Firebrick Ostrich uses open-source tactics to launch cyberattacks
Abnormal Security discovered a new business email attack threat actor, known as “Firebrick Ostrich”, performing business email compromise (BEC) on a near-industrial scale. It also employs a stealth strategy to avoid the obvious giveaways of typical social engineering attacks.
Since April 2021, Firebrick Ostrich has reportedly launched over 350 of these types of BEC attacks, impersonating at least 151 organizations. The group’s wholesale gunslinging approach enables this volume of attacks. When it comes to targets, Firebrick Ostrich doesn’t discriminate much, nor does it gather exceptional intelligence to craft the perfect phishing bait. It throws darts at a wall because, apparently, when it comes to BEC at scale, that’s all that’s needed.
The threat actor’s targets have all been based in the United States, though the choice of industry appears opportunistic. In each campaign, the attackers impersonate multiple vendor employees, one of whom is usually the company’s Chief Financial Officer.
According to Abnormal Security, there doesn’t appear to be a pattern that the threat actor follows, but it dips into retail and education, transportation and healthcare, and everything in between. The group also specializes in third-party impersonations, reflecting a shift in BEC more generally, and uses open-source research, such as trawling through government websites to check information on existing contracts and vendors, and total vendor numbers.
Once the attacker has this information, they will use Namecheap or Google to register a domain name that is very similar to the legitimate domain of the impersonated vendor. Because they lack detailed information about the vendor-customer relationship, BEC emails are typically vague, inquiring about an outstanding payment or requesting an update to the vendor’s payment details.
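As an added defender-side illustration (not from the article, and not Abnormal Security's own tooling), the Python below flags a sender domain that sits within a couple of edits of a trusted vendor domain, after folding common digit-for-letter swaps, and pairs that with the vague payment wording described above to produce a triage verdict. The vendor domains, confusable map and phrase list are constructed assumptions.

```python
import unicodedata

# Constructed list of legitimate vendor domains the organisation pays (hypothetical).
TRUSTED_VENDOR_DOMAINS = ["acme-logistics.com", "northwind-supply.com"]

# Digit-for-letter swaps commonly used in lookalike registrations; folded before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

# Vague payment-themed phrases of the kind the article describes (constructed).
PAYMENT_PHRASES = ("outstanding payment", "update our bank", "banking details", "remittance")


def normalise(domain: str) -> str:
    """Lower-case, strip non-ASCII decorations, fold confusables, drop hyphens and dots."""
    ascii_only = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return ascii_only.translate(CONFUSABLES).replace("-", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance using a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted=TRUSTED_VENDOR_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this sender imitates, or None if it is genuine or unrelated."""
    if sender_domain.lower() in trusted:
        return None  # exact match: the real vendor, not a lookalike
    sender_norm = normalise(sender_domain)
    for legit in trusted:
        if edit_distance(sender_norm, normalise(legit)) <= max_distance:
            return legit
    return None


def assess_email(sender: str, body: str) -> dict:
    """Combine the domain check with payment-change wording into a triage verdict."""
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(domain)
    phrases = [p for p in PAYMENT_PHRASES if p in body.lower()]
    return {
        "imitates": imitated,
        "payment_language": phrases,
        "escalate": imitated is not None and bool(phrases),
    }
```

A real deployment would compare against the organisation's actual vendor master list and treat any hit as a reason to verify payment changes out of band with the vendor.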
“Since its inception, BEC has been synonymous with CEO impersonation,” Crane Hassold, director of threat intelligence at Abnormal Security, notes. But more recently, “threat actors have identified third parties as a sort of soft target in the B2C attack chain. More than half of the B2C attacks that we see now are impersonating third parties instead of internal employees.”
The sources for this piece include an article in Darkreading.