Doppelganger Campaigns and Wire Transfer Fraud

Number: IN17-004
Date: 18 October 2017


The purpose of this Information Note is to draw attention to Doppelganger Campaigns and Wire Transfer Fraud.

Recently, there has been a significant increase in the number of partner-reported doppelganger domains. In most cases, these domain names were linked to attempted wire transfer fraud. Wire transfer fraud is becoming increasingly common, both in Canada and abroad, and can result in substantial financial losses to the affected organizations. There are a number of different tactics employed to perpetrate wire transfer fraud, including the use of domains that mimic those of your organization. This Information Note describes one such tactic: doppelganger domains.


Wire Transfer Fraud / Business Email Compromise

Wire transfer fraud is a scam where criminals use social engineering techniques and other deceptive practices to convince organizations to initiate wire transfers. Deceptive email domains or the compromised accounts of senior executives are often used to send fraudulent invoices to those within the organization who are responsible for authorizing wire transfers. Unlike traditional phishing scams, emails associated with wire fraud are unlikely to set off spam filters because they are targeted and not mass e-mailed.

The individuals behind the scams frequently research employees’ responsibilities using open source reconnaissance techniques so that they understand the corporate structure of their target. For example, a malicious actor may inspect an organization’s website, such as the contacts page. Using the information listed on the organization’s website, the actor can send a fraudulent email to the finance person, pretending to be another individual within the organization asking for a financial transaction.

How do social engineering tactics work?

Social engineering, in the context of cyber security, involves using psychological techniques to manipulate someone into performing a desired action, such as clicking on a malware-embedded attachment. To conduct malicious cyber activities involving social engineering, threat actors can conduct reconnaissance to better craft their techniques for targeting intended victims. In the course of such reconnaissance, they may gather information available on an organization's website, partner websites, and / or social media sites to understand an organization’s hierarchical structure. They may also use business cards, conference registration information, or information obtained from a previous cyber compromise to obtain details of an organization's objectives, projects, contracts, partners and customers.

Companies with international business dealings are more likely to be targeted since transfers to overseas banks are commonplace. Large or mid-sized companies are also frequently targeted, due to these companies having a high volume of invoicing activity between large numbers of resellers/distributors. One technique that appears to be increasingly employed as part of wire transfer frauds involves making use of a “doppelganger domain name” to make the e-mail sent by threat actors appear to come from a reliable source.

What is a doppelganger domain name campaign?

A doppelganger domain name is a legally registered domain name that has been created by threat actors because it appears to be almost identical to the legitimate domain name of a targeted organization. In most cases, these doppelganger domain names were linked to attempted wire transfer fraud. A doppelganger domain name can facilitate such activity because it could be mistaken as legitimate by those within the organization responsible for authorizing wire transfers. For example, a malicious actor could register “” (where the “o” is a zero) in an attempt to deceive users of “”.
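
One way a mail or security team could screen inbound sender domains for the doppelganger pattern described above, as an added example that is not part of the original Information Note. The domain names are constructed samples, and the substitution table and distance threshold are assumptions chosen for illustration.

```python
# Added example: screen sender domains for look-alikes of a protected domain.
# All domain names are constructed samples; the substitution table and the
# distance threshold are illustrative assumptions, not an exhaustive list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(domain: str) -> str:
    """Lower-case a domain and fold look-alike characters onto one form."""
    s = domain.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, replace, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender: str, protected: str, max_distance: int = 1) -> str:
    s, p = sender.strip().lower().rstrip("."), protected.lower()
    if s == p or s.endswith("." + p):
        return "legitimate"                      # the domain itself or a subdomain
    if skeleton(s) == skeleton(p):
        return "lookalike: character substitution"
    if edit_distance(skeleton(s), skeleton(p)) <= max_distance:
        return "lookalike: near match"           # typo, swap, extra or missing char
    return "unrelated"

PROTECTED = "examplecorp.com"                    # constructed
SENDERS = ["examplecorp.com", "mail.examplecorp.com", "examplec0rp.com",
           "exarnplecorp.com", "exampelcorp.com", "examplecorps.com",
           "partner-bank.example"]               # constructed

def triage(senders=SENDERS, protected=PROTECTED) -> dict:
    return {d: classify(d, protected) for d in senders}

if __name__ == "__main__":
    for domain, verdict in triage().items():
        print(f"{domain:24} {verdict}")
```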

The fact that threat actor reconnaissance appears to involve collecting information about an organization, and the people who work there, also suggests that organizations may wish to review how much, and what, information they make available through the corporate website. As well, since social media appears to be one source harvested for company information, organizations may also wish to consult the Office of the Privacy Commissioner of Canada’s tips for “Protecting your Privacy Online” for strategies that can be used to help mitigate against personal information being used for fraudulent activity.

Suggested Action

CCIRC recommends that organizations review the following mitigation suggestions:


Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
