The communications demonstrate knowledge of French rental payment processes, incorporating legitimate terminology like “Garantie des loyers” (Rent guarantee) and “Gestion immobilier comptabilité” (Real estate management accounting). The bank accounts used by TA2900 are registered at legitimate French financial institutions, specifically “low cost” branches of larger banks, making transactions appear genuine to victims. Subject lines are typically generic such as “Loyer” (Rent) or “Nouveau RIB” (New bank details), while attached PDFs feature logos and terminology common to property management companies. The threat actor typically sends two to three campaigns using the same bank account before switching to a new one, demonstrating operational security awareness and methodical approach to avoiding detection. Messages often contain specific instructions for victims to reply with proof of payment or authorization for future automatic payments, creating multiple opportunities for financial theft. The fraudulent communications often employ authentic-looking letterheads and official terminology such as “Relevé d’Identité Bancaire” (bank account identity statement) to enhance credibility. The campaign primarily focuses on French-speaking victims in France and occasionally Canada, exploiting the anxiety associated with potential missed rent payments to manipulate targets into immediate action without proper verification. In a sophisticated business email compromise (BEC) scheme, cybercriminals are targeting tenants with fraudulent requests to redirect rent payments to attacker-controlled bank accounts. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. These messages inform recipients that the property management company’s banking details have changed and provide new account information for future payments. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Proofpoint researchers identified this threat actor, designated as TA2900, through analysis of over 50 campaigns utilizing nearly two dozen different IBAN numbers. The attacks follow a consistent pattern where victims receive official-looking communications claiming their rental payment has not been processed. The attackers trigger emotional responses by suggesting tenants’ housing could be at risk, creating urgency that bypasses rational verification processes. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. The attackers leverage compromised mailboxes belonging to educational institutions to distribute their campaigns, providing an additional layer of perceived legitimacy.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 01 May 2025 12:20:05 +0000