Proofpoint has identified a new financially motivated business email compromise (BEC) threat actor, TA2900, that targets individuals in France and Canada with fraudulent rental payment emails. The emails stress urgency and often include changed International Bank Account Numbers (IBANs) to facilitate financial theft.
Affected: France, Canada, educational institutions, financial sector
Key points:
- New threat actor TA2900 conducts business email compromise targeting individuals in France and Canada.
- The actor uses French-language emails focused on rental payment scams.
- Emails claim unpaid rental installments and request immediate payment to new bank account details.
- The IBANs used for the fraudulent accounts change frequently; up to two dozen observed over 50 campaigns.
- Emails are often sent from compromised educational institution accounts and use generic subject lines.
- Messages may provoke urgency and anxiety to elicit a quick emotional response from victims.
- Social engineering tactics are heavily utilized in the campaigns to deceive victims.
- Some email content may be generated by AI, indicated by unusual phrasing.
- Evidence shows that email accounts were likely obtained through phishing or malware campaigns.
- Common reply-to email addresses used by TA2900 have been tracked and listed.
MITRE Techniques:
- Business Email Compromise (T1583): TA2900 employs fraudulent emails to impersonate rental companies and solicit payments.
- Credential Dumping (T1003): Compromised educational accounts suggest previous credential harvesting via phishing efforts.
- Phishing (T1566): The actor sends deceptive emails to the victims to obtain sensitive information or commit theft.
Indicators of Compromise:
- Email Address: bureaugestionetcomptabilite@outlook[.]fr
- Email Address: compta[.]gestionimmo@yahoo[.]com
- Email Address: comptable[.]gestion[.]locative3@gmail[.]com
- Email Address: comptable[.]gestion58@yahoo[.]com
- Email Address: gestion[.]locative[.]immo@outlook[.]fr
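
The traits described in the key points (a Reply-To on a freemail provider that differs from the sending domain, French rent-payment wording, and an IBAN in the body) can be combined into a mail-filter heuristic. The following is an added example, not Proofpoint's detection logic; the function names, the French keyword list, the decision rule and the sample message are assumptions made here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Reply-to indicators as listed on this page, refanged for comparison.
KNOWN_REPLY_TO = {a.replace("[.]", ".") for a in (
    "bureaugestionetcomptabilite@outlook[.]fr", "compta[.]gestionimmo@yahoo[.]com",
    "comptable[.]gestion[.]locative3@gmail[.]com", "comptable[.]gestion58@yahoo[.]com",
    "gestion[.]locative[.]immo@outlook[.]fr")}
FREEMAIL = {a.split("@")[1] for a in KNOWN_REPLY_TO}  # outlook.fr, yahoo.com, gmail.com
# Assumed French rent/payment vocabulary; tune it against your own mail.
RENT_TERMS = re.compile(r"\b(loyer|impay\w*|échéance|virement|RIB)\b", re.I)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def iban_valid(candidate):
    """ISO 13616 mod-97 check, so arbitrary alphanumeric runs are not counted."""
    s = candidate.replace(" ", "")
    return 15 <= len(s) <= 34 and int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def signals(raw):
    """Return the campaign traits found in one plain-text (non-multipart) message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    found = set()
    if reply in KNOWN_REPLY_TO:
        found.add("known_reply_to")
    reply_domain = reply.split("@")[-1]
    if reply_domain in FREEMAIL and reply_domain != sender.split("@")[-1]:
        found.add("freemail_reply_to_mismatch")
    if any(iban_valid(m) for m in IBAN_RE.findall(body)):
        found.add("iban_in_body")
    if RENT_TERMS.search(body):
        found.add("rent_payment_language")
    return found

def is_suspect(raw):
    s = signals(raw)
    return "known_reply_to" in s or {"freemail_reply_to_mismatch", "iban_in_body", "rent_payment_language"} <= s

# Constructed sample: addresses and text are invented, the IBAN is a documentation example.
SAMPLE = """From: Jean Dupont <j.dupont@univ-example.edu>
Reply-To: gestion.exemple@outlook.fr
Subject: Important

Votre loyer reste impayé. Merci d'effectuer le virement aujourd'hui sur le nouveau compte : FR76 3000 6000 0112 3456 7890 189
"""
```

Because the actor rotates IBANs and reply-to addresses, the exact-match set is the weakest signal here; the combination of the three behavioural traits keeps matching after the indicators change.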