Business Email Compromise - A Brief Analysis - Preparation (1/3)
This is the beginning of a three part series on a Business Email Compromise campaign that we recently observed.
Part 1: Preparation
Part 2: Artifact Collection
Part 3: Artifact Analysis - Coming Soon
Business Email Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
While BEC campaigns are nothing new, I happened to receive one the other day and, in discussing it in passing with a colleague in another forum, he asked me what a BEC was. It really caught me off-guard, because in our world of studying the adversary, it was a concept that I thought had been fairly well sussed out. However, the more I thought about it, outside of cyber threat intelligence analysis, these concepts that we take as “table stakes” in CTI, may be a bit foreign to others.
In a previous life, I did a lot of whale, spear, and traditional phishing analysis; so when I received the email, I instantly went from “this could be a business opportunity” back to “well well well, what have we here?”.
The email had all the hallmarks of a phish, from an unknown person (but, in a business, that’s not terribly abnormal), it came to me directly vs. through our publicly advertised contact email address (but, my address isn’t a secret), then the big red flag, a context-created sense of urgency
I am in a meeting and can not talk but will look for your reply. [Removed] sent from mobile. Please excuse my Brevity.
Note: The Display Name from the screenshot is blurred because as I was analyzing this, I discovered that it was the name of a CTO for a company that has a similar name to ours and realized that he was likely being used as a foil, no need in casting a spotlight his way.
Normally, you’d just mark an email like this as spam, but, I’d not gotten a phish in a bit, so I thought I’d make sure the tools and skills we teach in the Perched Analyst were still up to the challenge.
First, we need to grab the email in a safe way from Gmail. While I’m sure there are a few ways to skin the cat here, I just fired up Outlook to download the email as an
.eml file without opening it by just dragging the email straight from Outlook to my analysis folder. You can download the email from Gmail, but you have to open it, and as we’ll see later, that’s not wise.
Note: If anyone has a process to download Gmail without opening it via an API or script, please share.
Note: Before we start anything, I wanted to make a short comment on using the filenames that are in my path vs. providing the full path of the analysis binaries. Best practice is certainly to use the full path to avoid any nefarious aliases. That said, for this blog post, I’m going to use filenames that are in my path because there are nuances between macOS and Linux and I didn’t want to fill the screen with the differences. If there are filename differences, I’ll call them out.
Let’s get started and hash the file so we can make sure at the end of the analysis, nothing has changed. Generally speaking, MD5 is a fine algorithm for this kind of work, but to avoid the MD5, SHA1, SHA256 religious debate, we’ll just get them all.
macOS md5 spam.eml MD5 (spam.eml) = c2ea63bbcbb78e0e595e25366d504222 shasum -a 1 spam.eml faed9aa81550ac3e6474b14199599b793064b5b0 spam.eml shasum -a 256 spam.eml 57957f77ae300285b2ba6cd433d43193386ecae0c2d1845caf896b217e0e04e1 spam.eml Linux md5sum spam.eml c2ea63bbcbb78e0e595e25366d504222 spam.eml sha1sum spam.eml faed9aa81550ac3e6474b14199599b793064b5b0 spam.eml sha256sum spam.eml 57957f77ae300285b2ba6cd433d43193386ecae0c2d1845caf896b217e0e04e1 spam.eml
Now, let’s make an analysis copy, using the
cp command, and leave the original intact in the event everything goes pear-shaped.
Note: we’re going to use the
-p switch for the
cp command to preserve all of the file attributes like modification time, access time, file flags, file mode, user ID, and group ID, as allowed by permissions. Access Control Lists (ACLs) and Extended Attributes (EAs), including resource forks, will also be preserved.
cp -p spam.eml spam.eml.working
Now, let’s make another check to make sure nothing to changed while we were making our copy by re-running the hashing process from above and validate that the hashes haven’t changed.
In our next post, we’re going to discuss the technical steps involved in collecting the artifacts. Please check back in with us!