Case study type: Blackpanda IR-1 Activation

Fake CEO Phishing Message Unravels Hong Kong Charity's Hidden Cyber Risks

PUBLISHED: March 6, 2026

A convincing CEO impersonation led to gift card fraud at a Hong Kong charity. Blackpanda's investigation confirmed the scam — and uncovered malware on an abandoned website, a subdomain vulnerable to hijacking, leaked staff credentials on criminal marketplaces, and a suspicious foreign login that no one at the organisation knew about.

Key facts

Organisation
Hong Kong Charity Organisation (anonymised)
Threat
Business Email Compromise (BEC) — CEO impersonation
Initial access
External email accounts impersonating the CEO; no internal account compromise confirmed
Impact
Gift card fraud; four additional latent vulnerabilities discovered during investigation
Core issue
Social engineering via leaked personal credentials and public professional profiles, compounded by unmonitored legacy infrastructure and missing MFA

What this case shows

  • A convincing CEO impersonation needs only a name, a job title, and a leaked personal email address.
  • Decommissioned systems left running are live attack surface — even if no one at your organisation is using them.
  • Staff credentials circulating on the dark web can fuel targeted attacks months or years after the original breach.
  • MFA on every account is the single fastest way to reduce account takeover risk, and it costs nothing to enable.

Need help responding to phishing or BEC attacks? Explore emergency incident response and Attack Surface Readiness (ASR).

Summary

A Hong Kong charity was targeted by attackers impersonating its CEO. One staff member was deceived into purchasing gift cards. When Blackpanda investigated, the real story turned out to be much larger than a single scam.

In May 2025, four employees received emails from an attacker posing as the organisation's CEO — a classic Business Email Compromise (BEC) attack. One staff member was successfully deceived and sent gift card codes before growing suspicious. Blackpanda was engaged to investigate, confirmed the fraud, and established that no internal accounts had been compromised as a direct result of the attack.

But the investigation didn't stop there. Using Attack Surface Readiness (ASR) scanning and dark web monitoring, Blackpanda uncovered four additional risks the organisation had no visibility over: a decommissioned website actively infected with malware, an abandoned subdomain vulnerable to hijacking, multiple staff credentials circulating in criminal marketplaces, and a suspicious foreign account login. None of these were introduced by the phishing attack — they had accumulated silently over time.

CHALLENGE

An attacker pretended to be the CEO of a Hong Kong charity and tricked a staff member into buying gift cards worth several hundred dollars. When Blackpanda investigated, they discovered the charity also had an old website still online and infected with malware, a subdomain an attacker could take over, and staff passwords available for attackers to buy — all hidden problems the organisation didn't know existed.

A Hong Kong charity with a small, lean team relied on a handful of staff to manage both its programmes and its day-to-day operations, including IT. Like many non-profit organisations, it had no dedicated security function and no formal process for monitoring its digital footprint. Cybersecurity was not top of mind — until a staff member received an unusual email.

In May 2025, four employees received emails purportedly from the organisation's CEO. The emails were sent from external consumer email addresses — not from the organisation's official domain — but were written with authority and urgency, requesting that recipients purchase digital gift cards for an internal bonus distribution. This is a well-documented form of fraud known as Business Email Compromise (BEC) — specifically, CEO impersonation: a technique in which attackers pose as a senior figure inside an organisation to pressure employees into financial action before they have time to question the request.

One staff member was successfully deceived. The conversation moved from her work email to her personal account, and she purchased multiple gift cards, sharing the codes with the attacker. The attacker then demanded a much larger amount. When she requested reimbursement before proceeding, the attacker refused — and that refusal raised her suspicions. She stopped, and reported the incident. Three other employees had received the same approach but had not acted on it.
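The impersonation described above rests on three observable signals: a senior person's name in the display name, a sender address outside the organisation's domain, and pressure wording. The following triage script, added here as an illustration and not Blackpanda's tooling, checks those signals against two constructed messages; the organisation domain, the executive roster and both messages are assumptions, and real mail would be read from the mailbox or an .eml export.

```python
"""Flag CEO-impersonation emails by display name, sender domain and wording.

Added example for this case study, not Blackpanda's tooling. The organisation
domain, executive roster and both messages are constructed; real mail would
be read from the mailbox or an .eml export.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.org.hk"                          # assumed domain
EXECUTIVES = {"jane doe": "jane.doe@example-charity.org.hk"}    # assumed roster
PRESSURE_PHRASES = ("gift card", "urgent", "quick favour",
                    "are you at your desk", "keep this confidential")

# Constructed messages in RFC 5322 form; not evidence from the case.
IMPERSONATION = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: staff@example-charity.org.hk
Subject: Quick favour
Reply-To: jane.doe.ceo@gmail.com

Are you at your desk? I need you to buy some gift cards for the team bonus.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-charity.org.hk>
To: staff@example-charity.org.hk
Subject: Board papers

Attached are the papers for Thursday.
"""


def analyse(raw_message):
    """Return a list of reasons the message looks like CEO impersonation.

    An empty list means none of the checks fired; it is not proof the
    message is genuine, so treat this as a triage aid, not a verdict.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []

    # 1. A known executive's name on an address that is not that executive's.
    roster_addr = EXECUTIVES.get(name.strip().lower())
    if roster_addr and addr != roster_addr:
        reasons.append(f"display name '{name}' matches an executive "
                       f"but the address is {addr}")

    # 2. Mail claiming to be internal but sent from outside the domain.
    if domain != ORG_DOMAIN:
        reasons.append(f"sender domain {domain} is external")

    # 3. Replies silently routed elsewhere.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From")

    # 4. Urgency and gift-card wording typical of this fraud.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        reasons.append("pressure wording: " + ", ".join(hits))
    return reasons


def is_likely_impersonation(raw_message):
    """True when the name/address mismatch and the external domain both fire."""
    reasons = analyse(raw_message)
    return any(r.startswith("display name") for r in reasons) and \
        any(r.startswith("sender domain") for r in reasons)


if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION), ("legitimate", LEGITIMATE)):
        print(label, analyse(raw))
```

The display-name check is the one that matters most in this case: the attacker never needed a compromised account, only a free consumer mailbox and the CEO's name, which is exactly what the first check catches. A mail gateway rule on the same condition (executive name in the display name, sender outside the domain) would have tagged all four messages before anyone read them.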

The organisation knew it had been scammed. What it did not know was that this incident was only the most visible layer of a much broader set of vulnerabilities that had accumulated silently over time — in systems no one was actively watching.

SOLUTION

Blackpanda confirmed the scam, checked whether any accounts had been broken into, and then systematically scanned everything the organisation had connected to the internet — including old websites and forgotten subdomains. They also searched criminal marketplaces to see whether staff passwords were being sold. What they found went well beyond the original phishing attack.

  1. Confirmed the BEC Attack and Scoped the Phishing Campaign
    Blackpanda reviewed the phishing emails, traced the external sender addresses, and confirmed the incident as a Business Email Compromise (BEC) attack. The full scope of targeted employees was established, and the attack methodology — CEO impersonation via external consumer email accounts — was documented.
  2. Investigated Google Workspace for Account Compromise
    Blackpanda audited the organisation's Google Workspace environment — the platform used for email, documents, and collaboration — to determine whether any accounts had been accessed without authorisation. No evidence of account compromise was found as a result of the phishing attack. However, the audit surfaced a suspicious login to one account originating from a foreign country, with no clear business justification — flagged for further review. The investigation also confirmed that Multi-Factor Authentication (MFA) — the security feature requiring a second verification step before login — was not enforced across all staff accounts, leaving accounts protected by passwords alone.
  3. Performed Attack Surface Readiness (ASR) Scanning
    Using Attack Surface Readiness (ASR) — a systematic process of mapping every internet-facing system associated with an organisation — Blackpanda identified two significant risks in the organisation's web infrastructure that had gone undetected. The first was a decommissioned website the organisation had stopped using after migrating to a new platform. The old server was still live and publicly accessible, and had been infected with NDSW malware, a JavaScript injection planted in website files that silently redirects visitors to attacker-controlled sites or runs attacker code in their browsers. The server was also running severely outdated software with a known critical vulnerability that would allow an attacker to execute commands on it remotely, and SMB (port 445) was exposed to the public internet. The second was an abandoned subdomain (a separately addressed part of the organisation's web presence) whose DNS record still pointed to an external platform the organisation no longer used. Because the resource it pointed to had been released on that platform, anyone could claim it and serve their own content at a web address that appeared to belong to the organisation (a subdomain takeover), and use it to host malicious content or deceive visitors.
  4. Conducted Dark Web Monitoring
    Blackpanda searched criminal marketplaces and databases — collectively known as the dark web — for credentials associated with the organisation's domain and staff. Multiple sets of usernames and passwords belonging to current and former staff were found circulating in these marketplaces. One credential set was traced to evidence of infostealer malware activity — a category of malicious software that silently harvests saved passwords and browser data from infected devices — on a former employee's device, raising questions about whether that device had been properly decommissioned when the employee left.
  5. Traced How the Attacker Targeted the Victim
    Blackpanda's dark web investigation revealed that the personal email address of the successfully deceived staff member had been exposed in prior data breaches, and was publicly linkable to her professional identity through her online profile. This gave the attacker the intelligence needed to craft a targeted, convincing impersonation — combining leaked personal data with public professional information to identify and approach a specific individual, rather than sending generic phishing emails at random.

RESULTS

The scam was confirmed and stopped. No accounts were found to have been broken into. But Blackpanda's investigation found four additional problems the organisation didn't know about — any one of which could have been exploited for a far more serious attack.

  1. BEC Fraud Confirmed; No Account Compromise Found
    The CEO impersonation attack was confirmed as a Business Email Compromise (BEC) fraud. Blackpanda established that no internal accounts were accessed or compromised as a direct result of the phishing attack — the attacker relied entirely on social engineering, not technical intrusion.
  2. Decommissioned Website Found Infected with Live Malware
    The organisation's abandoned website was confirmed to be actively infected with NDSW malware and exposed to critical vulnerabilities. Any visitor to the old site during this period could have been silently redirected to a malicious page or had attacker-controlled code executed in their browser. Blackpanda recommended taking the server fully offline and removing all content immediately.
  3. Abandoned Subdomain Identified as Hijackable
    A dormant subdomain was identified as vulnerable to takeover. Because the external platform it pointed to was no longer active, any attacker could register that space and use a legitimate-looking address to deceive the organisation's contacts or staff. Removing the DNS record — a quick administrative action — was recommended to eliminate the risk entirely.
  4. Staff Credentials Found on the Dark Web
    Multiple credential sets belonging to current and former staff were confirmed to be circulating in criminal marketplaces. Evidence of infostealer malware activity on a former employee's device was identified, raising the likelihood that those credentials were actively harvested rather than exposed through a third-party breach. Full decommissioning of the former employee's device and revocation of all associated credentials was recommended.
  5. Suspicious Login and MFA Gap Identified in Google Workspace
    A login to one staff account from a foreign country with no business justification was flagged for investigation. Separately, the absence of enforced Multi-Factor Authentication (MFA) across all accounts was identified as a critical gap: without MFA, any of the stolen credentials found on the dark web that were still valid, or reused on a work account, would be sufficient to access that account directly.
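Step 2 of the investigation and result 5 above both come down to two questions a Workspace administrator can answer from exported data: which active accounts have no second factor, and which successful logins came from somewhere the organisation does not operate. The script below, added here as an illustration and not Blackpanda's tooling, answers both. USERS_JSON and LOGINS_JSON are constructed in the shape of the Admin SDK Directory API (users.list) and Reports API (activities.list for the login application) responses; the Reports API gives an IP address rather than a country, so the GEO table is a stand-in for a GeoIP lookup and, like the expected-country set, is an assumption.

```python
"""Triage a Google Workspace export for foreign logins and MFA gaps.

Added example for the Workspace audit described in this case; it is not
Blackpanda's tooling. USERS_JSON and LOGINS_JSON are constructed in the shape
of Admin SDK Directory API (users.list) and Reports API (activities.list for
the 'login' application) responses. The Reports API gives an IP address, not
a country, so GEO stands in for a GeoIP lookup and is an assumption.
"""
import json

EXPECTED_COUNTRIES = {"HK"}   # assumption: staff only sign in from Hong Kong

USERS_JSON = json.dumps({"users": [
    {"primaryEmail": "alice@example-charity.org.hk",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example-charity.org.hk",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example-charity.org.hk",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
]})

LOGINS_JSON = json.dumps({"items": [
    {"id": {"time": "2025-05-02T01:12:09.000Z"},
     "actor": {"email": "alice@example-charity.org.hk"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "login", "name": "login_success", "parameters": [
         {"name": "login_type", "value": "google_password"},
         {"name": "is_suspicious", "boolValue": False}]}]},
    {"id": {"time": "2025-05-03T22:47:51.000Z"},
     "actor": {"email": "bob@example-charity.org.hk"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_success", "parameters": [
         {"name": "login_type", "value": "google_password"},
         {"name": "is_suspicious", "boolValue": False}]}]},
    {"id": {"time": "2025-05-04T09:03:00.000Z"},
     "actor": {"email": "carol@example-charity.org.hk"}, "ipAddress": "203.0.113.25",
     "events": [{"type": "login", "name": "login_failure", "parameters": [
         {"name": "login_type", "value": "google_password"}]}]},
]})

# Constructed GeoIP stand-in; "XX" marks a country outside the expected set.
GEO = {"203.0.113.10": "HK", "203.0.113.25": "HK", "198.51.100.7": "XX"}


def param(event, name):
    """Fetch one named parameter from a Reports API event (value or boolValue)."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("boolValue", p.get("value"))
    return None


def audit(users_json, logins_json, geo=GEO, expected=EXPECTED_COUNTRIES):
    """Return (kind, account, detail) findings.

    Kinds: mfa_gap (2SV not enrolled on an active account), foreign_login
    (successful login from outside the expected countries), suspicious_login
    (Google itself flagged it), password_only_login (a password-only login on
    an account with no second factor, which is what leaked credentials enable).
    """
    users = {u["primaryEmail"]: u for u in json.loads(users_json)["users"]}
    findings = []
    for u in users.values():
        if not u.get("suspended") and not u.get("isEnrolledIn2Sv"):
            findings.append(("mfa_gap", u["primaryEmail"],
                             "2-Step Verification not enrolled"))
    for item in json.loads(logins_json)["items"]:
        actor = item["actor"]["email"]
        ip = item.get("ipAddress", "")
        country = geo.get(ip, "unknown")
        when = item["id"]["time"]
        for ev in item["events"]:
            if ev["name"] != "login_success":
                continue
            if country not in expected:
                findings.append(("foreign_login", actor, f"{ip} ({country}) at {when}"))
            if param(ev, "is_suspicious") is True:
                findings.append(("suspicious_login", actor, f"{ip} at {when}"))
            if param(ev, "login_type") == "google_password" and \
                    not users.get(actor, {}).get("isEnrolledIn2Sv"):
                findings.append(("password_only_login", actor, f"{ip} at {when}"))
    return findings


if __name__ == "__main__":
    for kind, account, detail in audit(USERS_JSON, LOGINS_JSON):
        print(f"{kind:20} {account:35} {detail}")
```

The password_only_login finding is the link between results 4 and 5: an account that is reachable with a password alone is the account a dark-web credential set can open. Enforcing 2-Step Verification at the organisational unit level closes that path for every account at once; checking the isEnforcedIn2Sv flag afterwards confirms the policy actually applied.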

Why this matters for your organisation

This case shows that a relatively modest incident — a gift card scam — can be the visible tip of a much larger problem. The organisation had accumulated unmonitored digital risk: forgotten systems, unused addresses, and leaked credentials. None of these vulnerabilities announced themselves. They required active investigation to surface. For any organisation with a lean IT function and no dedicated security monitoring, the same hidden risks are likely already present. The question is not whether they exist — it is whether you know about them before an attacker does.

Frequently Asked Questions

What is a BEC attack, and how do attackers choose their targets?

A Business Email Compromise (BEC) attack is a form of fraud where an attacker impersonates a trusted figure — typically a CEO, senior manager, or vendor — to trick an employee into sending money or sensitive information. Targets are chosen using a combination of publicly available professional information (company websites, LinkedIn) and leaked personal data from prior breaches. The attacker in this case used a staff member's leaked personal email, combined with her public professional profile, to build a targeted and convincing approach.

My organisation uses Google Workspace. Are we at risk of the same kind of attack?

Any organisation using cloud-based email and collaboration tools can be targeted by BEC attacks — the platform itself is not the vulnerability. What matters most is whether Multi-Factor Authentication (MFA) is enforced on all accounts, whether staff are trained to recognise and report suspicious requests, and whether there is a clear verification process for financial or sensitive actions. The MFA Bypass Attack at a Singapore IT Services Firm and Google Workspace hijacking case are relevant examples of how these risks manifest.

What is a subdomain takeover and why does it matter?

A subdomain takeover occurs when an organisation leaves a web address pointing to an external service or platform that is no longer active. If that external space becomes available for re-registration, an attacker can claim it — meaning a URL that looks like it belongs to the organisation actually serves content controlled by an attacker. It can be used to phish customers, staff, or partners, or to host malware. The fix is simple: remove the DNS record pointing to the defunct external service.
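The check behind the subdomain finding in this case is mechanical: list every CNAME in the zone, follow it to its final target, and ask whether that target still resolves. The script below is added here as an illustration and is not Blackpanda's tooling; ZONE is a constructed BIND-style export for an assumed domain, and the stub resolver stands in for live DNS so the example runs offline (live_resolve does the real lookup when you point it at your own zone).

```python
"""Find CNAME records that point at external names which no longer resolve.

Added example, not part of the case study. ZONE is a constructed BIND-style
export for an assumed domain; stub_resolve stands in for live DNS so the
example runs offline. Pass live_resolve to check a real zone export.
"""
import socket

ORIGIN = "example-charity.org.hk"          # assumed domain

ZONE = """\
; constructed zone export, not the charity's real records
www       300 IN CNAME  sites.new-platform.example.
events    300 IN CNAME  charity-events.legacy-saas.example.
donate    300 IN A      203.0.113.40
blog      300 IN CNAME  www
"""

# Constructed: which external names public DNS still answers for.
RESOLVES = {
    "sites.new-platform.example": True,
    "charity-events.legacy-saas.example": False,   # released by the old SaaS
}


def stub_resolve(name):
    """Offline stand-in for DNS: True if the name has an address, else False."""
    return RESOLVES.get(name, False)


def live_resolve(name):
    """Real lookup for use against your own zone; NXDOMAIN comes back as False."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def parse_zone(text, origin):
    """Parse 'owner ttl class type target' lines into {fqdn: (type, target)}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, target = line.split()
        if not owner.endswith("."):
            owner = f"{owner}.{origin}."
        if rtype == "CNAME" and not target.endswith("."):
            target = f"{target}.{origin}."        # relative in-zone target
        records[owner.rstrip(".")] = (rtype, target.rstrip("."))
    return records


def dangling(records, resolve, max_depth=8):
    """Return (owner, final target) for CNAMEs whose end point no longer resolves.

    In-zone chains (blog -> www -> external) are followed inside the export;
    the first out-of-zone name is checked with the resolver. A name that does
    not resolve is a takeover candidate, not a confirmed takeover: whether an
    attacker can claim it depends on the external provider.
    """
    out = []
    for owner, (rtype, target) in records.items():
        if rtype != "CNAME":
            continue
        name = target
        for _ in range(max_depth):
            if name in records:
                if records[name][0] == "CNAME":
                    name = records[name][1]
                    continue
                break                              # ends on an in-zone A record
            if not resolve(name):
                out.append((owner, name))
            break
    return out


if __name__ == "__main__":
    for owner, target in dangling(parse_zone(ZONE, ORIGIN), stub_resolve):
        print(f"{owner} -> {target}: target does not resolve, review or delete")
```

Run against a real export, the output is a review list rather than a verdict: some providers hand a released name to the next customer who asks for it, others do not, and only the provider's sign-up flow tells you which. Either way the remediation in this case applies: delete the record, or re-claim the external resource yourself if the subdomain is still needed.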

We decommissioned an old website years ago. Could it still be a risk?

Yes. A decommissioned website that was not taken fully offline remains accessible to anyone on the internet, including attackers. Outdated servers typically run unpatched software with known vulnerabilities, making them easier to compromise than actively maintained systems. The ClickFix WordPress compromise case is another example of how attackers exploit abandoned web infrastructure.
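Before the old server is taken offline, the site files are worth a quick sweep so the same injection is not carried across to the new platform in a copied theme or plugin. The scanner below is added here as an illustration and is not Blackpanda's tooling. Its single marker is the opening guard of the injected loader as reported in public analyses of the NDSW/NDSX campaign; the campaign rotates its code, so this is a starting point rather than a complete signature, and the sample files it scans are constructed.

```python
"""Scan a web root for the NDSW JavaScript injection described in this case.

Added example, not Blackpanda's tooling. The marker is the opening guard of
the injected loader as reported in public analyses of the NDSW/NDSX campaign;
the campaign changes its code over time, so a clean result from this one
pattern is not a clean bill of health. The sample files are constructed.
"""
import os
import re
import tempfile

# Assumption: one widely reported marker; extend the list as variants appear.
MARKERS = [re.compile(r"ndsw\s*===\s*undefined")]
SCAN_EXTENSIONS = {".js", ".html", ".htm", ".php"}

# Constructed content. Only the opening guard of the injection is reproduced;
# the loader body that follows in real infections is deliberately omitted.
CLEAN_JS = "document.addEventListener('DOMContentLoaded', init);\n"
INJECTED_JS = (CLEAN_JS +
               ";if(ndsw===undefined){/* constructed stand-in for the loader */}\n")


def scan_text(text):
    """Return 1-based line numbers on which any marker appears."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if any(m.search(line) for m in MARKERS)]


def scan_webroot(root):
    """Walk a directory tree and return (relative path, line numbers) per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            # Injected files are often minified libraries; decode leniently.
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = scan_text(fh.read())
            if lines:
                hits.append((os.path.relpath(path, root), lines))
    return sorted(hits)


def demo():
    """Build a throwaway web root from the constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, "assets", "app.js"), "w") as fh:
            fh.write(CLEAN_JS)
        with open(os.path.join(root, "assets", "jquery.min.js"), "w") as fh:
            fh.write(INJECTED_JS)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<script src='assets/jquery.min.js'></script>\n")
        return scan_webroot(root)


if __name__ == "__main__":
    for path, lines in demo():
        print(f"{path}: marker on line(s) {lines}")
```

A hit in a vendored library such as jquery.min.js is the typical pattern, because the injector appends to every .js file it can write. Cleaning the files in place is not the fix for a decommissioned server: the outdated software and exposed SMB service remain, so the recommendation in this case, take it offline and remove the content, stands regardless of what the scan finds.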

How can my organisation find out if staff credentials are on the dark web?

Dark Web Monitoring, as part of Blackpanda's Attack Surface Readiness (ASR) service, continuously scans criminal marketplaces and databases for credentials associated with your organisation's domain. It is included as part of IR-1 and provides early warning before leaked credentials are used in an attack.

What This Means for Your Organisation

CEO impersonation and BEC attacks are not targeted exclusively at large enterprises. They are disproportionately effective against organisations where staff wear multiple hats, where there is no dedicated security function, and where the culture of trust — a genuine organisational strength — can be exploited. Charities, non-profits, schools, and small businesses across Asia are regularly targeted precisely because they are often less defended, not because they are less valuable as targets.

The deeper lesson from this case is about visibility. The malware on the old server, the hijackable subdomain, the credentials on the dark web — none of these were introduced by the phishing attack. They had accumulated independently, over time, without anyone noticing. This is the normal state of digital infrastructure for any organisation that has grown organically: systems get stood up and forgotten, employees join and leave, third-party tools are trialled and abandoned. Each of these events leaves a trace. And traces accumulate into an attack surface that no one has mapped.

If your organisation has been running for more than a few years, has had staff turnover, has changed web platforms, or has used and discontinued any cloud-based tools, it is almost certain that some version of these same risks exists in your environment. Attack Surface Readiness (ASR) and dark web monitoring exist specifically to surface these risks before an attacker finds them first — and both are included in Blackpanda IR-1, the fixed-cost incident response subscription built for organisations of exactly this size and profile.

About Blackpanda

Blackpanda is a Lloyd's of London–accredited insurance coverholder and Asia's leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.

Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.