David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager at Bora, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, Barkly and others.

Threat Actors Targeting Homebuyers with Phishing Attacks

Digital attackers have a history of targeting real estate transactions. In 2017, the FBI received 10,000 complaints from individuals who had fallen victim to fraud in the real estate sector. Those fraud cases resulted in $56 million of damages.

Most of the time, real estate fraud takes the form of a business email compromise (BEC) scam. Commonly the result of a spear-phishing attack, a business email compromise involves a fraudster assuming control of a corporate email account. The bad actor then abuses that access to conduct unauthorized wire transfers.

The American Land Title Association provides an explanation of how BEC scams work in the real estate industry specifically:

“In real estate transactions, fraudsters assume the identity of the title or real estate agent handling the sale. The criminals forge the person’s email and other details that appear specific and authentic. Next, posing as the real estate or title agent, the scammers send an email to the buyer, providing wire instructions to the criminal’s bank account, not the title agency’s legitimate account.”

Fraudsters don’t always target real estate agents, however. Sometimes they go after the homebuyers themselves with phishing attacks.

For instance, Proofpoint revealed that it routinely spots digital attackers targeting homebuyers and other real estate customers with lures abusing DocuSign, an electronic signature technology platform. These lures aren’t meant to steal targets’ DocuSign credentials, Proofpoint found. Instead, they are intended to lift individuals’ email credentials from fake DocuSign landing pages, the URLs for which are linked in phishing emails. Some of these campaigns leverage well-known real estate brands to add a sense of legitimacy to the attack landing pages.

Other phishing templates spotted by Proofpoint specifically targeted homebuyers who were working to close on a mortgage. One such attack referenced “closing disclosure” and included “onlineclosing.disclosure” in the URL along with the logos of two national realtors on the landing page. Other phishing attacks also mentioned closing or closing documents in the URL.

One attack took the lure of closing documents one step further by instructing targets to download a fake “Important Closing document.” This malicious document took victims to another phishing page designed to steal users’ credentials.
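The traits described above (DocuSign branding, a link that does not lead to DocuSign, and closing wording in the URL) can be checked mechanically during mail triage. The sketch below is an added example, not code from Proofpoint or DocuSign; the domain allowlist, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumption: domains DocuSign itself uses for envelopes; extend for your environment.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")
# Terms taken from the lures described above.
CLOSING_TERMS = re.compile(r"closing|disclosure", re.I)
URL = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def is_docusign_host(host):
    """True only for an allowlisted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)

def review_message(raw):
    """Return [(url, [reasons])] for links that deserve a closer look."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    headers = str(msg["From"]) + " " + str(msg["Subject"])
    claims_docusign = "docusign" in (headers + body).lower()
    findings = []
    for url in URL.findall(body):
        parts = urlsplit(url)
        if is_docusign_host(parts.hostname):
            continue  # link really points at DocuSign
        reasons = []
        if claims_docusign:
            reasons.append("DocuSign-branded message links to a non-DocuSign host")
        if CLOSING_TERMS.search(parts.netloc + parts.path):
            reasons.append("closing/disclosure wording in the URL")
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed samples using the reserved .test TLD, not taken from the report.
LURE = """From: "DocuSign" <notify@mail.example.test>
Subject: Closing disclosure ready for signature
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Review your document:
<a href="https://onlineclosing.disclosure.example.test/sign">VIEW DOCUMENT</a></p>
"""
# Control: the same message with the link on a DocuSign host.
CONTROL = LURE.replace("https://onlineclosing.disclosure.example.test/sign",
                       "https://www.docusign.net/Signing/constructed-envelope")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("control", CONTROL)):
        print(name, review_message(raw))
```

A hit is a reason to inspect the message, not a verdict: legitimate title companies also send links that mention closing documents.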

Sherrod DeGrippo, director of emerging threats for Proofpoint, said that fraudsters target real estate transactions because they are fast-paced and involve the exchange of numerous emails, documents and digital signatures. These qualities make it possible for digital attackers to insert themselves into a transaction and commit fraud. As a result, DeGrippo explained that it’s incumbent on everyone involved in a real estate transaction to protect themselves. As quoted in a blog post:

“Consumers should be exceedingly vigilant in their interactions with parties claiming to be involved in ongoing real estate transactions while realtors, mortgage brokers, and other industry organizations should educate customers about security and take steps to avoid abuse of their brands. Moreover, real estate professionals should implement layers of protection against increasingly frequent attacks on the industry.”

The attacks described above signify that users continue to fall for various types of phishing lures. Organizations should recognize this fact and conduct ongoing phishing awareness training with their employees to protect their corporate data.