- Proofpoint observed hackers using stolen files to spoof businesses
- The threat actors would send RFQ emails and ask for Net 45 financing terms
- The goods would end up sold in African countries
Cybercriminals have found a way to leverage stolen company files to obtain actual physical goods, and it revolves around a business practice called Request for Quote (RFQ).
An Request for Quote is when one business asks another how much it would cost to purchase certain products, and is used when buying in bulk, wanting to compare prices, or looking for volume-based discounts.
But according to security researchers at Proofpoint, scammers are using files stolen in other cyberattacks to spoof the businesses and create convincing RFQ emails.
Shipping to Ghana
In the emails, they would ask for all kinds of equipment, from networking gear, to CCTV cameras, healthcare hardware, and similar.
After receiving a quote, they would then ask for Net 15/30/45 financing terms – payment terms that give the buyer 15, 30, or 45 days to pay the full invoice amount, with interest, *after* receiving the goods – which is common practice in B2B transactions.
If the victim business agrees, the scammers would share a shipping address. Sometimes, these are residential addresses, and other times, they lead to rented warehouses across the US. From there, the crooks would hire shipping forwarding services that specialize in sending goods to West African countries like Nigeria and Ghana, where the gear ends up (likely to be sold).
The victim, on the other hand, never gets their money as the scammers just disappear.
Proofpoint also stated the shipping forwarding services most likely don’t even know they’re transporting stolen goods, and that people living in houses listed as the shipping address can be scammers, or former scam victims themselves looking to pay off a debt.
The researchers also said they were tracking and blocking emails associated with RFQ scam groups, and partnered with the company’s Takedown Team to successfully take down 19 domains associated with these scams.
