
Cybercrime: Crimson Kingsnake is a new BEC group involved in global attacks

Crimson Kingsnake is a new BEC group involved in global attacks. It impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices.

Crimson Kingsnake is a new Business Email Compromise (BEC) group, involved in blind third-party impersonation attacks. Abnormal Security cybersecurity experts discovered it. The cybercrime gang impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices. It targets companies throughout the United States, Europe, the Middle East, and Australia. Like most BEC groups, it is industry-agnostic, meaning it doesn’t explicitly target companies in certain sectors. Intelligence collected by researchers indicates that at least some of the actors associated with Crimson Kingsnake may be located in the United Kingdom.

How the Crimson Kingsnake attacks work

A typical attack starts with an email impersonating a real attorney or law firm and referencing an overdue payment that the target's company owes to the firm or to a company it represents. To add legitimacy to its communications, the group uses email addresses hosted on domains closely resembling the firm's real domain. The sender's display name is set to the attorney being impersonated, and the signature contains the firm's actual company address. After a victim responds, Crimson Kingsnake replies with payment account details contained in a manufactured PDF invoice, which includes the law firm's logo, details about bogus services rendered, and the total amount due. The invoices also list a bill number, an account reference number, bank account details, and the company's VAT ID. Based on the complexity and detailed nature of the invoices, it's possible that the cybercrime gang is using altered versions of legitimate invoices used by the impersonated firms.
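A defensive check for the sender pattern described above, as an added example that is not from the original article or from Abnormal Security: it flags From: headers whose domain is a near miss of a known firm's real domain, or whose display name matches known counsel on an unrelated domain. The directory, domains, sample headers and distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory: counsel the company really deals with -> the firm's true domain.
KNOWN_COUNSEL = {
    "jane doe": "doe-partners.example",
    "sam roe": "roelegal.example",
}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    """Return (verdict, real_domain) for one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    claimed = KNOWN_COUNSEL.get(" ".join(name.lower().split()))
    if domain in KNOWN_COUNSEL.values():
        return ("trusted-domain", domain)
    # Near miss of a real firm domain: the lookalike registration the article describes.
    for real in sorted(set(KNOWN_COUNSEL.values())):
        if edit_distance(domain, real) <= max_distance:
            return ("lookalike-domain", real)
    # A known attorney's name shown on an address at an unrelated domain.
    if claimed:
        return ("display-name-mismatch", claimed)
    return ("unknown-sender", None)

# Constructed sample headers, one per verdict.
SAMPLES = [
    '"Jane Doe" <jane.doe@doe-partners.example>',
    '"Jane Doe" <jane.doe@doe-partner.example>',
    '"Sam Roe" <accounts@roelega1.example>',
    '"Jane Doe" <jd@mail.example>',
    '"Alex" <alex@unrelated.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

A "trusted-domain" verdict only compares the header text; it says nothing about whether the message passed SPF, DKIM or DMARC, so the check complements sender authentication rather than replacing it.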
