Over the last few months, we’ve been seeing a huge influx of attackers using VistaPrint for business email compromise (BEC) scams. Losses due to account takeovers total over a billion dollars, and given the nature of these wire fraud attempts, it’s pretty easy to get the money, unless you’re the VP of finance for PhishMe. Why are attackers using VistaPrint, and what makes them such a middle-man for these attacks?

One of the main VistaPrint features that the attackers are using is the option to create a free domain, coupled with web hosting and an email account for the domain. They advertise a 1-month trial, which is more than enough time for an attacker to steal money and create another account.

When creating a domain, we’re presented with a “billing information” form. Note the quotes, as you can punch in fake information here.

Next, we’re presented with a payment method for a credit card. We decided to use a throwaway card with a balance of $0.01 to see what extent of “security checks” is performed. The only check is to see if the number was active, and we were never prompted to enter the CVV. Zip code validation usually takes place as well; however, there were no checks for us.

Within 10 minutes, we’re up and running with a credit card of no balance and able to create emails to spoof a CEO.

The web interface is also very nice, and we are able to log in and read the emails for our domain, right off the bat with a little more configuration.

And in another 5 minutes, we’re phishing away, spoofing CEOs.

While researching the issue, we found that ThreatSTOP has also run into VistaPrint being used for these types of attacks. In a blog post, they confirmed the same thing: not only is it easy to use VistaPrint for sending phishing emails from new domains, but money has been stolen from different companies.

In an email correspondence with Francis Turner, VP of Research and Security with ThreatSTOP, he wrote that the fix is simple. “All they would need to do is not let the website or email go live until they have checked (with the usual link in email) that the user email address works, that the CC# exists and matches the name, address, expiry, CVV etc. supplied and had some human do a basic look at the domain to see if it looks legit.” Turner also mentioned that while this won’t stop every case of fraud, this will at least raise the bar from nothing to something.

For those who are interested, you can download a feed of new VistaPrint domains in the last 24 hours here: http://vistaprinta.tk/ . If JSON is your thing, you can also download a copy of the new domains here: http://vistaprinta.tk/latest.json

In yesterday’s dump, we looked over some of the domains, and they did not give us the warm fuzzies. Here’s a very brief list of domains that are either off by one letter, have an extra letter, or are straight up copies of another domain. Most of these had no content on the page, but did have MX records for sending and receiving email. Now keep in mind that these domains were created in a 24 hour period.
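For defenders who want to screen a daily list of new domains against their own, the sketch below is an added example, not code from this post or from the feed's maintainer. It flags the three patterns described above (one letter changed, an extra letter, a copy under another TLD) and also a missing letter; the watchlist, the sample domains and all function names are constructed for illustration, and inputs are assumed to be registered domains without subdomains.

```python
# Added example: flag newly registered domains that imitate a protected domain.
PROTECTED = ["example.com"]  # assumption: the domains your organisation owns

NEW_DOMAINS = [  # constructed sample standing in for one day of new domains
    "exemple.com", "examplle.com", "example.net", "exampl.com", "flowershop.org",
]

def split_domain(domain):
    """Split 'example.com' into ('example', 'com') at the first dot."""
    label, _, tld = domain.lower().strip(".").partition(".")
    return label, tld

def within_one_edit(a, b):
    """True if a and b differ by exactly one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1  # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # one character substituted
    return a[i:] == b[i + 1:]  # b carries one extra character

def classify(candidate, protected):
    """Return why candidate resembles a protected domain, or None if it does not."""
    if candidate.lower() in protected:
        return None  # our own domain, not a lookalike
    c_label, _ = split_domain(candidate)
    kinds = {0: "one letter changed", 1: "extra letter", -1: "missing letter"}
    for target in protected:
        t_label, _ = split_domain(target)
        if c_label == t_label:
            return f"copy of {target} under another TLD"
        if within_one_edit(c_label, t_label):
            return f"{kinds[len(c_label) - len(t_label)]} vs {target}"
    return None

def flag_lookalikes(new_domains, protected):
    """Map each suspicious new domain to the reason it was flagged."""
    hits = {}
    for domain in new_domains:
        reason = classify(domain, protected)
        if reason:
            hits[domain] = reason
    return hits

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(NEW_DOMAINS, PROTECTED).items():
        print(f"{domain}: {reason}")
```

Hits can then be prioritised by whether the domain publishes MX records, since most of the suspicious domains we saw had MX records but no page content.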

To add insult to injury, VistaPrint is also hosting the webpage http://www.vistaprintmorons.com/ , a mock website that details how to use their service for stealing money from different companies.

While we did not reach out to VistaPrint on this specific issue, they have long known about this problem.

Triage customers already have the rules to help find possible threats coming from VistaPrint. Everyone else can download the Yara rules here.