Crimson Kingsnake BEC group impersonates law firms.
N2K logoNov 4, 2022

A sophisticated business email compromise group is sending phony invoices purporting to come from well-known law firms and attorneys.

Crimson Kingsnake BEC group impersonates law firms.

Abnormal Security is tracking a threat actor dubbed “Crimson Kingsnake” that’s launching business email compromise (BEC) attacks by impersonating attorneys, law firms, and debt recovery services.

BEC gang impersonates international law firms.

Crimson Kingsnake specializes in blind third-party impersonation attacks, a term Abnormal uses to describe BEC attacks in which the threat actor doesn’t have direct visibility into the targeted organization’s communications or business transactions. The researchers state:

“Based on our observations, a typical Crimson Kingsnake attack starts with an email impersonating an attorney and referencing an overdue payment the targets company owes to the firm or a company they represent. The impersonated attorney and the law firm they purportedly work for actually exist in the real world, so if the target ran a Google search for either, they would actually find results for the impersonated parties.

“To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm’s real domain. The display name of the sender is set to the attorney that is being impersonated and the email signature contains the firm’s actual company address. Since March 2022, we’ve identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the United States, the United Kingdom, and Australia. Many of the firms referenced in Crimson Kingsnake attacks are major, multinational practices with a global footprint.”

If an employee replies to one of these emails, the attacker will send them a phony invoice requesting tens of thousands of dollars. If the employee questions the invoice, the attackers will impersonate an executive at the employee’s company authorizing the transaction.

Major law firms impersonated by Crimson Kingsnake.

BleepingComputer has a list of some of the law firms being impersonated by Crimson Kingsnake. They include Allen & Overy, Clifford Chance, Deloitte, Dentons, Eversheds Sutherland,Herbert Smith Freehills, Hogan Lovells, Kirkland & Ellis, Lindsay Hart, Manix Law Firm, Monlex International, Morrison Foerster, Simmons & Simmons, and Sullivan & Cromwell. Note that these are impersonations, not compromises of the firms.

Comment on the phishing techniques employed and how to defend against them.

Sean McNee, Chief Technology Officer at DomainTools, offers the following advice to help organizations defend themselves against BEC attacks:

“BEC attacks remain a lucrative business, and unfortunately, impersonating third party vendors is the newest trend. Criminals are hijacking the external relationships businesses have with their suppliers, particularly those that share highly sensitive data and invoice large amounts.

“Attackers start by conducting detailed reconnaissance on their victims to understand who they do business with, how they communicate, and the type of information they share. Then they set up lookalike domains and email accounts in order to trick people into sending them funds. Since law firms, construction firms and other such suppliers are considered trusted vendors, employees are less likely to verify their transaction requests or catch a spoofed domain. 

“Here are 3 steps businesses can take to protect against BEC attacks and domain spoofing:

  • “Conduct awareness training and teach employees to verify domains and look for other malicious techniques that attackers use
  • “Establish processes that require employees to verify all transactions and partner details before initiating transfers over a certain amount
  • “Use security tools that look for intentional typos and other keyword variations, as well as tools that explore DNS data to find connected infrastructure (for example, shared IP address hosting, shared name servers, shared registration details, etc).”

Added, 12:15 PM, November 4th, 2022.

James McQuiggan, security awareness advocate at KnowBe4, wrote to point out the way in which fear and authority can be combined in an effective social engineering campaign:

“Criminal groups target organizations utilizing fear and authoritative positions to intimidate users with phishing emails to gain access and learn how the organization operates so they can insert themselves into the infrastructure. Cybercriminal groups continue to be successful because of the ability to socially engineer users and gain access to an organization with a well-crafted spear phishing attack.

"Organizations can reduce the risk of a BEC attack with a robust security program, including email authentication controls and technology, to detect fake emails. This program should be linked to a security awareness training program to engage employees and help them recognize unusual emails from vendors. These emails attempt to "socially engineer" employees to give up information or data. An email should be one of many lines of communication for delivering sensitive information regarding payments or financial account changes. However, the organization should rely on applications, repeatable processes, and confirmation to determine if the email is valid.”