Firebrick Ostrich and business email compromise.
N2K, Feb 1, 2023

Threat actor uses open-source information to launch BEC attacks.

Abnormal Security describes a business email compromise (BEC) gang it calls “Firebrick Ostrich” that performs third-party reconnaissance attacks in the service of subsequent BEC attacks.

Open-source research for BEC.

The researchers explain that third-party reconnaissance attacks rely on open-source information rather than compromised accounts:

“For example, many state and local governments offer detailed information about existing and previous contracts on their websites. These records provide key insights into the services a vendor has provided, contact information for both the vendor and customer, and the total contract amounts.

“In other cases, an attacker could simply visit a vendor’s website where the company has displayed the names or logos of their customers to help market their products and services via customer proof. Or, they may be able to simply Google two company names to see what the connection may be.”

After the threat actors have established that two organizations have a business relationship with each other, they’ll set up lookalike domains and email addresses to impersonate the vendor organization. They’ll then send a vague request for an invoice, hoping that an employee at the customer organization will assume it’s real.
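One defensive check suggested by the lookalike-domain tactic described above, written as an added example that is not from the article or from Abnormal Security: compare each inbound sender domain against an allow-list of the vendor domains the organization really does business with, undo common character swaps before comparing, and escalate invoice-themed mail that arrives from a near-miss domain. The vendor domains, homoglyph table, similarity threshold and sample messages are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list: domains of vendors this organization actually works with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-traders.example"}

# Character swaps commonly seen in lookalike domains (illustrative, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Similarity ratio above which a non-allow-listed domain is treated as a lookalike
# (assumed value; tune against your own vendor list).
LOOKALIKE_THRESHOLD = 0.8

# Subject words matching the "vague request for an invoice" lure.
INVOICE_WORDS = re.compile(r"\b(invoice|payment|remit|wire|bank details)\b", re.I)


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.lower().rstrip(".")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header value."""
    m = re.search(r"<?([^\s<>]+)@([^\s<>]+?)>?\s*$", from_header)
    if not m:
        raise ValueError(f"no address found in From header: {from_header!r}")
    return m.group(2)


def classify_domain(domain: str) -> str:
    """Return 'known_vendor', 'lookalike' or 'unknown' for a sender domain."""
    if domain.lower() in KNOWN_VENDOR_DOMAINS:
        return "known_vendor"
    norm = normalize(domain)
    for vendor in KNOWN_VENDOR_DOMAINS:
        # Both sides are normalized, so a vendor name containing "rn" still compares equal to itself.
        if norm == normalize(vendor):
            return "lookalike"
        if SequenceMatcher(None, norm, normalize(vendor)).ratio() >= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "unknown"


def triage(message: dict) -> str:
    """Combine the domain verdict with the invoice lure: 'quarantine', 'review' or 'allow'."""
    verdict = classify_domain(sender_domain(message["from"]))
    invoice_themed = bool(INVOICE_WORDS.search(message["subject"]))
    if verdict == "lookalike":
        return "quarantine" if invoice_themed else "review"
    if verdict == "unknown" and invoice_themed:
        return "review"  # invoice request from an unlisted sender: verify out of band
    return "allow"
```

A "review" or "quarantine" verdict is the cue to confirm the request with the vendor through a contact already on file, not through the address in the message.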

Firebrick Ostrich launches hundreds of BEC campaigns.

Firebrick Ostrich has launched more than 350 of these types of BEC attacks since April 2021, impersonating at least 151 organizations. All of the threat actor’s targets have been based in the US, although the targeted industries seem to be opportunistic. The attackers impersonate multiple vendor employees in each campaign, and one of these is usually the company’s Chief Financial Officer.

Industry comment on the implications of BEC battlespace preparation.

(Added, 3:00 PM, February 1st, 2023. Erich Kron, security awareness advocate at KnowBe4, made the Willie-Suttonesque observation that social engineering continues because it works.

“Once again we see where simple email phishing tactics yield big results for the cybercriminals using them. It also demonstrates just how valuable even the smallest amount of information can be for social engineers. Often we see organizations that suffered a breach downplaying the information that was leaked, especially when it doesn't contain Social Security numbers or credit card information; however, using this information to build more convincing attacks is generally trivial and improves the success of the phish greatly. Even otherwise benign-seeming websites, such as LinkedIn, can be a treasure trove for this kind of information, and the more specific it is, as is demonstrated by this group using information from government websites, the better.

“This sort of success is why it is so critical for organizations to ensure they are educating their employees on how to spot and report these types of social engineering attacks. The tactics used here are far from new and easy to spot if the employee knows what they're looking for. Simply knowing how to, and remembering to, check the URL is a simple way to avoid falling for these sorts of attacks. Unfortunately, many organizations that even bother to do education only do it once a year, and it is quickly forgotten by employees. By doing short training sessions more often, it keeps security front of mind for employees, making them far less likely to fall for these simple tricks.”)