New Phishing Campaign Leverages Aging Reports to Target Businesses

  • The new threat group impersonates company CFOs, requesting an updated aging report from companies' financial department staff.
  • There should be a multi-layered approach to email security to prevent scams by impersonation.

A hacker group called Ancient Tortoise was reportedly found targeting accounts receivable specialists for hoodwinking them into obtaining information on customers via aging reports.

What is an aging report?

An aging report is a collection of outstanding invoices of users that help a company's financial department keep track of unpaid bills of customers for the goods or services bought on credit.

Attackers’ trick

Researchers at Agari Cyber Intelligence Division (ACID) have revealed Ancient Tortoise’s intent to scam customers after collecting their information using aging reports from organizations.

  • The new threat group would impersonate a company's CFO requesting the specialist an updated aging report altogether.
  • By not asking the employee to change payment accounts, in the beginning, is a tactic to win the trust first.
  • The attackers also mimic the names and free email accounts of the firm's CFO to further strengthen their hoax.

Undercover operation by Agari

Agari's research team connected with the scammers and continued the email exchange in order to further understand Ancient Tortoise's fraud scheme.

  • The team sent a fake aging report containing the names of purported customers and their overdue amounts, along with the names and contact details.
  • Two days after the email exchange, scammers started contacting all the fake customers from the aging report, requesting payment for the outstanding invoices.
  • This is where they asked for the outstanding invoices to be paid via ACH or wire to a new account.
  • In the next, actors shared the details of the bank account they controlled for the outstanding payments to be made.

The Agari team said, “To make their email look legitimate, Ancient Tortoise registered a new domain about an hour and a half before sending the messages that closely mimicked our fake employee’s domain. Of course, the display name and username used by the scammer also matched our persona as well.”

Defense techniques

Learning defense techniques for such scams is critical for companies, vendors, and suppliers.

  • There should be a multi-layered approach to email security to prevent scams by impersonation. The approach involves implementing strong anti-phishing email and layered email authentication protections to defend against advanced identity deception attacks and brand spoofing.
  • For companies trading with external parties, besides utilizing identity deception defenses, having a formal process for handling outgoing payments is recommended (especially if the supplier’s normal payment account has changed).