Ministry of Home Affairs
Regulatory and Executive Impersonation for WhatsApp Account Takeover Using Malicious Windows Executables and High-Value Financial Fraud
Posted On:
22 JUN 2026 7:32PM by PIB Ahmedabad
The Indian Cyber Crime Coordination Centre (I4C) has observed an emerging trend in cybercrime referred to as the "Boss Scam" or CEO impersonation fraud. Cybercriminals are targeting high-ranking officials and executives by delivering malicious archives via email or WhatsApp under the guise of urgent regulatory compliance. Once executed, the malware compromises the executive's Windows device and active Web WhatsApp sessions, enabling the fraudsters to message subordinate employees and orchestrate fraudulent financial transfers.
MODUS OPERANDI
- Initial Contact: Sophisticated cybercriminals contact a CEO or other high-ranking official via email or WhatsApp, impersonating regulators such as the Reserve Bank of India (RBI). The communication falsely claims a regulatory violation or mandates an urgent security improvement, demanding a response within a very short timeframe.
- Delivery of the Payload: The message contains a compressed .zip archive. Inside this archive is a malicious executable (.exe) accompanied by a Dynamic Link Library (.dll) file. As seen in multiple cases, the CEO forwards the message to the finance officer.
- Device and Session Takeover: When the executive extracts and executes the file on a Windows desktop or laptop, a Trojan dropper is initiated. The malware establishes a persistent foothold, compromises the system, and hijacks the active Web WhatsApp session tokens.
- Transfer Instruction: Armed with access to the executive's real WhatsApp account, the fraudster contacts accounts or finance employees, instructing them to make immediate payments to specified mule bank accounts.
- Contact Manipulation Variant: In alternative scenarios, if the attacker achieves complete device takeover, they covertly modify the device's contact list, saving a fraudulent, attacker-controlled phone number under the name of the "CEO", and use that secondary number to instruct employees to transfer funds.
Precautions & Safety Recommendations
- Finance departments should not act on any urgent financial transaction or account-change request that arrives solely as a WhatsApp message or email; verify such requests through a direct voice call or in-person confirmation.
- Do not install executables received from unknown or unverified sources. Regulators like the RBI will never distribute mandatory software updates or security fixes via WhatsApp attachments.
- System administrators should enforce strict Software Restriction Policies (SRP) configurations that block the execution of unknown .exe and .dll files originating from user profile directories.
- Regularly audit authorized devices within your mobile WhatsApp application (Settings > Linked Devices) and proactively log out of any Web WhatsApp sessions that are no longer actively monitored.
- Ensure Windows endpoints are equipped with up-to-date solutions that detect malware.
- Report any fraudulent applications or any scam incident immediately on 1930 or www.cybercrime.gov.in.
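The delivery pattern above (a .zip carrying an .exe together with a .dll) is something a mail gateway or endpoint can check for before the archive ever reaches an executive. The following is an added example written for this page, not code from I4C or PIB: it inspects an archive in memory, flags the exe+dll pair, catches a PE file hiding behind a harmless extension by its "MZ" header, and recurses into nested zips. All file names and contents are constructed stubs.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run as native executables; PE files start with "MZ".
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")
PE_MAGIC = b"MZ"


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 2) -> Dict[str, List[str]]:
    """Walk a zip payload and collect executable members (by extension), PE files
    disguised under another extension (by header), and nested zips, which are
    recursed into up to max_depth so a zip-inside-a-zip cannot hide the pair."""
    findings: Dict[str, List[str]] = {"executables": [], "pe_disguised": [], "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(2)          # only the header is needed for the magic check
            if lower.endswith(EXEC_SUFFIXES):
                findings["executables"].append(name)
            elif head == PE_MAGIC:
                findings["pe_disguised"].append(name)   # e.g. "notice.pdf" that is really a PE
            if lower.endswith(".zip") and depth < max_depth:
                findings["nested"].append(name)
                inner = inspect_archive(zf.read(info), depth + 1, max_depth)
                for key in ("executables", "pe_disguised"):
                    findings[key].extend(f"{name}/{m}" for m in inner[key])
    return findings


def classify(findings: Dict[str, List[str]]) -> List[str]:
    """Reasons to block the attachment; an empty list means nothing suspicious."""
    reasons: List[str] = []
    names = [n.lower() for n in findings["executables"]]
    if any(n.endswith(".exe") for n in names) and any(n.endswith(".dll") for n in names):
        reasons.append("exe+dll pair (advisory delivery pattern)")
    elif names:
        reasons.append("executable member")
    if findings["pe_disguised"]:
        reasons.append("PE header under non-executable extension")
    return reasons


def build_sample(members: Dict[str, bytes]) -> bytes:
    """Constructed fixture: an in-memory zip of stub members (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

`classify(inspect_archive(build_sample({"RBI_Compliance.exe": b"MZ\x90", "helper.dll": b"MZ\x90"})))` returns the exe+dll reason, while a zip of plain documents returns an empty list.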
(Release ID: 2276809)