NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

SecurityVendor

Key findings 

Request for Quote scammers are using vendor supplied financing to steal physical goods. 
They utilize email and legitimate online quote request forms to reach potential victims.  
Sophistication varies between threat actors, but the core scam remains the same. 
These actors use a network of shipping forwarding services, standalone warehouses, and individual money mules to enable their crimes.  

Overview 

In this report, Proofpoint threat researchers take a deep dive into a widespread Request for Quote (RFQ) scam that leverages common Net financing options (Net 15, 30, 45) to steal a variety of high-value electronics and goods. Net financing terms of 15 to 90 days are the most common payment terms used by businesses.

RFQ scams are a diverse category of business-oriented fraud and among the top five most frequently observed social engineering themes used by fraud actors. In RFQ campaigns, the actor reaches out to a business to ask for quotes for various products or services. The quotes they receive can be used to make very convincing lures to send malware, phishing links, and even additional business email compromise (BEC) and social engineering fraud.  
 
They can also be used as an excuse to open a line of Net 15/30/45 credit with a business to take delivery of a variety of high-value goods based on the promise they will pay the balance due in the allotted time frame. As part of their financing requests, the threat actors typically list popular brands and equipment related to technology and business processes. The brands and products involved are not leveraged maliciously, but rather as part of the fraud, with the requested goods to be stolen and sold. 

To better understand how this scam works, Proofpoint threat researchers identified numerous activity clusters conducting Net RFQ fraud and engaged with them directly by posing as suppliers with lax finance departments to gain a better understanding of the post-interaction attack chain.  

Anatomy of the scam 

Net RFQ scams usually start with fraudsters posing as procurement agents for real companies, often using stolen or publicly available information such as Employer Identification Numbers (EINs), Data Universal Numbering System (DUNS) numbers, business addresses, and the stolen identities of real employees. They create convincing-looking email signatures, sometimes even replicating corporate branding.

Proofpoint researchers have observed Net RFQ lures impersonating a wide range of corporations, colleges, and small to mid-sized city governments, but the actors tend to favor specialized industries because of the highly specific orders they place.

For example, in the following screenshot the threat actor is impersonating a university and requesting a quote for networking equipment.  

Fraudster impersonating a university. 

While many threat actors send these quote requests from a free email account, others will use a lookalike domain—capitalizing on a trusted brand’s reputation to make their messages appear legitimate and increase the chances that recipients will open the email and comply with their fraudulent requests. 

The body text in the lures typically contains a list of highly specific items (see example below). Items most frequently observed are Fluke brand testing equipment, various brands of hard drives, surveillance cameras, Wi-Fi equipment, and all manner of medical devices. These items, while specific, are often in demand in rapidly developing countries. 

Example item list. 

The final component differentiating Net RFQ from other RFQ scam types is an inquiry about obtaining Net 15/30/45-day financing. When an actor gets a response from their target, they send all the information needed to process the net financing request. This typically includes the legal business name and DBA (doing business as), the Employer Identification Number (EIN), and a DUNS number. Supporting documents such as articles of incorporation and a business license (if required) are included. The scammers are usually keen to get the shipment started as soon as possible; multiple threat actors Proofpoint researchers interacted with offered to reduce the size of the order to speed up the approval process.

Items requested by the threat actor during an engagement, related to popular brands of equipment. 

Credit application using stolen information. 

Threat actor asking for partial shipment. 

The check is in the mail 

Once the target has approved the credit terms, a shipping address is typically provided. The threat actor may include this information in their initial request to speed up the process, but for operational security they usually hold off until they know the goods are going to be shipped. The delay may also be needed to schedule a mule (an intermediary who moves goods or money from one location to another) who will take delivery of the goods at a residential address.

Engagements with multiple threat actors have provided insight into what kinds of shipping services are utilized by these groups. The most frequently used companies appear to be shipping forwarding services that specialize in sending goods to West African countries like Nigeria and Ghana. It should be noted that these businesses likely have no knowledge of the illegal nature of the cargo they are shipping. They are likely just convenient for the threat actors.  

Example freight forward service used by a Net RFQ scammer. 

Proofpoint Threat Research has also observed these fraudsters using residential addresses to take delivery of the stolen goods. While it is difficult to determine with high confidence the association between the addresses and mules in this particular scam, in general, money or goods mules may be voluntarily working with criminals, may be friends or family of the fraudsters who have no idea the activity they are facilitating is malicious, or may be former scam victims themselves looking to pay off a debt. These mules can be found in any country.

Sanitized recreation of a real mule house. 

In addition to freight forwarding services and mules, the actors also rent warehouse spaces. Proofpoint has observed the threat actors attempting to rent 10’x15’ and 15’x20’ warehouses on a month-to-month basis in a variety of locations across the United States.  

Sanitized recreation of a real rented warehouse. 

Disrupting the status quo 

Proofpoint threat researchers have not only tracked and blocked emails associated with these groups but have also taken steps to disrupt their operations, partnering with Proofpoint’s Takedown Team to take down 19 domains associated with this specific activity. We wanted to see how the threat actors would respond to a mitigation action in real time. In one case, while a threat actor was patiently waiting for their credit approval to go through, the Takedown Team collaborated with the registrar to take down the malicious domain, and the threat actor abandoned the conversation entirely. This was the most common reaction, but in some other cases we noted the threat actor quickly spun up a new domain to resume the conversation.

Proofpoint researchers were also able to identify some threat actor-controlled email addresses used to communicate with various shipping carriers in the U.S. We contacted the shipping companies and halted delivery of these packages. This also resulted in other associated deliveries being stopped beyond the ones that we had identified.  

Intercepted fraudulent shipment. 

Intercepted fraudulent shipments.

Ways to spot a Net RFQ 

As this scam continues to proliferate, there are key characteristics that organizations should keep in mind:

Be wary of Net financing requests that convey a heightened sense of urgency.
Always check the delivery address. If it is a freight forwarding service or a residential address, proceed with caution and find alternative methods to validate the identity and authenticity of the individual you’re communicating with.
Always verify the email address and domain name of the company referenced. Search for the company name online: does the company’s domain match the sender’s domain, and is the email address legitimate? Phoning the business directly using a phone number listed on its legitimate website can help establish whether a request is authentic or a scam.
Be wary of free mail accounts purporting to belong to a representative of an established company or institution. This should set off immediate red flags.
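The domain check from the list above, as an added example written for this page and not Proofpoint’s own tooling: it compares a sender domain with the domain assumed to be the impersonated organization’s real one and flags free-mail providers, wrong-TLD twins, bolted-on tokens such as "-gov", "-edu" or "inc", and digit-for-letter swaps like those in the domains listed later in this report. The "legitimate" domains in the sample set are assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Free-mail providers: a "procurement agent" writing from one of these is itself a red flag.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "protonmail.com"}
# Digit-for-letter swaps of the kind seen in this report's domain list (0 for o, 1 for l).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Tokens bolted onto a brand name to make a domain look official; longest first for one-pass stripping.
QUALIFIERS = ("schools", "school", "company", "group", "incs", "inc", "corp", "usa", "gov", "edu")

def registrable_label(domain):
    # Label left of the TLD (naive: no public-suffix list, so 'co.uk'-style suffixes are not handled).
    labels = domain.strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalize(label):
    # Undo homoglyphs, hyphens and trailing qualifiers so 'clemsons-edu-school' scores against 'clemson'.
    label = label.translate(HOMOGLYPHS).replace("-", "")
    for q in QUALIFIERS:
        if label.endswith(q) and len(label) > len(q) + 3:
            label = label[: -len(q)]
    return label.rstrip("s")

def classify_sender(sender_domain, legit_domain):
    # Verdict for one sender domain against the impersonated organization's known domain.
    sender = sender_domain.lower().replace("[.]", ".")  # accept defanged input
    legit = legit_domain.lower()
    if sender == legit or sender.endswith("." + legit):
        return "match"
    if sender in FREE_MAIL:
        return "free-mail"
    s_lab, l_lab = registrable_label(sender), registrable_label(legit)
    if s_lab == l_lab:
        return "lookalike:wrong-tld"
    brand, s_norm = normalize(l_lab), normalize(s_lab)
    if brand in s_norm or SequenceMatcher(None, brand, s_norm).ratio() >= 0.85:
        return "lookalike"
    return "unrelated"

# Constructed sample set: senders from this report's domain list, each paired with the domain
# ASSUMED here to be the impersonated organization's legitimate one.
SAMPLES = [
    ("johnsoncontr0ls[.]com", "johnsoncontrols.com"),
    ("hard1nge[.]com", "hardinge.com"),
    ("cityofchicago-gov[.]org", "chicago.gov"),
    ("clemsons-edu-school[.]com", "clemson.edu"),
    ("gmail.com", "clemson.edu"),
    ("procurement.clemson.edu", "clemson.edu"),
]
def screen_senders(samples=SAMPLES):
    return {sender: classify_sender(sender, legit) for sender, legit in samples}
```

A verdict of "lookalike" or "free-mail" is the trigger for the out-of-band phone check the list recommends; it is a screening aid, not proof of fraud on its own.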

Attack chain walkthrough.  

Malicious domains and outcomes 

Proofpoint’s Takedown Team deployed a two-pronged mitigation strategy to neutralize the threats for the listed domains – first, working with leading blocklist partners to rapidly block the domains on a global scale; then, coordinating full takedowns with key infrastructure providers to effectively mitigate the activity at the time.  

Note: The following list reflects the status of the domains at the time of our investigation. Some may have since been re-registered—potentially by the same actors or by entirely new registrants and registrars.  
