Published: September 13, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
The Microsoft Threat Intelligence Center (MSTIC) recently published a new blog on the sustained campaign of phishing and credential theft by the threat actor SEABORGIUM. This campaign has persistently targeted larger organizations over long periods of time. That debunks the idea, held by some, that cybercriminals get into an organization and right back out. In fact, it is becoming more common for them to sneak in under the radar and wait for long periods, sometimes years, before they attack.
In this situation, SEABORGIUM often researches individuals in an organization to attempt to gain access. It is common for the group to use anything published on the Internet to do this. That includes LinkedIn, Facebook, Twitter, Instagram, TikTok, and anything else where a targeted individual may post information. These criminals are known to identify legitimate contacts in the target organization’s corporate network through such social media platforms, personal directories, and information found by any other open-source method.
The above image is an example phishing email where the actor impersonates the lead of an organization and emails select members of the organization with a cybersecurity themed lure.
Their process works like this:
1. The opening exchange with the target is often a benign email referencing an attachment that doesn’t exist.
2. The target opens the email and is directed to an actor-controlled server hosting a phishing framework.
3. The target reaches a final page where there is a prompt for authentication, mirroring the sign-in page for a legitimate provider and intercepting any credentials.
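As an added illustration of the lure pattern above (this is not code from Microsoft's blog or from this newsletter), here is a small defender-side triage check in Python: it flags a message that refers to an attachment it does not actually carry while linking to a sign-in host outside an allow-list. The allow-list of trusted login hosts and both sample messages are constructed for the example.

```python
"""Heuristic triage for the 'phantom attachment plus external sign-in link'
lure. Added example; trusted hosts and sample messages are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allow-list of the organization's legitimate sign-in hosts.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "example-corp.okta.com"}
ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def triage(raw_message: str) -> dict:
    """Return triage signals for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # A real attachment is a MIME part with a filename; the lure has none.
    has_attachment = any(p.get_filename() for p in msg.iter_attachments())
    mentions_attachment = bool(ATTACHMENT_WORDS.search(text))
    links = URL_RE.findall(text)
    untrusted = [u for u in links if urlparse(u).hostname not in TRUSTED_LOGIN_HOSTS]
    # All three signals together match the pattern described in the text.
    suspicious = mentions_attachment and not has_attachment and bool(untrusted)
    return {"mentions_attachment": mentions_attachment,
            "has_attachment": has_attachment,
            "untrusted_links": untrusted,
            "suspicious": suspicious}


# Constructed sample: impersonated leader, phantom attachment, external link.
LURE = """From: ceo@example-corp.com
To: staff@example-corp.com
Subject: Cybersecurity briefing
Content-Type: text/plain

Please review the attached briefing. If the attachment does not open, use
https://secure-docs-review.example/login
"""

# Constructed sample: ordinary notice pointing at the trusted sign-in host.
BENIGN = """From: it@example-corp.com
To: staff@example-corp.com
Subject: Password policy
Content-Type: text/plain

Reminder: sign in at https://login.microsoftonline.com to update your password.
"""
```

Run `triage(LURE)["suspicious"]` to see the lure flagged and `triage(BENIGN)["suspicious"]` to see the notice pass; the allow-list is the part to replace with your own providers.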
This type of attack is often associated with business email compromise (BEC). While BEC attacks often involve a large wire transfer into a thief’s account, they can also include phishing email messages that attempt to collect other details that eventually lead to BEC. The FBI has reported that BEC attacks now top ransomware in terms of total losses for organizations, to the tune of $2.4 billion in 2021 compared to a “measly” $49.2 million for ransomware attacks.
Who is SEABORGIUM?
This group is a highly persistent threat actor that frequently targets the same organizations and stays inside them for long periods of time. According to the Microsoft blog, its “intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries.” Once it successfully gets in, it slowly infiltrates the targeted organization’s social networks through constant impersonation, rapport building, and phishing to deepen its intrusion.
This threat actor targets particular organizations and sectors, or individuals within them, rather than the general public. Always be conservative about what information is shared with the public, whether on social media, business networking sites, or even webpages. Try to be general about your role rather than posting a title. And always be on the lookout for phishing. There is no such thing as a small phish when it comes to BEC.