How Hackers Derail Transactions with Lookalike Email Domains
In part one, we covered the basics of wire fraud, which starts with social engineering: a compelling phishing email and credential harvesting through a website fabricated and controlled by the hacker. If successful, the attacker gains access to the victim's email credentials and surveys correspondence to learn about the victim and possibly access real estate transaction information. Now, let's discuss how hackers move forward with their attack and identify all parties to the targeted transaction to build the runbook for execution.
Part of that exercise could be registering a look-alike domain to which they later divert an unsuspecting victim who may not pay attention to details. In this step, hackers check registrars for an available domain that looks similar to the target by dropping, adding, or substituting a single letter (for example, xyzconpany.com) or go for a comparable domain. For instance, if xyzcompany.com is the target, the hacker may try to use xyzcompanyinc.com or xyzcompanyllc.com to create an email address that they control and that looks very similar to the original email address they are looking to replicate.
Double check the email domain.
If that is not an option, the hacker will go for plan B and register an email address with an open platform (i.e., Gmail, Outlook, Yahoo, etc.), creating a random email address under the target's display name. For example, "Judy Realtor <realtor_xyzcompanyinc@gmail[.]com>", where Judy Realtor is the name of a genuine realtor, loan officer, or escrow officer. The attacker will later use this fabricated email address, which looks familiar, to send "updated" wiring instructions.
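Added example, not code from the original post: a small Python check a defender can run over incoming From: headers to flag the imitation patterns described above (a one-character edit of a trusted domain, an extended form such as xyzcompanyinc.com, and a trusted display name on a free-mail provider). It also flags the same domain name on a different TLD, which goes slightly beyond the text. The trusted-party list, the free-mail list, and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data: the trusted domains on this transaction and the
# display names of the genuine parties who use them.
TRUSTED = {"xyzcompany.com": {"Judy Realtor"}}
# Constructed list of open platforms where anyone can register an address.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def one_edit_away(a: str, b: str) -> bool:
    """True if b equals a after dropping, adding or substituting one character."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    # Skip the one extra character in the longer string; the rest must match.
    return short[i:] == long_[i + 1:]


def classify_sender(from_header: str):
    """Return a finding string for a suspicious From: header, or None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED:
        return None  # genuine domain; nothing to flag here
    for trusted_domain, names in TRUSTED.items():
        label = trusted_domain.split(".")[0]        # "xyzcompany"
        cand_label = domain.split(".")[0]
        if one_edit_away(trusted_domain, domain):
            return f"lookalike: one-character edit of {trusted_domain}"
        if cand_label != label and cand_label.startswith(label):
            return f"lookalike: extended form of {trusted_domain}"
        if cand_label == label:
            return f"lookalike: {label} on a different TLD ({domain})"
        if domain in FREEMAIL and name.strip().lower() in {n.lower() for n in names}:
            return f"impersonation: trusted display name on free-mail domain {domain}"
    return None


if __name__ == "__main__":
    for hdr in ["Judy Realtor <judy@xyzcompany.com>",
                "Judy Realtor <judy@xyzconpany.com>",
                "Judy Realtor <escrow@xyzcompanyllc.com>",
                "Judy Realtor <realtor_xyzcompanyinc@gmail.com>"]:
        print(f"{hdr!r}: {classify_sender(hdr)}")
```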
One of the possible next steps is email manipulation. The attacker can actively be in the victim's mailbox or abuse mail rules. For example, during the course of the transaction, emails are sent to a group of participants for various actions or informational purposes. If an attacker wants to interject, they may create a set of mail rules. Suppose the attacker wants to send new (fraudulent) wiring instructions to a seller from the email account they control, purporting to be from an escrow officer. In that case, they need to ensure that the correspondence does not reach the "real" escrow officer. So they may set up a mail rule to manipulate recipients' addresses or to intercept and delete an email that the actual recipient should never see.
Pay attention to the details in the signature.
Remember, by this point the attacker could be reading every email in the victim's mailbox, so they are familiar with who each party is and their role in the transaction. They can also copy everyone's signature block so that when they are ready to send an email from the "fake" account, they can insert the authentic signature of the person they are trying to impersonate. Pay attention to the details in the signature. Sometimes the criminal will replace a phone number in the genuine signature with one they control, in case the victim calls for confirmation.
Remember, if a hacker penetrates a party that works on multiple transactions, they have access to different sets of buyers, sellers, brokers, attorneys, lenders, and closing and escrow companies. Now they can skip the social engineering step and go directly to phishing the credentials of new potential victims. I call it a vicious circle, which is not limited to a single transaction.
Be suspicious of last-minute wiring instruction changes.
From here, everything is staged and ready for the last-minute wiring instructions change. Modern attackers are versed in the real estate transaction process. They learn all the steps in our cycle and make their email very convincing, especially for unsuspecting buyers or sellers who are not versed in the wire fraud attacks our industry faces daily.
We hope this breakdown of the steps hackers and cyber attackers go through to trap victims is helpful. Make sure to follow us on social media to see when the next blog in this series goes live.