Perched | Security Education, Consulting, and Support


Business Email Compromise - A Brief Analysis - Preparation (1/3)

Introduction

This is the beginning of a three part series on a Business Email Compromise campaign that we recently observed.

  1. Part 1: Preparation

  2. Part 2: Artifact Collection

  3. Part 3: Artifact Analysis - Coming Soon

Background

Business Email Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

In mid-2018, the FBI’s Internet Crime Complaint Center (IC3) released the BEC statistics for 2013 - 2018, and they were a staggering $12.5B in losses to companies, with $1.3B in 2018 alone!

While BEC campaigns are nothing new, I happened to receive one the other day and, in discussing it in passing with a colleague in another forum, he asked me what a BEC was. It really caught me off-guard, because in our world of studying the adversary, it was a concept that I thought had been fairly well sussed out. However, the more I thought about it, outside of cyber threat intelligence analysis, these concepts that we take as “table stakes” in CTI, may be a bit foreign to others.

The Email

In a previous life, I did a lot of whale, spear, and traditional phishing analysis; so when I received the email, I instantly went from “this could be a business opportunity” back to “well well well, what have we here?”.

The email had all the hallmarks of a phish: it came from an unknown person (but, in a business, that’s not terribly abnormal), it came to me directly vs. through our publicly advertised contact email address (but, my address isn’t a secret), and then the big red flag, a context-created sense of urgency:

I am in a meeting and can not talk but will look for your reply. [Removed] sent from mobile. Please excuse my Brevity.

Note: The Display Name from the screenshot is blurred because, as I was analyzing this, I discovered that it was the name of a CTO for a company that has a similar name to ours and realized that he was likely being used as a foil; no need to cast a spotlight his way.

Normally, you’d just mark an email like this as spam, but, I’d not gotten a phish in a bit, so I thought I’d make sure the tools and skills we teach in the Perched Analyst were still up to the challenge.

Email Collection

First, we need to grab the email in a safe way from Gmail. While I’m sure there are a few ways to skin the cat here, I just fired up Outlook to download the email as an .eml file without opening it by just dragging the email straight from Outlook to my analysis folder. You can download the email from Gmail, but you have to open it, and as we’ll see later, that’s not wise.

Note: If anyone has a process to download Gmail without opening it via an API or script, please share.

Analysis Preparation

Note: Before we start anything, I wanted to make a short comment on using the filenames that are in my path vs. providing the full path of the analysis binaries. Best practice is certainly to use the full path to avoid any nefarious aliases. That said, for this blog post, I’m going to use filenames that are in my path because there are nuances between macOS and Linux and I didn’t want to fill the screen with the differences. If there are filename differences, I’ll call them out.

Let’s get started and hash the file so we can make sure at the end of the analysis, nothing has changed. Generally speaking, MD5 is a fine algorithm for this kind of work, but to avoid the MD5, SHA1, SHA256 religious debate, we’ll just get them all.

macOS
md5 spam.eml
MD5 (spam.eml) = c2ea63bbcbb78e0e595e25366d504222
shasum -a 1 spam.eml
faed9aa81550ac3e6474b14199599b793064b5b0  spam.eml
shasum -a 256 spam.eml
57957f77ae300285b2ba6cd433d43193386ecae0c2d1845caf896b217e0e04e1  spam.eml

Linux
md5sum spam.eml
c2ea63bbcbb78e0e595e25366d504222 spam.eml
sha1sum spam.eml
faed9aa81550ac3e6474b14199599b793064b5b0 spam.eml
sha256sum spam.eml
57957f77ae300285b2ba6cd433d43193386ecae0c2d1845caf896b217e0e04e1 spam.eml

Now, let’s make an analysis copy, using the cp command, and leave the original intact in the event everything goes pear-shaped.

Note: we’re going to use the -p switch for the cp command to preserve all of the file attributes like modification time, access time, file flags, file mode, user ID, and group ID, as allowed by permissions. Access Control Lists (ACLs) and Extended Attributes (EAs), including resource forks, will also be preserved.

cp -p spam.eml spam.eml.working

Now, let’s make another check to make sure nothing has changed while we were making our copy by re-running the hashing process from above and validating that the hashes haven’t changed.
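The hash, copy with cp -p, re-hash sequence above is easy to fat-finger when repeated by hand, so here is the same preparation workflow as a small POSIX shell script. This is an added example written for this post, not a Perched tool; the script name, the spam.eml.hashes record file and the function names are my own choices. It uses the coreutils hashing commands when they exist (Linux) and falls back to md5/shasum otherwise (macOS), records the original’s digests, makes the working copy, and refuses to continue if either file no longer matches. The verify_unchanged function is the check you run again at the end of the analysis.

```shell
#!/bin/sh
# preserve_and_verify.sh (hypothetical name; added example, not from the original post)
# Usage: ./preserve_and_verify.sh spam.eml
#   1. hash the original (MD5, SHA-1, SHA-256)
#   2. copy it with `cp -p` so timestamps, mode and ownership are preserved
#   3. re-hash original and copy; abort if anything differs
#   4. keep a <file>.hashes record for the end-of-analysis comparison

hash_file() {
  # Print "md5 sha1 sha256" for $1, using whichever tools the host provides
  # (coreutils on Linux; md5/shasum on macOS and the BSDs).
  f="$1"
  if command -v md5sum >/dev/null 2>&1; then
    m=$(md5sum "$f" | awk '{print $1}')
    s1=$(sha1sum "$f" | awk '{print $1}')
    s256=$(sha256sum "$f" | awk '{print $1}')
  else
    m=$(md5 -q "$f")
    s1=$(shasum -a 1 "$f" | awk '{print $1}')
    s256=$(shasum -a 256 "$f" | awk '{print $1}')
  fi
  printf '%s %s %s\n' "$m" "$s1" "$s256"
}

make_working_copy() {
  # Copy $1 to $1.working with cp -p, then prove both files still hash
  # to the digests taken before the copy. Returns 1 on any mismatch.
  src="$1"
  dst="$1.working"
  before=$(hash_file "$src") || return 1
  cp -p "$src" "$dst" || return 1
  after_src=$(hash_file "$src")
  after_dst=$(hash_file "$dst")
  if [ "$before" != "$after_src" ] || [ "$before" != "$after_dst" ]; then
    echo "HASH MISMATCH: original=$after_src copy=$after_dst expected=$before" >&2
    return 1
  fi
  # Record the digests so the original can be re-verified after analysis.
  echo "$before" > "$src.hashes"
  echo "ok: $dst matches $src"
  echo "    $before"
  return 0
}

verify_unchanged() {
  # Compare $1's current digests with the record written by make_working_copy.
  # Exit status 0 means untouched; 1 means the file changed (or no record).
  f="$1"
  [ -r "$f.hashes" ] || { echo "no hash record for $f" >&2; return 1; }
  [ "$(hash_file "$f")" = "$(cat "$f.hashes")" ]
}

# Run as a script: ./preserve_and_verify.sh spam.eml
if [ -n "$1" ]; then
  make_working_copy "$1"
fi
```

Run it once before you start (it writes spam.eml.working and spam.eml.hashes), do all your work against the .working copy, and call verify_unchanged spam.eml when you are done; a non-zero exit status means the original was modified somewhere along the way.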

In our next post, we’re going to discuss the technical steps involved in collecting the artifacts. Please check back in with us!