A large-scale, ongoing BEC scam has been identified targeting vendors of Middle East-based organizations and individuals. The campaign is an expansion of an earlier one: it adds a new cluster of phishing domains registered with naming schemes similar to those used in a previous campaign observed in July.

The expanded campaign

CloudSEK researchers found that the massive BEC campaign has expanded its set of targets and uses several scams to lure users.
  • The cluster of phishing domains targets contractors in the UAE with vendor registration, contract bidding, fake job offers, investment opportunities, and other types of lures.
  • Of the 35 phishing domains analyzed, 90% are targeting Abu Dhabi National Oil Company (ADNOC), Sharjah National Oil Corporation (SNOC), and Emirates National Oil Company (ENOC).
  • Some domains have only an email server (mostly by Zoho) enabled, some have copied content from legitimate businesses to trick the users, and some domains redirect to legitimate domains to trick victims into trusting the phishing emails.

Campaign strategy

  • The threat actors behind this campaign are strategically buying and registering domains with keywords similar to the legitimate organization domains.
  • These domains are hosted in North America with several affordable service providers that take time to process takedown requests.
  • The majority of these domains belong to Tucows Domains, which is known for a slow response rate on requests for the suspension of such domains.

Additionally, the campaign uses pre-stored static web pages with similar templates that make it resilient to takedowns. These templates are uploaded from one domain to another in case of a ban.
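The naming pattern described in this section can be screened for on the defender's side. The following is an added example, not code from CloudSEK or from the article: it sorts sender or link domains into legitimate, brand-keyword, or near-miss spellings of the three companies named above. The allowlisted legitimate domains, the function names, and the sample input are assumptions made for illustration.

```python
import re

# Brand keywords are the three companies named in the article. The legitimate
# domains are assumptions; replace them with your verified vendor allowlist.
BRANDS = {"adnoc": {"adnoc.ae"}, "snoc": {"snoc.ae"}, "enoc": {"enoc.com"}}


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand) for a sender or link domain."""
    domain = domain.lower().rstrip(".")
    for brand, legit in BRANDS.items():
        if any(domain == d or domain.endswith("." + d) for d in legit):
            return ("legitimate", brand)
    # Split every label except the TLD on separators used in compound names.
    tokens = [t for label in domain.split(".")[:-1]
              for t in re.split(r"[-_]", label) if t]
    # Pass 1: exact brand keyword embedded in a token.
    for brand in BRANDS:
        if any(brand in tok for tok in tokens):
            return ("keyword", brand)
    # Pass 2: one-character deviation, e.g. digit-for-letter swaps. Runs second
    # because "snoc" and "enoc" are themselves one edit apart.
    for brand in BRANDS:
        if any(edit_distance(tok, brand) == 1 for tok in tokens):
            return ("typo", brand)
    return ("unrelated", None)


def triage(domains):
    """Keep only domains that need analyst review, with the reason."""
    results = {d: classify(d) for d in domains}
    return {d: r for d, r in results.items() if r[0] in ("keyword", "typo")}


# Constructed sample input (reserved .example TLD); not domains from the campaign.
SAMPLE = ["adnoc.ae", "mail.enoc.com", "adnoc-vendor-registration.example",
          "enoctenders.example", "adn0c-bids.example", "example.org"]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(name, verdict)
```

A match is a triage signal rather than a verdict: four-letter keywords such as these also occur inside unrelated words, so flagged domains still need checking against registration and mail-server details.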

The last campaign from July

  • The campaign targeted various government and corporate entities in the finance, travel, hospital, legal, oil and gas, and consultation industries in the Middle East.
  • Researchers assessed that a single threat actor or a threat actor group owns all phishing domains and websites used in the large-scale phishing campaign.


Experts conclude that threat actors have set up an entire network of such fake domains related to the finance, travel and tourism, oil and gas, real estate, and investment sectors. The attacks are strategically targeted. Organizations must train employees to recognize BEC scams and implement multi-level authentication and identification mechanisms for payments.
Cyware Publisher