Email Compromise Autopsy


From Wikipedia:

An autopsy (post-mortem examination) is a surgical procedure that consists of a thorough examination of a corpse by dissection to determine the cause, mode, and manner of death or evaluate any disease or injury present for research or educational purposes.

As we move into the year 2021, email compromises continue to be a major concern to all. A de-identified post-mortem of an email compromise for educational purposes seems to be well in order. (Names changed to protect the guilty and gullible)

I shall not name specific email hosting services as all have some vulnerability to these forms of attacks, and all have some form of defense. These defenses are usually not enabled by default.

Social engineering for financially-motivated fraud is a hallmark of the “classic” email compromise.

Every email compromise has a set of predictable phases:

Phase 1: Insertion

Entry or initial access is accomplished via a number of methods:

  • Phishing – Basic malevolent email or links
  • Brute Force – Use of a dictionary attack
  • Credential Exposure – Other compromised sites
  • Legacy Vulnerabilities – Use of access methods with known vulnerabilities (POP/IMAP)

Of these, the most commonly seen are:

Phishing, which, at its core, is a social engineering attack: “Can I convince you to give me your credentials?” This compromise is usually via some link to an online document or form.

Credential Exposure, where your credentials are used on multiple sites, one of which has suffered a data breach or exposure. These data dumps are openly available on the internet. There are also several sites to check for this. A simple Google search for “Have I been pwned” or “Has my login data been breached” may yield some interesting information.

Brute Force, or the use of a “data dictionary” to perform automated sequential login attempts. This may use exposed credentials as a data source.
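A defender can look for two of these entry methods in sign-in records. The following is an added example, not part of the original post: it flags a successful sign-in that follows a burst of failures, and any successful sign-in over POP/IMAP. The log format, the threshold and the window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY = {"POP3", "IMAP"}
WINDOW = timedelta(minutes=10)   # assumption: look-back window for failures
THRESHOLD = 5                    # assumption: failures that count as a burst

# Constructed sample records: time, account, source IP, protocol, result
SAMPLE_LOG = """\
2021-01-08T14:00:01 manager@example.com 198.51.100.7 IMAP FAIL
2021-01-08T14:00:03 manager@example.com 198.51.100.7 IMAP FAIL
2021-01-08T14:00:05 manager@example.com 198.51.100.7 IMAP FAIL
2021-01-08T14:00:07 manager@example.com 198.51.100.7 IMAP FAIL
2021-01-08T14:00:09 manager@example.com 198.51.100.7 IMAP FAIL
2021-01-08T14:00:11 manager@example.com 198.51.100.7 IMAP OK
2021-01-08T14:05:00 clerk@example.com 192.0.2.10 HTTPS FAIL
2021-01-08T14:05:20 clerk@example.com 192.0.2.10 HTTPS OK
2021-01-08T15:00:00 owner@example.com 203.0.113.9 POP3 OK
"""

def parse(text):
    """Yield (timestamp, account, ip, protocol, result) for each record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, proto, result = line.split()
        yield datetime.fromisoformat(ts), account, ip, proto, result

def triage(text):
    """Return (account, ip, reason) alerts in log order."""
    # Failures are tracked per account, not per source IP, so attempts
    # spread across many addresses still add up.
    failures = defaultdict(list)
    alerts = []
    for ts, account, ip, proto, result in parse(text):
        recent = [t for t in failures[account] if ts - t <= WINDOW]
        if result == "FAIL":
            failures[account] = recent + [ts]
            continue
        if len(recent) >= THRESHOLD:
            alerts.append((account, ip, f"success after {len(recent)} failures"))
        if proto in LEGACY:
            alerts.append((account, ip, f"successful {proto} sign-in"))
        failures[account] = []   # a success resets the failure count
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert, sep="  ")
```

A single mistyped password followed by a success, as in the clerk's records, stays below the threshold and is not flagged.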

Phase 2: Reconnaissance

Corporate reconnaissance can take many forms:

  • Mail forwarding
    • Via Mailbox rules
    • Additional trusted devices
  • Email traffic analysis
    • Mail client searches
    • Mail corpus searches
  • Test messages

Mail forwarding is the act of mirroring all email traffic (sent and received) to an external system to build a target list for further exploitation. This can be done by adding additional mailbox processing rules or by adding additional trusted devices.

Email Traffic Analysis – Once a mail flow is being mirrored, it can be examined not just for the sender/recipient, but also for the amount of traffic, the nature of the traffic, and the inclusion of keywords (Invoice, Payment, Bank Account, ABA Routing Number, SSN, CC Number, etc.). Any of the captured data may be used to create a malevolent message or to set the timing of a message.

A mail client can search for keywords in both the local store and the service mail corpus.

Test Messages – Given the above data, an intruder may craft credible messages and send them to targeted recipients to evaluate the “softness” of the target. These can be attached photos from vacation when the email analysis shows the sender has been on vacation, wedding announcements, or birth announcements. These are usually flagged with return receipts and are stripped from the mail inbox by mail rules.

Phase 3: The Sting

All the work to insert oneself and reconnoitre a target has but one reason: financial gain. This can take several forms:

  • Wire Transfer – Transfer money to discharge a debt or make an acquisition.
  • HR Manipulation
    • Direct Deposit update – I am changing my bank
    • W-2 Update – Harvesting Personal data for future fraud
  • Gift Card Purchase – Purchase gift cards for employee “Bonuses.”
  • External Account Exploits – Access to “Rewards sites” (Travel, Credit Card)
  • Attack Amplification – Use of a compromised account to compromise other accounts

Wire Transfer – Usually an “URGENT” email about some forgotten payment or a spur-of-the-moment purchase. Most often applied when the reconnaissance shows the sender will be unavailable for some period of time.

One real-life example: the sender supposedly requesting the wire transfer was boarding a plane and would be out of communications for 12+ hours, but needed this to occur before the end of the business day. This was most effective when done on a Friday.

Yes, the intruder knew the principal was getting on a plane and knew that they had shut off their phone for takeoff, thence commenced the urgent request for a wire transfer to be done, by EOD, on a Friday.

HR Manipulation – These are self-explanatory.

Gift Card Purchase – These are usually the attacker masquerading as a manager or business owner. The sender wants to reward an employee with a gift card but needs the recipient to purchase gift cards and send him the authorization number from the card’s back.

A real-life example: the email accounts of both the business owner and the office manager were compromised. The business owner was visiting a remote production facility. The intruder commenced an attack with an email to the office manager requesting that she use her corporate card to purchase “Bonus Gift Cards” for employees at the remote location, then send photos of the back of the cards to the business owner.

External Accounts Exploit – Email analysis indicates that the mailbox owner has “Reward Points” available. The attacker visits the rewards site. If they cannot gain access with known credentials, they use the mail account to reset the site password and order the conversion of the points into a cash payment into the attacker’s aggregation account.

While an attack is in progress, emails sent and received may be either deleted or moved into folders so that they do not appear in the inbox. This may be done as a manual process or by specially crafted email handling rules.
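Both the mirroring rules from Phase 2 and the hiding rules described above leave traces in the mailbox rule set, which can be reviewed. The following is an added example, not part of the original post: it audits exported rules for forwarding to outside addresses and for rules that delete, move or mark as read any mail matching finance keywords. The record layout, field names, domains and keyword list are hypothetical, not any provider's export format.

```python
import json

ORG_DOMAINS = {"example.com"}      # assumption: domains the organisation owns
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "routing", "gift card"}
HIDE_ACTIONS = {"delete", "move_to_folder", "mark_read"}

# Constructed sample rules, in a hypothetical JSON export layout.
SAMPLE_RULES = json.loads("""
[
 {"mailbox": "owner@example.com", "name": ".", "conditions": {},
  "actions": [{"type": "forward", "to": "archive@mail-backup.example.net"}]},
 {"mailbox": "manager@example.com", "name": "..",
  "conditions": {"subject_contains": ["Invoice", "Wire"]},
  "actions": [{"type": "move_to_folder", "folder": "RSS Feeds"},
              {"type": "mark_read"}]},
 {"mailbox": "clerk@example.com", "name": "Newsletters",
  "conditions": {"from_contains": ["news@example.com"]},
  "actions": [{"type": "move_to_folder", "folder": "Newsletters"}]}
]
""")

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule):
    """Return the findings for one rule; an empty list means nothing flagged."""
    findings = []
    conditions = rule.get("conditions", {})
    keywords = {w.lower() for values in conditions.values() for w in values}
    hits = sorted(keywords & FINANCE_WORDS)
    for action in rule.get("actions", []):
        kind = action.get("type")
        to = action.get("to", "")
        if kind in ("forward", "redirect") and domain_of(to) not in ORG_DOMAINS:
            scope = "matching mail" if conditions else "all mail"
            findings.append(f"forwards {scope} to external address {to}")
        if kind in HIDE_ACTIONS and hits:
            findings.append(f"{kind} on mail matching finance keywords {hits}")
    return findings

def audit(rules):
    """Map each mailbox to the findings across all of its rules."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule["mailbox"], []).extend(findings)
    return report
```

An ordinary filing rule, such as the clerk's newsletter rule in the sample, produces no finding.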

Attack Amplification – The act of using a compromised account to phish other accounts that trust the sender. This alone can be devastating to a business's reputation; any additional accounts compromised or successful frauds are even more disastrous.

Best Practices to Avoid Compromise:

  • Utilize strong passwords.
  • Enforce 2FA.
  • Enforce password expiration.
  • Use a password manager.
  • Do NOT reuse passwords on multiple sites.
  • Disable vulnerable legacy protocols.
  • Enforce an account lockout policy.
  • Train users to recognize phishing attempts.

VERIFY ALL TRANSACTION REQUESTS, either by voice or by secure backchannel.
