Cybercriminals are opportunists by nature, so it’s no surprise to see that they continuously exploit attack vectors that have been proven to show success. Of these attack vectors, phishing and business email compromises (BECs) are often the most fruitful. With the significant frequency and value of phishing and BEC scams, many criminals turn to this tried and proven social engineering technique. In fact, the FBI reports that BEC scams cost enterprises more than $26 billion worldwide between 2016 and 2019.
Throughout the past several weeks, I personally received five of these suspicious emails. BEC emails are becoming incrementally more sophisticated in nature, complete with official-looking headshots and signatures from a genuine law firm. Cybercriminals deploying social engineering techniques like this are audacious. When I received this email my spider-senses were tingling: Something was off, even though this email was not caught by the email protection or kicked into my spam box. I always have Preview turned off in Microsoft to ensure that when I hover over the document/PDF it does not show me document preview unless I click on it. Fortunately, my firsthand experience dealing with these types of emails meant that I could avert the damage that would have ensued. Unfortunately, not everyone has this experience on their side.
While many BEC emails seem legitimate, there’s still a suspicious nature about them. For example, the location of the fraudulent sender and the location of the attorney that they were impersonating did not match up. Upon a quick search, we realized the attorney was in a totally different state. After calling the phone number on the email the call was answered as if I called the actual law firm, however my query revealed the actual phone number to the real attorney was different than the one on email.
These scam emails have severe implications, not just for the innocent (but uneducated) employee who may fall victim to them, but for the firms that they are impersonating as it may result in severe lack of trust. When it comes to potentially fraudulent emails, it’s best to verify the authenticity by conducting thorough research, and that’s exactly what we did.
A certified forensics expert at Cerberus Sentinel and I worked on the PDF to ascertain what it was meant to do. We wanted to see it real-time and execute the program to view the progression or outcome. We took the email with the PDF attached and put it into a safeguarded standalone sandbox. This particular email had seven different redirects to known malicious sites that would have uploaded into my browser from the PDF. It also contained a Ryuk-type program to run as soon as the file was clicked, and Adobe opened to execute on my system.
The outcome was astounding, it not only redirected to the sites, but started pushing out data to known bad IP’s to create connections. In a commercial network, the machine receiving the email and the network would have been compromised. Within minutes the sandbox was compromised in several file directories and had established connections to known bad IPs. Interestingly, the amount of resources to accomplish the program directive barely slowed the machine down, which most people would not notice.
The code embedded was very cutting edge and infectious if opened. In most situations, somebody getting a legally-served paper and or information regarding a pending legal case from a law firm would immediately open it. Even running antivirus and malware programs against the PDF, it came back with no errors.
These BEC programs are becoming more targeted to individuals and more importantly, they are becoming more advanced in terms of how the payloads infiltrate the targets. In this current climate of phishing and BEC scams, both comprehensive email security and employee training have never been more important. Moving forward, companies need to develop detailed cybersecurity awareness training programs that teach workers across all levels to question everything and stay wary of potential phishing schemes; especially when the stakes are so high.
David Jemmett, founder and CEO, Cerberus Sentinel
