The Ministry of Home Affairs has warned citizens against a new modus operandi being adopted by cybercriminals to defraud: using the names of high-ranking officials. Named the ‘Boss scam’, the scheme has prompted I4C (the Indian Cyber Crime Coordination Centre, MHA) to issue an advisory warning citizens about fraudulent emails and WhatsApp messages that impersonate RBI officials and target CEOs of companies. Through the CEOs, subordinate employees can be compromised to carry out high-value financial frauds. “National Cybercrime Threat Analytics Unit (NCTAU), The Indian Cyber Crime Coordination Centre (I4C) has observed an emerging trend in cybercrime referred to as the “Boss Scam” or CEO impersonation fraud. Cybercriminals are targeting high-ranking officials and executives by delivering malicious archives via email or WhatsApp under the guise of urgent regulatory compliance,” the advisory said. As per I4C, once the email or WhatsApp message is acted upon and the attachment executed, the malware compromises the executive’s Windows device and active Web WhatsApp sessions, enabling the fraudsters to message subordinate employees and orchestrate fraudulent financial transfers.
The MODUS OPERANDI
Initial Contact: Sophisticated cybercriminals contact a CEO or other high-ranking official via email or WhatsApp, impersonating regulators such as the Reserve Bank of India (RBI). The fraudulent communication falsely claims a regulatory violation or mandates an urgent security improvement, demanding a response within a very short timeframe.
Delivery of the Payload: These fraudulent emails or WhatsApp messages usually contain a compressed .zip archive, the I4C advisory warns. Inside this archive is a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. Anecdotal evidence collected by investigators shows that the CEOs usually forward such messages to the finance officer of the company, thereby setting off a chain of compromised systems.
Device and Session Takeover: “When the executive extracts and executes the file on a Windows desktop or laptop, a Trojan dropper is initiated. The malware establishes a persistent foothold, compromises the system, and hijacks the active Web WhatsApp session tokens,” the I4C advisory states.
Transfer Instruction: The real fraud begins at this stage. Once the fraudster is armed with access to the executive’s real WhatsApp account, they contact accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts, I4C officials said.
Contact Manipulation Variant: It has also been observed in some cases that fraudsters, after completing the device takeover, covertly modify the device’s contact list, saving a fraudulent, attacker-controlled phone number under the name of the “CEO”. This secondary number is then used to instruct employees to transfer funds into mule accounts.
I4C in its advisory has asked finance departments of companies to independently verify any request for urgent financial transactions or account changes that arrives solely as a WhatsApp text or email. “Verification through a direct voice call or in-person confirmation may be done,” officials said.
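As an added defensive example, not part of the I4C advisory or this report, the Python script below shows how a mail gateway or analyst could flag the payload pattern described under Delivery of the Payload: a zip archive carrying a Windows executable together with a DLL, identified from the PE headers rather than trusting file extensions. The archive contents, file names and PE headers are constructed sample data.

```python
import io
import struct
import zipfile
from typing import Optional

PE_DLL_FLAG = 0x2000  # IMAGE_FILE_DLL bit in the COFF Characteristics field

def classify_pe(data: bytes) -> Optional[str]:
    """Return 'exe', 'dll' or None from the PE headers, ignoring the file extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    return "dll" if characteristics & PE_DLL_FLAG else "exe"

def inspect_archive(archive: bytes) -> dict:
    """Flag a zip that carries an executable together with a DLL, as in the advisory."""
    found = {"exe": [], "dll": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify_pe(zf.read(info)[:4096])  # headers sit at the start of the file
            if kind:
                found[kind].append(info.filename)
    found["suspicious"] = bool(found["exe"] and found["dll"])
    return found

def fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE-style header for testing; not a runnable program."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                                   PE_DLL_FLAG if is_dll else 0)
    return bytes(dos) + coff

def build_sample_archive() -> bytes:
    """Constructed sample mimicking the advisory's payload: .exe plus .dll in one zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Compliance_Notice.exe", fake_pe(False))
        zf.writestr("support.dll", fake_pe(True))
        zf.writestr("readme.txt", b"constructed sample, please review urgently")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
```

Because the check reads the PE Characteristics flag, a DLL renamed to a harmless-looking extension is still counted, which a name-based attachment filter would miss.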