April 2022 | Nextworks
Does the following sound too good to be true?
There is an easy means to make this quite true. What’s the catch? It’s illegal.
It's a scam and it’s easy to carry out. But it delivers, year after year.
But first, a clarification for the purpose of this article is required. The intent is to disclose the workings of a common scam. We’re not divulging any secrets nor training criminals. Described here is a well-known trick.
By being informed your likelihood of falling prey is mitigated.
Ready to make some money? Let's go on a “phishing” trip first.
Signup for a web proxy service to mask your Internet activity. There are many companies to choose from. These are legitimate and legal services.
A thousand is a good start. You can purchase lists online or gather them on your own from surfing. While it is legal to purchase bulk email addresses, various local laws have restrictions on your ability to market to them. (What does that matter to a criminal anyway?)
You can use Google, Microsoft, Yahoo, etc. This costs you nothing. The mail provider will eventually detect what you are doing and close your account. But you can keep making new accounts.
Make a graphical, professional looking forgery of a “call to action” email from Microsoft, Google, etc. One of the most common forgeries is a notification that your “Microsoft 365 mailbox is almost full. Click here to log in.” This will link to a web site that you create. (We’ll use this scheme as an example going forward.)
This is the only step that requires some technical know-how.
Construct a small web site that looks like a Microsoft login page. Find a foreign Internet company to host it. All your web site will do is display a Microsoft logo and ask for an email address and password. As people attempt to log in, the credentials they provide are saved.
You can stop there if you want. All you care about is gathering credentials. But if you want to not raise any suspicion once they “log in”, you could pop up an “Approve 100 gigabytes of additional storage for $2/month” button. Once clicked, it confirms the account change was made and they will see the rate increase on their next billing cycle.
Send your “mailbox almost full” emails and wait for passwords to accumulate. The phish will bite.... a lot.
Now it’s time to start logging into Microsoft 365 accounts. Many folks have 2FA enabled. You won’t be able to get into these. We throw these overboard. But many work. These are keepers. You had a good day of phishing. Go play some disk golf.
This part takes a bit of time and patience. You will be logging into a lot of accounts and reading a lot of email. What you are looking for is people in accounting. A conversation with a buyer and seller with transactions in the tens of thousands of dollars is what you are after. Once you’ve found what you are looking for, learn more about the relationship between the two parties. Take notes. Copy email signatures. Who is sending money to whom and what for? How often and how much? What's their usual demeanor?
It’s now time to start a new conversation or hijack an existing one. You will deploy what’s called spoofing. You will pretend to be one of the two parties. Your goal is to intersect a money transfer. Here is an example:
Tim at firstname.lastname@example.org regularly talks to Julie at email@example.com about periodically restocking their supply of thermostats. Tim and Julie have worked together in the past.
Make a Gmail account called firstname.lastname@example.org. Recreate Julie’s email signature and company logo. Use this new email account to send an email to Tim stating that the ACH information changed because XYZ Control Systems has a new bank. Give Tim your (foreign) bank routing information. Sign your email as Julie.
Tim will receive the email from “Julie” with the new bank account information. Tim updates his accounts payables database, and considers the matter closed.
The next time Tim places an order for thermostats, ABC HVAC Services will not send $15,000 to XYZ Control Systems. The money will go to your bank. Once received, you immediately transfer the money elsewhere.
To accomplish this scam, you needed either Tim or Julie’s password to learn about their business relationship. Note that you did not need to login as either of them again once you learned about how they work together. You were able to use your Gmail account to do the rest. All you needed was context.
How was this so easy? Two mistakes were made:
There is no credit card protection here. Your bank will likely be of little assistance They are not at fault. The money is likely gone.
There are variations on this scam. Sometimes the criminals will actually send the email from the hijacked email account. They will then cover their tracks by deleting the email from the “Sent” folder. They may also create email “Rules” to direct any replies to the trash so that their activity goes unnoticed.
Always maintain situational awareness. Stay alert. Be informed. Remember in the old days how we would pick up the phone and talk to people? If asked to send money elsewhere, call to confirm. Don’t rely on the phone number in the questionable email. Dial the phone number that you already know. Enable 2FA for your email. Get cybersecurity training for you and your staff. Trust but verify.