Black scheme: Business email compromise

3yewhorsever001

Member

17 May 2020
This scheme is quite old but still operable in the underworld. I am sharing this for the sole purpose of enlightenment, incident response practices and progressive research. I will not be accountable for deviant actions committed by readers, although it is a black scheme for earning. Firstly, the scheme entails gaining access to email accounts that a company uses to conduct business transactions (processing and receiving of payments). After getting access to the email, the actor goes through the inbox and new mails in search of keywords such as ‘Invoices’, ‘Product inquiry’ or basically any new email regarding placement of an order (this would be what the actor should look for, as these are the relevant mails needed). After reading through the mails, the actor is on the lookout for mails from clients who have been sent a proforma invoice, hence an anticipation of a part payment from the client, as indicated on the invoice. If such a mail is found, it is suggested that the actor implements the following attack vectors:

Email spoofing using an e-mailer: the actor is expected to extract the email address of the potential customer and send an email through a mailer using the compromised email address and name as it appears.

Social engineering: the context of the mail should be that the bank account of the company of the compromised email is undergoing some audits, hence it would not be able to receive the payment using the details on the invoice, and since the trade cannot be postponed, the payment should be made to an alternate account (drop account). You can make up better stories, but this one should work too. Now all you have to do is sit back and wait for the payment receipt in your email after a job well done.

Note: it is advisable that you clone the email address of the client and ask that the payment receipt be sent to the cloned email by the customer upon completion of payment. It is better than having the receipt sent to the original email and not reading and deleting it before the email owner views the mail. For example, if the compromised email is ‘[email protected]’, the cloned email can be ‘[email protected]’; you can say it’s the email of an assistant representative. Sounds easy, cheers.
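A defender-side screen for the three signals this post describes (a lookalike sender domain, a Reply-To pointing elsewhere, and the "account under audit, pay to an alternate account" wording), added here as an example; it is not code from the original thread. The partner domain list, the phrase list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed vendor domain the buyer pays (assumption; a real deployment loads it from the vendor master).
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example"}
# Phrases typical of the "our account is under audit, pay elsewhere" pretext.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(audit(ed|s)?|alternat(e|ive) account|new bank details"
    r"|updated? (our )?(bank|account|payment) (details|information))\b", re.I)
# Constructed sample: lookalike sender, foreign Reply-To, audit pretext.
SAMPLE_MESSAGE = """\
From: Acme Supplies Accounts <accounts@acme-supp1ies.example>
Reply-To: acme.accounts.assistant@webmail.example

Our bank account is under audit, please remit the deposit to the alternate account below.
"""

def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance: catches one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    # Partner domain this sender imitates (near spelling or embedded name), else None.
    domain = domain.lower()
    for known in KNOWN_PARTNER_DOMAINS:
        if domain != known and (edit_distance(domain, known) <= 2
                                or known.split(".")[0] in domain):
            return known
    return None

def screen_message(raw: str) -> dict:
    # Score one RFC 5322 message for the payment-diversion pattern.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    if lookalike_of(from_domain):
        findings.append(f"From domain {from_domain} resembles {lookalike_of(from_domain)}")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if not msg.is_multipart() and PAYMENT_CHANGE_RE.search(msg.get_payload()):
        findings.append("body asks to change the payment destination")
    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"risk": risk, "findings": findings}
```

Any "high" result should be routed to an out-of-band callback to the vendor on a number already on file, which is exactly the step the reply below says legitimate businesses take.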
 

Profiler7548

Member

4 Aug 2020
Oh damn, they wrote it in English; this is nonsense, usually when bank details are changed, in 99.9% of cases people call each other to confirm.
And another thing, for those who are far from business: the account details include the company's INN (tax ID) and name.
Bogus, in short.
 

3yewhorsever001

Member

17 May 2020
[QUOTE="Profiler7548, post: 67063, member: 49632"]
Oh damn, they wrote in English, this is garbage, usually when the details are changed in 99.9% of cases, they call up.
And yet, those who are far from business - in the account details there is the company's TIN and the name.
Mule in general.
[/QUOTE]
It might sound complicated, and yes, mules (there is the option to patronize account services), given the scope of the operation, which is filtering mail and watching for incoming transactions. I think the almighty email app vulnerability (unmark message as read) makes the attack more realistic, as this feature allows for altering the state of the mail (read/unread). This post was intended to shed more light on the BEC cyber attacks, popular amongst the B2B and C2B business models, with more conclusions drawn from archaic news sources; a translator should aid in proper comprehension of the OP. I'm sure the forum is open to English persons. I hope you enjoy the read.