
Phishing Infrastructure Attribution: Tracing a BEC Campaign to a Specific Threat Actor Group

April 22, 2025
Outcome

BEC attack attributed to known threat group; phishing infrastructure mapped; $220K recovered through law enforcement.

Background

A company's accounts payable department wired $340K to a fraudulent bank account after receiving a convincing email that appeared to come from their CEO. By the time the fraud was discovered, the money had been moved.

Investigation Methodology

  1. Email Header Analysis: The phishing email's headers were analyzed for originating infrastructure — mail servers, relay points, and authentication mechanisms.
  2. Domain Infrastructure Mapping: The sender domain (a look-alike of the company's real domain) was analyzed for registration details, hosting infrastructure, and connections to other phishing domains.
  3. Threat Actor Attribution: The infrastructure fingerprint was compared against known BEC threat actor TTPs (Tactics, Techniques, and Procedures) in our threat intelligence database.
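The first two steps above (header analysis and sender-domain inspection) can be scripted for triage. The following is an added illustration, not tooling from the firm behind this case: it parses a constructed phishing message (hypothetical domains and RFC 5737 test IPs, none from the real incident), walks the Received chain back to the originating hop, reads the Authentication-Results verdicts, and flags the sender domain as a look-alike of the legitimate one. It assumes a receiving mail gateway that stamps a standard Authentication-Results header.

```python
"""Triage of a suspected BEC email: header parsing, origin hop, auth results,
look-alike sender detection. Added example; all sample data is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (hypothetical domains, documentation IP ranges).
SAMPLE_EMAIL = """Return-Path: <ceo@examp1e-corp.com>
Received: from mail.examp1e-corp.com (mail.examp1e-corp.com [203.0.113.45])
    by mx.example-corp.com with ESMTPS id abc123
    for <ap@example-corp.com>; Tue, 22 Apr 2025 09:14:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.examp1e-corp.com with ESMTPSA id def456;
    Tue, 22 Apr 2025 09:13:55 +0000
Authentication-Results: mx.example-corp.com;
    spf=pass smtp.mailfrom=examp1e-corp.com;
    dkim=none;
    dmarc=none header.from=examp1e-corp.com
From: "CEO Name" <ceo@examp1e-corp.com>
Reply-To: ceo.private@mail.example
To: ap@example-corp.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Character substitutions commonly used to imitate a domain in a mail client.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def _flat(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())


def edit_distance(a, b):
    """Plain Levenshtein distance (dynamic programming, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Undo common homoglyph swaps so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def is_lookalike(sender_domain, legit_domain):
    """True when the sender domain imitates, but is not, the legitimate one."""
    if sender_domain == legit_domain:
        return False
    return (normalize(sender_domain) == normalize(legit_domain)
            or edit_distance(sender_domain, legit_domain) <= 2)


def received_hops(msg):
    """Received headers, oldest first: [{'from': ..., 'ip': ..., 'by': ...}]."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = _flat(raw)
        m = HOP_RE.search(text)
        ip = IP_RE.search(text)
        if m:
            hops.append({"from": m.group(1), "by": m.group(2),
                         "ip": ip.group(1) if ip else None})
    return hops


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results (first value wins)."""
    found = {}
    for mech, verdict in AUTH_RE.findall(_flat(msg.get("Authentication-Results", ""))):
        found.setdefault(mech, verdict)
    return found


def triage(raw_message, legit_domain):
    """Collect the indicators an analyst checks first on a suspected BEC mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    auth = auth_results(msg)
    lookalike = is_lookalike(from_domain, legit_domain)
    indicators = []
    if lookalike:
        indicators.append("sender domain imitates %s" % legit_domain)
    # SPF/DKIM pass on an attacker-registered domain proves nothing about the
    # real company; the decisive question is whether the From domain is the
    # legitimate one, and only then whether its own DMARC verdict passed.
    if lookalike and auth.get("spf") == "pass":
        indicators.append("spf=pass is for the look-alike domain, not the real one")
    if reply_domain and reply_domain != from_domain:
        indicators.append("Reply-To domain differs from From domain")
    return {
        "sender_domain": from_domain,
        "lookalike": lookalike,
        "edit_distance": edit_distance(from_domain, legit_domain),
        "auth": auth,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "origin_ip": hops[0]["ip"] if hops else None,  # earliest hop, for WHOIS/ASN lookup
        "hops": hops,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, "example-corp.com").items():
        print(key, "->", value)
```

The origin IP and the hop hostnames are the starting point for the infrastructure mapping in step 2 (registrar, hosting provider, certificate history), and the look-alike check is what separates a spoofed domain from a compromised legitimate mailbox: a sender domain that matches exactly with passing DMARC points to account takeover rather than a typosquat.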

Key Findings

  • The phishing domain was registered through the same registrar and hosting provider used by a known West African BEC group tracked as "GOLD FOUNTAIN" in industry threat reports.
  • The SSL certificate on the phishing domain was issued by the same certificate authority chains used in 14 previous BEC attacks attributed to this group.
  • The receiving bank account was part of a network of money mule accounts previously flagged by FinCEN.
  • $220K of the $340K was identified as still held in downstream accounts that could be frozen.

Outcome

The FBI's IC3 was provided with the full infrastructure analysis and bank account chain. $220K was frozen and eventually recovered. The phishing infrastructure was taken down, preventing further attacks on other targets. Total investigation time: 3 weeks. Recovery: $220K of $340K.
