It's been a while since I've done one, so let's close out this week with a #FunWithPhishers thread! This is a recent active defense engagement with a #BEC actor that takes a bunch of twists and turns and even has a little #COVID19 flair!

ENJOY!
Meet Keegan. Keegan is a fake accounts payable specialist at a fake company.

Meet David. David is a scammer posing as the CEO at our fake company.

Fake David wants Keegan to mail a check to a "vendor" and includes a W-9 and invoice for the payment.
You might be thinking to yourself, "A check? Didn't I hear something recently about a #BEC group that liked to ask for checks?"

That's because this actor is part of Exaggerated Lion, a group my team at @AgariInc recently published a report on! https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-exaggerated-lion.pdf
Here's a look at the fake invoice and W-9. If you've read our Exaggerated Lion report, you know the logo on the fake invoice is a distinct characteristic of an Exaggerated Lion #BEC attack.
Unfortunately, this damn pandemic has made Keegan's job more difficult and check payments are prohibited until our fake company's office re-opens. Fake David is happy to wait or he could, I don't know, just give us a mule account to try. 😉
Due to #COVID19, the "vendor" is having issues with his account, so we need to go more "digital" and use bitcoin instead of a wire transfer (because that's how most legitimate business transactions are handled these days, right?).
This bitcoin wallet has actually had a little activity since early-March. Looks like mostly receiving BTC from mixers? https://www.blockchain.com/btc/address/3DC1T6zxUxkTecyC5LXszutewfbJmmbRF2
Being the CEO of our fake company, David should know bitcoin isn't a valid form of payment to our fake vendors! He'll need to get a bank account from them to complete this transaction.

Will he do it? My Magic 8-ball tells me, "Outlook good." 🙂
Of course! Fake David was able to wrangle a viable bank account out of our fake vendor.

But of course it's another actual business account, it's their...personal assistant's bank account?? 🤷‍♂️
Ooh, sadly for Fake David, the account he got was flagged for..."reasons."

Perhaps the vendor has another account they can try?
Good news! Fake David's vendor has another backup account they can use! This time the account holder has a distinctly Nigerian-sounding name. Hmmmmmm.....🤔
Keegan, being the amazing finance specialist she is, got the payment to "go through" this time! She really is an amazing asset to our fake company and really goes the extra mile to get things done!

With that taken care of, we're probably all done here, right?
WRONG! Fake David has more work for Keegan. Now he generously wants her to buy some gift cards for our fake company's employees for "personal shopping online from their homes" because of #COVID19. How kind!
Keegan's curious about where she's supposed to be buying these gift cards. Shouldn't this be a job for Fake David's executive assistant and not someone in the accounts payable department?
Wow, so many questions here!

You'd think employees could use some Amazon gift cards, but nope, Fake David wants to get them eBay gift cards?

Buy them from the actual eBay website? Nope, Fake David gives Keegan three completely random websites where she can find them. 🤷‍♂️
Keegan is as shocked as we were. $15,000 in gift cards???

(BTW, this was the largest #BEC gift card request we have ever seen!)
Thanks for doing the math for us Fake David! 🧮
Keegan is amazed at Fake David's generosity. She must know, how is he going to divvy these up??
Ugh, really Fake David? You're going to hand these gift cards out RANDOMLY???
Keegan recognizes how ridiculous Fake David's answer is and gives him a few ideas.

Fake David likes Keegan's suggestions and decides that all of these eBay gift cards will be given to employees at our fake company based on merit.
Since Keegan has been Employee of the Month four months in a row, of course she expects one of these huge eBay gift cards. Good thing too because she's had her eye on some vintage records, a Goonies Funko, and a used iPhone (you know, the necessities during a pandemic).
Fake David goes a little schizophrenic here. First, he promises Keegan a gift card, then he gives her a little sass for not buying the gift cards fast enough.

He's also realized the first payment hasn't gone through yet and he's reverting to the original check request. 🙄
#COVID19 must be messing with Fake David's memory because Keegan has to remind him that she won't be able to mail a check out until the non-existent office opens back up. Pay attention Fake David!!!
Fake David must be running low on mule accounts because he's back on the bitcoin train again! Nice touch saying it's "very important for us to go more digital during this period." Could have sworn a wire transfer was "digital," but 🤷‍♂️.
Meet Tonya. She's Keegan's boss who confirms that bitcoin is obviously not a valid option for paying a vendor. Fake David really should have checked with Keegan before going rogue and telling the fake vendor we could pay them with cryptocurrency. 🙄
Nope, not suspicious at all. Now Fake David wants to use Western Union and MoneyGram "thrice" to wrap this payment up. Methinks someone is getting a smidge desperate. 😏
Sure Fake David. Just send us the information for the mule you'd like to receive the money and we'll see what Tonya says.

Checked my Magic 8-ball again: "My sources say no." 😬
Thanks Fake David for your mule's physical address. Tonya still thinking about it...
Damn! Really thought there was a chance Tonya would approve Western Union and MoneyGram as an acceptable form of payment to a vendor. 😂

But seriously though, let's just blame these issues on the coronavirus!
Proving Fake David's mule account supply is running low, he's going back to the original two accounts he's already given us. 🙄

What is it they say again about doing the same thing over and over and expecting a different result?
As expected, no dice. But maybe, just maybe, if Fake David sends over the addresses for these mules, it might help move things along! 😏
Sorry Fake David. You've already given us this mule's location. Clearly, this one won't work!

(NOTE: The name and address provided is a match for an actual person. Likely a romance scam victim that has been converted to a mule.)
Keegan is trying so hard, but nothing's working! I guess Fake David is going to have to keep handing over more mule info! 😉
Fake David sends over another address which, based on some quick searches, clearly doesn't match up with the name on the account. Obviously this won't work!!! 🤣
Keegan is getting pretty frustrated with Fake David. This vendor needs to get their financial house in order! 😶
Looks like Fake David has given up hope of getting a payment to his "vendor."

But, oh yeah, what about those gift cards? There's still hope for a payday, right???
Meet Andrew. Andrew is in charge of the corporate credit card and is currently MIA. Obviously Keegan isn't going to put $15k on her personal credit card!

Andrew's "daughter" has been sick recently. Hopefully, his household has been social distancing and it isn't serious!
Fake David really wants to get these eBay gift cards out to the "staffs" today. Good to see he really cares about employee morale!
Oh no...Keegan finally heard from Andrew. Unfortunately, he notoriously doesn't wash his hands and ignored social distancing practices. Now he's in isolation at the local hospital with a #COVID19 diagnosis! 😢

Getting those gift cards to the employees is starting to look bleak!
And with that, Fake David finally had enough and went on his (un)merry way to try his epic social engineering skills on some other target.

Hope everyone enjoyed!
You can follow @CraneHassold.