Beware of Agreement Fraud: Scammers Targeting CEOs with Agreement Draft
Posted on: 14 Apr 2023 | Author: Foresiet
Phishing campaigns aimed at top-level executives are on the rise. In this technical blog post, we will delve into a particular type of CEO phishing scam that employs an attachment containing an agreement draft. We will examine the attack's technical aspects and suggest preventive measures that businesses can adopt to safeguard themselves.
This form of phishing attack typically begins with the attacker conducting research on the targeted company to gather information about their financial practices and operations. Once they have the necessary details, the attacker proceeds to send an email to the CEO, masquerading as a representative of a potential business partner.
The phishing email includes an attachment that looks like a genuine draft agreement between the two companies. The attachment name is designed to look legitimate. The attacker requests that the CEO review and sign the agreement and return it to the sender via email.
The attacker uses several technical tactics to make the phishing email and attachment appear legitimate and avoid detection. Some of these techniques include:
The attacker utilizes email spoofing, a method of manipulating the email header to make it seem like the email originated from a legitimate source, such as a representative of a potential business partner.
The attacker designs the attachment to look like a legitimate draft agreement between the two companies. However, the attachment contains an obfuscated payload that is executed once the CEO opens the attachment.
- Deobfuscated Code
- The CEO’s email address is hardcoded into the code to lend legitimacy
- Phishing web page with the CEO’s email address hardcoded
- After a random password is entered, the page shows "Incorrect password"
- The web page shows the "Incorrect password" message until the "Sign In" button has been clicked 3 times. After more than 3 clicks, it redirects to the legitimate Microsoft Office 365 domain.
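A static triage check for the attachment traits listed above, as an added example (not code from the original post or from Foresiet). It assumes the attachment is an HTML file whose script hides the page inside `atob()`/`unescape()` literals; the function names, the `MS_HOSTS` list and the sample input are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Assumption: hosts counted as "legitimate Microsoft" redirect targets.
MS_HOSTS = ("office.com", "microsoftonline.com")
DECODER = re.compile(r"\b(atob|unescape|eval|String\.fromCharCode|document\.write)\s*\(")
ATOB_ARG = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]{16,})["']""")
UNESCAPE_ARG = re.compile(r"""unescape\(\s*["']((?:%[0-9A-Fa-f]{2}|[^"'%])+)["']""")
PASSWORD = re.compile(r"""<input[^>]+type\s*=\s*["']?password""", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def peel_layers(html, max_depth=3):
    """Return the raw markup plus each layer recovered from atob()/unescape() literals."""
    layers, queue = [], [(html, 0)]
    while queue:
        text, depth = queue.pop()
        layers.append(text)
        if depth >= max_depth:
            continue
        for blob in ATOB_ARG.findall(text):
            try:
                queue.append((base64.b64decode(blob).decode("utf-8", "replace"), depth + 1))
            except ValueError:  # not valid base64, leave it alone
                pass
        for blob in UNESCAPE_ARG.findall(text):
            queue.append((unquote(blob), depth + 1))
    return layers


def triage(html, recipient):
    """Report the lure traits found in an HTML attachment addressed to `recipient`."""
    layers = peel_layers(html)
    joined = "\n".join(layers)
    hosts = {h.lower().rstrip(".") for h in URL_HOST.findall(joined)}
    return {
        "decoder_calls": sorted(set(DECODER.findall(joined))),
        "hidden_layers": len(layers) - 1,
        "recipient_hardcoded": recipient.lower() in joined.lower(),
        "password_field": bool(PASSWORD.search(joined)),
        "microsoft_redirect": any(h == m or h.endswith("." + m) for h in hosts for m in MS_HOSTS),
    }


# Constructed sample: an inert fragment wrapped in one base64 layer, recipient is a placeholder.
INNER = ('<input value="ceo@example.com"><input type="password">'
         '<script>if (clicks > 3) location.href = "https://www.office.com/";</script>')
SAMPLE = '<script>document.write(atob("%s"))</script>' % base64.b64encode(INNER.encode()).decode()
```

Calling `triage(SAMPLE, "ceo@example.com")` reports the recipient address and password field only because the base64 layer is decoded first; a plain string search over the raw attachment finds neither.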
The attacker uses social engineering techniques to create a sense of urgency and pressure the CEO to sign the agreement quickly without seeking approval from anyone else in the company.
To avoid becoming a victim of phishing scams that involve agreement draft attachments, organizations should implement several preventive measures, such as:
Agreement Draft Attachment:
Verifying the credibility of email attachments, particularly those containing legal documents, is crucial. If you receive an attachment that appears to be a draft agreement, take the following steps:
Phishing schemes that target CEOs and other high-ranking executives are becoming more frequent. To stay safe, it is critical to remain cautious and keep up to date with the latest phishing techniques and trends. Organizations can lessen the risk of becoming a victim of phishing attacks by implementing preventive measures such as security awareness training, enforcing rigorous security policies and procedures, and using advanced technologies like email filtering and malware detection software. It is also crucial to verify the credibility of email attachments, particularly those that include legal documents.
Indicator of compromise: