Hackers pose as Bloomberg employees in email scam

The emails politely ask users in fluent English to enable Microsoft Excel features that allow the code to execute.
The streets of Najaf, a city in south-central Iraq, are pictured in March 2020. A new hacking campaign is dubbed "Fajan," or Najaf spelled backwards, after a malicious computer script used in the activity. (Photo by HAIDAR HAMDANI/AFP via Getty Images)

Hackers are impersonating Bloomberg employees in an attempt to install remote access software on target computers, researchers said Wednesday.

The ruse seeks to capitalize on the influence of Bloomberg Industry Group (formally known as Bloomberg BNA), whose analysis major corporations use to track markets, according to Cisco Talos, which discovered the activity. The perpetrator is sending fake Bloomberg invoices that are laced with a “remote access trojan” tools that could be used to surveil computer networks or steal data.

The goal of the malicious email campaigns, and exactly who was targeted, remain unclear. But the perpetrator has clearly gone beyond the bumbling phishing emails in broken English that typically give other scammers away.

It’s a clever piece of social engineering from a cyber actor that has apparently only been active for a year, but which has looked for economical ways into victim networks. One of the tools used, called NanoCore, is available for purchase on underground forums for just $20.


The emails seen by Cisco Talos politely ask users in fluent English to enable Microsoft Excel features which allow for the execution of malicious code. One email, for instance, lists a New York City phone number that recipients can call for “customer service.” When CyberScoop dialed the number, an automated voice read a different phone number and said that the voicemail inbox was full.

Vanja Svajcer, technical leader at Cisco Talos, said the malicious emails have come at around monthly intervals over the last year.

“The level of sophistication does not require a big group to execute [the scam],” he said.

Svajcer and his colleagues said they had “moderate confidence” that the operators of the malware were Arabic speakers. One clue suggested targets for the campaigns could be in North Africa and the Middle East: Attackers used a file-sharing site popular in Algeria, Egypt and Yemen to deliver the malicious code to victims.

The researchers call the malicious email campaigns “Fajan,” a reverse spelling of the Iraqi city of Najaf, which is referenced in the malicious code. 


Email security firm Proofpoint in December 2019 revealed another NanoCore phishing campaign aimed at manufacturers in Germany, among others.

Bloomberg Industry Group did not respond to a request for comment by press time on the research.   

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts