Business Email Compromise: Spam to misdirected payments.

One of my domains that I used for consulting received a bunch of spam this weekend. It wasn’t targeted at all but it’s easy to see how people fall for it.

The first e-mail was a “confirm your credentials” type phish; the site led to a hosted page that took the e-mail address as a parameter to populate the page, so it would show your e-mail address to make it a bit more believable. It was hosted on a compromised domain. It might look quite realistic if you aren’t IT savvy, but the domain wasn’t particularly sneaky to someone with a bit of experience.

The second e-mail was an “email access will be deactivated” type e-mail; the site was hosted on Google Firebase Storage.

This wasn’t particularly smart but it looked realistic-ish: the URL had mentions of Microsoft-like services and the login page looked very much like an O365 login page. It didn’t show a phishing warning; people would easily fall for it.

The last attempt was a little more interesting. It was a keylogger sent in a zip. When extracted, the exe had an icon of a PDF and was named “URGENT: INVOICE <DESC> <date>.pdf.exe”. This isn’t new but how it progressed was – it wasn’t someone just after my Netflix password.

I stood up my sandbox and let the ‘invoice’ work. I captured it sending traffic over port 587 in cleartext; the credentials were base64 encoded. To my horror it was sending my saved passwords from my browser. Luckily the sandbox only had my router credentials saved in my browser and it was the default password. The tool did the standard kind of crypted malware thing… it waited, prompted an error, appeared to have stopped Windows Defender, added something to startup and ran in the background as something that looked half legit, in this case WSUSS.EXE (like Windows Update). Looking at the format of the e-mail, it appeared to be a variant of Origin keylogger – but they’re likely all pretty similar.

Spammers don’t have great opsec.

Things got a little more interesting when I checked the SMTP conversation. When sending these details in cleartext, they are giving you credentials to the sender e-mail account. Sometimes these are compromised accounts acting as a forwarder to an external account, sometimes they’re on a domain purchased by the spammer but sending to another mailbox, but in this case the sender e-mail was also the recipient e-mail. With a bit of guesswork against the domain I found the webmail panel and could log in.

An example which was similar to what was seen.

This spammer had tested the crypted ‘tool’ on their own server/laptop, so the captured info was being sent back to this same mailbox that I had access to; this gave me some insight into exactly what he was doing. He was kind enough to capture the keylogging and screenshots to build the full picture.

This spammer left his Instagram, Facebook and other identifiable details available in his logs inbox. I’ve tried to send this to the Enugu police in Nigeria where I think he’s located but I doubt a lot will happen from it. I also contacted the businesses I found to be compromised in the Yandex account.

This was his process:

  • He bought a spam list from a site that sells “leads” with a perceived anonymous currency that isn’t crypto.
  • He purchased a domain and an e-mail service from a provider that only accepts cryptocurrency; let’s call the purchased domain “badboy.com”.
  • He bought an RDP for SMTP from the site where he purchased the “leads”; the mail server was set up with DKIM – this guaranteed it’d hit the inbox of most providers for a while, particularly if he avoided Hotmail and GMail recipients.
  • He downloaded a cracked version of a spam tool on the RDP he purchased and set up the spam tool.
  • He configured the keylogger to his logs@badboy.com domain; the sender and recipient were the same.
  • He tried to use an online crypter service but this failed to make it “FUD” (fully undetectable).
  • He went and purchased another crypter and crypted his binary. I guess this was FUD or had better results.
  • He sent this out as an attachment with an e-mail titled “URGENT: INVOICE <DESC> <date>” to his “leads” list.
  • Once results filtered in, he would log in to their inbox and forward all the mail received to a Yandex account.
  • At some point he had purchased another domain that was very similar to the compromised business; it had a typo in the domain name (qroup vs group) and he used this to reply to the customers to try to get them to pay by bank transfer to a BOA account in America. A case of business e-mail compromise.
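
The lookalike domain in the last step (qroup vs group) is something a mail filter on the receiving side can check for. The following is an added example, not code from the original post: it flags sender domains that sit within one edit of a trusted domain after confusable characters are folded together. The trusted domain `examplegroup.com`, the confusable table and the sample addresses are constructed assumptions.

```python
# Added example (not from the original post). PROTECTED is a constructed
# stand-in for the domains you and your suppliers really send mail from.
PROTECTED = {"examplegroup.com"}

# Characters often swapped for a look-alike (assumed, non-exhaustive table).
# The q -> g entry mirrors the "qroup vs group" typo described in the post.
CONFUSABLE = str.maketrans({"q": "g", "0": "o", "1": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold visually confusable characters into one canonical form."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip(" <>.").lower()


def classify(address: str, protected=PROTECTED, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike:<real domain>' or 'unknown'."""
    domain = sender_domain(address)
    if domain in protected:
        return "trusted"
    for real in sorted(protected):
        # Distance 0 after folding means the names differ only by look-alikes.
        if edit_distance(skeleton(domain), skeleton(real)) <= max_distance:
            return f"lookalike:{real}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("pay@examplegroup.com", "Accounts <pay@exampleqroup.com>",
                   "pay@examplegroups.com", "info@unrelated.org"):
        print(f"{sender:35} {classify(sender)}")
```

A `lookalike` result on a message that mentions payment or changed bank details is a reasonable trigger for quarantine or an out-of-band confirmation with the real supplier.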

BEC is a big deal in countries where law enforcement can be bought. With a small upfront cost to set up, some basic IT ability and persistence, the return can be massive.