Researchers at Abnormal Security have identified a specific BEC scammer group targeting university staff in new payroll diversion attacks. Called Chiffon Herring, the group has been active since March and mainly targets local school districts and universities in the U.S.

The scammers are likely located in Nigeria and South Africa.

Setting the hook to divert funds

  • The general structure of an attack from this group is similar to many other payroll diversion attacks.
  • As part of the attack, the attackers pose as non-executive employees, such as teachers and professors, and send emails to the department head at a university or office staff at a school district.
  • The emails indicate that the impersonated teacher has recently changed to new banks and needs to update their direct deposit information. To create a sense of urgency, the email also mentions that the previous account will become inactive before the next payday.
  • In addition to spoofing teacher email addresses, the analysis reveals that Chiffon Herring also leverages GoDaddy infrastructure to send the attacks. 

Green Dot Bank used to divert funds

  • In almost all of these attacks, Chiffon Herring provides banking details of Green Dot Bank to redirect the funds.
  • The accounts under these banks are relatively easy to open and are mostly linked to prepaid cards. 
  • Prepaid cards are commonly used in payroll diversion attacks to receive direct deposits up to 48 hours before a payday. In this way, the threat actors can have access to diverted funds for several days before the targeted victim even realizes anything is wrong.

Staying safe

To ensure protection against payroll diversion attacks, it is important that all staff, especially those in finance and human resources, are trained to detect the signs of phishing attacks. Additionally, institutions and schools should also implement an email security solution to block malicious emails.
Cyware Publisher