Company Says West African Group Used Homoglyph Techniques to Trick Victims
Microsoft has announced the takedown of 17 domains that a threat group operating out of West Africa used to host fake Microsoft websites when conducting business email compromise attacks.
“Sophisticated cybercriminals have engaged in a complex scheme to target Microsoft’s O365 customers and services and conduct malicious activity including business email compromise attacks, using stolen credentials to access O365 customer email accounts, imitate customer employees, and target their trusted networks, vendors, contractors and agents in an effort to deceive them into sending or approving fraudulent financial payments,” Microsoft says in court documents.
Microsoft’s Digital Crimes Unit received a court order on July 16 from the U.S. District Court Eastern District of Virginia that forced domain registrars to disable service on the malicious domains used by the cybercrime gang, the company says.
Once Microsoft had the court order in hand, 17 domains were immediately taken down, the company says. The domains’ names were almost identical to proper Microsoft corporate websites.
“As we continually explore new ways to combat emerging trends and techniques to better protect our customers, we filed this case to target the use of ‘homoglyph’ – or imposter – domains that are increasingly being used in a variety of attacks,” the company says.
The court order also prohibits the domain owners from shifting their malicious infrastructure outside the Microsoft ecosystem and onto third-party services in an attempt to continue their illegal activities, Microsoft says.
“With this case, we secured an order which eliminates the defendants’ ability to move these domains to other providers. The action will further allow us to diminish the criminals’ capabilities and, more importantly, obtain additional evidence to undertake further disruptions inside and outside court,” Microsoft says.
The attacks were launched by what Microsoft describes as a financially motivated group comprising at least two individuals that operated with two third parties. The group, which Microsoft did not name, is likely part of a larger network based in West Africa, and the victims were primarily small businesses in several sectors in North America.
In its complaint filed with the court, Microsoft named the Phoenix-based NameSilo LLC, Germany-based Key-Systems GmbH and Reston, Va.-based Verisign, Inc. as the domain name registrars used by the group to create the imposter domains.
Microsoft Takes Action
The latest takedown move marks the 24th time Microsoft has used legal proceedings to take action against malware or nation-state APT groups since the company began collaborating with law enforcement and other partners in 2010, the software giant reports.
In June, the Microsoft 365 Defender research team said it had “disrupted a large-scale business email compromise infrastructure hosted in multiple web services” (see: Behind the Scenes of a Business Email Compromise Attack).
BEC losses totaled $1.7 billion in 2019, according to the most recent FBI Internet Crime Report.
A Homoglyph Attack
In announcing the latest takedown, Microsoft said the primary tactic used by the cybercriminals was registering a domain that replaces a single character or number in a legitimate Microsoft website URL with one that looks almost identical. This allows a malicious link in an email to appear legitimate to the reader, Microsoft says.
For example, the BEC gang would replace the letter “O” with the number 0 (MICROSOFT.COM vs. MICR0S0FT.COM), making it almost impossible for a casual reader to spot, the company says.
“These malicious homoglyphs exploit similarities of alphanumeric characters to create deceptive domains to unlawfully impersonate legitimate organizations,” Microsoft says. “We continue to see this technique used in business email compromise, nation-state activity, malware and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks.”
Microsoft offered details on one particular attack it investigated that it believes is emblematic of other BEC attacks launched by the West African gang.
The attackers first used Office 365 login credentials, stolen through phishing emails, to gain access to a victim’s environment. Once inside, the group performed the reconnaissance and intelligence gathering necessary to impersonate one of the victim’s customers.
“In this instance, the criminals identified a legitimate email communication from the compromised account of an Office 365 customer referencing payment issues and asking for advice on processing payments,” Microsoft says.
The attackers then created an email purportedly from one of the victim’s customers. To make it appear as legitimate as possible, the attackers copied the content, subject line, format and the sender’s name from an old email from that customer.
The only obvious change was a line added to the original body of the email requesting payment for an unpaid bill and that it be paid to its “international subsidiary,” followed by the account details needed to make the payment.
This made it appear as if the new email was merely a continuation of the older conversation, Microsoft says. The attackers sent the email from one of the imposter homoglyph domains.
“The only difference between the genuine communication and the imposter communication was a single letter changed in the mail exchange domain, done to escape notice of the recipient and deceive them into believing the email was a legitimate communication from a known trusted source,” Microsoft says.
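A defender-side check for the two tricks the article describes: the homoglyph substitution in a brand domain (MICR0S0FT.COM for MICROSOFT.COM) and the single-letter change in a known vendor's mail domain that the imposter invoice email relied on. This is an added example written for this article, not Microsoft's code or tooling. The trusted-domain list, the confusable-character table and the sample From: headers are constructed for illustration, and the `.example` domains are placeholders.

```python
"""Flag sender domains that look like a trusted domain but are not.

Added example, not Microsoft's code.  Trusted domains, the confusables table
and the sample headers are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Characters that render like an ASCII letter.  A constructed subset; a real
# deployment would load the full Unicode confusables table (UTS #39).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small e
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
}
# Two-letter sequences that read as one letter in most fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}

# Constructed list of domains the organisation treats as known senders.
TRUSTED_DOMAINS = ["microsoft.com", "acme-supplies.example"]

# Constructed From: headers standing in for real mail traffic.
SAMPLE_FROM_HEADERS = [
    "Microsoft Accounts <billing@microsoft.com>",
    "Microsoft Accounts <billing@MICR0S0FT.COM>",       # 0 for O
    "Microsoft Accounts <billing@m\u0456crosoft.com>",  # Cyrillic i
    "Acme Billing <ap@acme-supplies.example>",
    "Acme Billing <ap@acrne-supplies.example>",         # rn for m
    "Acme Billing <ap@acme-suppliers.example>",         # one letter added
    "Newsletter <news@totally-different.example>",
]


def skeleton(domain: str) -> str:
    """Reduce a domain to its visual 'skeleton' so look-alikes collide."""
    s = unicodedata.normalize("NFKC", domain).casefold()  # fullwidth -> ASCII etc.
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop diacritics
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in DIGRAPHS.items():
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: List[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, closest trusted domain).

    trusted   - exact match after case folding
    homoglyph - identical once confusable characters are normalised
    lookalike - within one edit of a trusted domain (single letter changed)
    unknown   - no close match; not necessarily malicious, just not trusted
    """
    d = domain.casefold()
    for t in trusted:
        if d == t.casefold():
            return "trusted", t
    sk = skeleton(d)
    for t in trusted:
        if sk == skeleton(t):
            return "homoglyph", t
    for t in trusted:
        if edit_distance(sk, skeleton(t)) <= 1:
            return "lookalike", t
    return "unknown", None


def check_from_header(from_header: str, trusted: List[str]) -> Tuple[str, str, Optional[str]]:
    """Parse a From: header and classify its domain; returns (domain, verdict, match)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "", "unknown", None
    domain = addr.rpartition("@")[2].casefold()
    verdict, match = classify_domain(domain, trusted)
    return domain, verdict, match


if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        domain, verdict, match = check_from_header(hdr, TRUSTED_DOMAINS)
        print(f"{verdict:10} {domain:26} closest trusted: {match}")
```

The skeleton comparison is what catches the 0-for-O and Cyrillic cases; the edit-distance pass is what catches the "single letter changed in the mail exchange domain" that the invoice email used, which a skeleton alone would miss. Anything flagged `homoglyph` or `lookalike` against a domain the organisation actually does business with is worth quarantining or routing for review, since legitimate mail from a near-twin of a known vendor is rare. A production version would also decode punycode (IDNA) labels before skeletonising and apply the same check to Reply-To and the envelope sender, not just From:.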