A tale of Business Email Compromise

BEC attacks

Chapter 1, where we are asked to conduct an investigation

  • How were the attackers able to jump into an email conversation they had not been a part of at an arbitrary point in time?
  • Why were they able to see the whole message history?
  • Was it the work of an insider or was it an external adversary?

Chapter 2, where we test our initial assumptions

Chapter 3, where we assess the scale of the campaign

  • the-boeings[.]com
  • airbuus[.]com
  • airbuxs[.]com
  • bmw-my[.]com
  • uksamsung[.]com
  • a-adidas[.]com
  • giorgioarmani-hk[.]com

Chapter 4, where we map out what happened

  • Some were already familiar: we had come across them in the victims’ correspondence with their partners.
  • Others were new and bore no resemblance to the domains of either the victims or their partners. In the context of a BEC attack, we assumed these domains had been used to compromise the victims’ email accounts. This was confirmed when we found that some of these addresses had been used to deliver phishing emails to the victims.

Chapter 5, where we detail the geography of the campaign

Chapter 6, where we answer any remaining questions

  1. The attackers read the victim’s correspondence with their customers and partners.
  2. Once the conversation turned to payment, the criminals forwarded the relevant message, with the full quoted history, to Phishing address 1 (P1), a lookalike of the victim’s address.
  3. From P1, the criminals would write to the victim’s partner.
  4. The partner would reply to P1.
  5. The attackers would then bring in Phishing address 2 (P2), this time a lookalike of the partner’s address. The reply that the partner had sent to P1 was forwarded to the victim from P2.
  6. The victim simply replied to P2.
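The six steps above are what a mail gateway or SOC analyst has to catch: two lookalike domains, one imitating the victim and one imitating the partner, spliced into a thread whose genuine parties never change. The following is an added example (not BI.ZONE’s code) that does both jobs: it maps the Chapter 3 domains to the brands they imitate, and it walks a constructed mail thread flagging any address whose domain is new to the conversation yet a lookalike of a party already in it. The legitimate brand domains (boeing.com, airbus.com, bmw.com, samsung.com, adidas.com, armani.com), the sample thread and the domains aeroparts.example / skysupply.example and their lookalikes are assumptions made for the illustration; only the suspect domain list comes from the article.

```python
"""Lookalike-domain and thread-hijack detection for the P1/P2 BEC pattern.

Added example, not BI.ZONE's code. SUSPECT_DOMAINS are the Chapter 3 domains;
LEGIT_DOMAINS and SAMPLE_THREAD are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Domains observed in the campaign (from Chapter 3 of the article).
SUSPECT_DOMAINS = [
    "the-boeings.com", "airbuus.com", "airbuxs.com", "bmw-my.com",
    "uksamsung.com", "a-adidas.com", "giorgioarmani-hk.com",
]
# Assumed legitimate domains of the imitated brands (not from the article).
LEGIT_DOMAINS = ["boeing.com", "airbus.com", "bmw.com", "samsung.com",
                 "adidas.com", "armani.com"]


def registrable_label(domain: str) -> str:
    """Label left of the TLD, lowercased, hyphens removed.
    Simplification: the last dot-separated part is treated as the TLD, so
    multi-part suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, legit: Sequence[str], max_edits: int = 2) -> Optional[str]:
    """Return the legitimate domain that `domain` imitates, or None.
    A domain is a lookalike when its hyphen-stripped label either embeds the
    brand label (the-boeings -> theboeings contains boeing, a-adidas contains
    adidas) or is within max_edits of it (airbuus vs airbus). The genuine
    domain itself is never a lookalike."""
    label = registrable_label(domain)
    for candidate in legit:
        if domain.lower() == candidate.lower():
            return None
        brand = registrable_label(candidate)
        if (len(brand) >= 3 and brand in label) or levenshtein(label, brand) <= max_edits:
            return candidate
    return None


def classify_suspects(suspects: Sequence[str] = SUSPECT_DOMAINS,
                      legit: Sequence[str] = LEGIT_DOMAINS) -> Dict[str, Optional[str]]:
    """Map each suspect domain to the brand domain it imitates."""
    return {s: lookalike_of(s, legit) for s in suspects}


@dataclass
class Message:
    step: int        # position in the thread, matching the article's numbering
    sender: str
    recipient: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


# Constructed thread reproducing steps 1-6; aeroparts.example is the victim,
# skysupply.example the partner, the other two domains are P1 and P2.
SAMPLE_THREAD = [
    Message(1, "accounts@aeroparts.example", "ap@skysupply.example"),
    Message(2, "ap@skysupply.example", "accounts@aeroparts.example"),
    Message(3, "accounts@aeroparts-ltd.example", "ap@skysupply.example"),  # P1 -> partner
    Message(4, "ap@skysupply.example", "accounts@aeroparts-ltd.example"),  # partner -> P1
    Message(5, "ap@skysuply.example", "accounts@aeroparts.example"),       # P2 -> victim
    Message(6, "accounts@aeroparts.example", "ap@skysuply.example"),       # victim -> P2
]


def find_hijack(thread: List[Message]) -> List[Tuple[int, str, str, str]]:
    """The first message fixes the two genuine parties. Any later sender or
    recipient whose domain is not one of them but imitates one is reported as
    (step, role, lookalike domain, imitated domain)."""
    genuine = [domain_of(thread[0].sender), domain_of(thread[0].recipient)]
    alerts = []
    for m in thread[1:]:
        for role, addr in (("sender", m.sender), ("recipient", m.recipient)):
            d = domain_of(addr)
            if d in genuine:
                continue
            target = lookalike_of(d, genuine)
            if target:
                alerts.append((m.step, role, d, target))
    return alerts


if __name__ == "__main__":
    for suspect, brand in classify_suspects().items():
        print(f"{suspect:22} imitates {brand}")
    for step, role, fake, real in find_hijack(SAMPLE_THREAD):
        print(f"step {step}: {role} domain {fake} imitates {real}")
```

The thread check deliberately looks at recipients as well as senders: in steps 4 and 6 the genuine party is the one sending, and the only sign of trouble is that the reply is going to an address that did not exist at the start of the conversation. In production the "genuine parties" would come from the earliest message in the References/In-Reply-To chain rather than from a list built by hand.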

Conclusion


BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age
