEC) attack, conducted by a threat actor dubbed Crimson Kingsnake.

In the attack, the threat actors would send out an email, pretending to be one of a number of large American law firms, requesting payment for work that was allegedly done months ago. 

Talking to themselves

The targets are most likely chosen at random, in what researchers describe as “blind BEC attacks” - so in other words, the attackers would cast a wide net and see what sticks.

The email itself is quite meticulously crafted, using big names such as Kirkland & Ellis, Sullivan & Cromwell, and Deloitte. Obviously, it’s typosquatted (the email address is almost identical to the authentic email belonging to the impersonated law firm, but not quite identical), but the body holds all the right logos and letterheads. It’s also punctual, which is not a feature we usually see in BEC and phishing attacks.

It gets even more interesting when the victim challenges the attacker. Should they question the work, the payment, or anything else of the sorts, the attackers would add in a third persona, a fake executive from the target firm, who would then “confirm” the authenticity of the request, and “approve” the payment.

"When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company," the report reads. 

“When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we've observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and “authorizes” the employee to proceed with the payment."

Despite everyone’s best efforts, phishing emails and business email compromise attacks are still one of the most popular ways for cybercriminals to conduct their raids. Employees on the receiving end of these emails are often reckless, overworked, or distracted, doing things they wouldn’t normally do, including making wire transfers, downloading attachments, signing into services through links provided in the email, etc. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Phishing
Corporate executives are being increasingly targeted by AI phishing scams
Shopping scams
New wave of sextortion scams uses personal details and images to intimidate targets while bypassing traditional security measures
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Red padlock open on electric circuits network dark red background
Aviation firms hit by devious new polyglot malware
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does