
Security Brief: French BEC Threat Actor Targets Property Payments


What happened 

Proofpoint identified and named TA2900, a new financially motivated business email compromise (BEC) threat actor conducting fraud. This actor sends French-language emails using rental payment themes to target people in France and occasionally in Canada.

In these campaigns, messages purport to inform the recipient that the rental installment for their property has not been received and instruct them to submit payment immediately. The messages also state that the rental company’s bank account details have changed and instruct the recipient to send their next rent payment to a new account, using the International Bank Account Number (IBAN) details provided by the attacker. Researchers have observed that the IBAN details change frequently: the actor will usually send two to three campaigns using the same bank account before switching to a new one. Proofpoint has observed almost two dozen IBANs across over 50 campaigns attributed to this actor to date.

The IBAN details are often provided by the attacker in the body of the message or in the attachment. On other occasions, the messages don’t contain any bank account information. In these cases, the actor instructs the victim to reply to the email to receive new bank account details for the next rental payment.   

The bank accounts are registered at French banks that appear to be mostly “low cost” branches of large financial institutions. Recipients are instructed to reply to freemail accounts hosted by services like Gmail or Outlook, with evidence of their latest rental payment, and in some cases authorization for automatic payment of future rent installments, to the attacker-controlled bank account.  

Figure 1: TA2900 message examples including IBAN and BIC numbers.

Most campaigns are sent from compromised mailboxes belonging to educational institutions in various regions and use a generic subject line, for example “Loyer” and “Nouveau RIB.” The term “RIB” refers to “Relevé d’Identité Bancaire” (which roughly translates to “bank account identity statement”). Early campaigns often included attached PDFs using logos and statements such as “Gestion locative de bien immobilier” (“Rental property management”), “Garantie des loyers” (“Rent guarantee”), and “Gestion immobilier comptabilité” (“Real estate management accounting”). Whenever PDF documents are attached to the emails, they carry logos similar to those used in attachments from prior campaigns by the same actor. The actor has used PDF attachments less frequently since late 2024.

Figure 2: PDF example for TA2900 campaign.
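The message traits described above (a freemail Reply-To that differs from the sender's domain, a generic “Loyer” or “Nouveau RIB” subject, and an IBAN in the body) can be checked together in a mail triage rule. The following is an added example, not Proofpoint's detection logic; the freemail set, the signal names and both sample messages are constructed assumptions, and the IBAN is a public documentation example unrelated to this actor.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, non-exhaustive freemail set; subjects are the two quoted in the brief.
FREEMAIL = {"gmail.com", "googlemail.com", "outlook.fr", "yahoo.com", "mail.fr"}
SUBJECTS = {"loyer", "nouveau rib"}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def iban_valid(candidate):
    """ISO 13616 mod-97 check, so look-alike strings are not counted as IBANs."""
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # A=10 ... Z=35
    return int(digits) % 97 == 1

def domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the rent-lure signals present in one RFC 5322 message."""
    msg = message_from_string(raw)
    # Only undecoded text/plain parts are inspected in this sketch.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    hits = []
    reply = domain(msg.get("Reply-To"))
    if reply in FREEMAIL and reply != domain(msg.get("From")):
        hits.append("reply-to-freemail-mismatch")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("generic-rent-subject")
    if any(iban_valid(m.group()) for m in IBAN_RE.finditer(body)):
        hits.append("valid-iban-in-body")
    return hits

# Constructed sample messages (addresses and wording are invented for the example).
LURE = ("From: Scolarite <scolarite@universite.example>\n"
        "Reply-To: exemple.construit@gmail.com\n"
        "Subject: Nouveau RIB\n\n"
        "Bonjour, votre loyer n'a pas ete recu. Merci d'utiliser le nouveau RIB.\n"
        "IBAN : FR14 2004 1010 0505 0001 3M02 606\n")
BENIGN = ("From: agence@agence-immo.example\n"
          "Subject: Quittance de loyer\n\n"
          "Bonjour, veuillez trouver votre quittance pour le mois de mars.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

Each signal is weak on its own; a rule would normally alert only when two or more co-occur, and would route messages that ask for a reply to obtain bank details through the Reply-To check alone.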

Due to some unusual phrasing and email body content of the messages observed in the campaigns, it’s possible that the emails are written with the help of generative AI. However, this cannot be confirmed as of writing.  

Attribution 

Proofpoint Threat Research assesses with high confidence that the objective of TA2900 is financial theft. The exact location of this actor is unknown, but they are likely knowledgeable about the rental payment process for properties in France and may have information about the rental properties identified in the campaigns. As the campaigns are almost exclusively in French and utilize French-language bank accounts, a layer of legitimacy exists, giving the recipient a false sense of security. The observed language in email messages could be generated by a language translation application, meaning that the actor may not be located in the targeted French-speaking country and/or may not be fluent in French. We assess with high confidence that some of the compromised education accounts used to send campaigns were obtained through previous credential phishing or keylogger malware campaigns. These accounts are from global sources and appear to be opportunistically compromised.

Why it matters 

Social engineering is a tactic in which an attacker leverages human emotion to trick a victim into performing an action, such as sending the attacker money, divulging sensitive information, disclosing credentials, or installing an application on their system. Email lures that alert users to unpaid and overdue rental installments are intended to cause anxiety in recipients so that they act quickly to avoid potential eviction and/or interest, penalties, and fees. By acting immediately and based on an emotional response, people may overlook details that indicate this is a scam. This is a good example of why it is important to pause and reassess any email (or message from social media, messaging applications, etc.) that provokes a strong emotional response and demands immediate action. Provoking that response is a cornerstone of successful social engineering, upon which BEC and fraud threats rely.

IOCs 
