Courtesy of Agari by Fortra.
Have you ever received a blank email from someone you don’t know? If you have, it may have been from a cybercriminal making sure your email account is legitimate prior to a BEC attack.
We released a report on a business email compromise (BEC) cybercriminal group named London Blue in December 2018. The report dove into the organizational structure of West African criminal groups (which still dominate the BEC scene with a roughly 90% stronghold) and delved into how they operate like modern corporations, as well as how they made a foolish decision to send a BEC email to our CFO here at Agari. What they didn’t surveil was how our significant visibility into London Blue’s operations gave us a leg up in observing the group’s entire attack chain—from preparation to execution. Even more absurd, a BEC group also based in West Africa, coined Scattered Canary, used the same nefarious tactic of targeting Agari’s CFO by impersonating a senior executive!
The second step in this attack chain is “Lead Validation and Processing,” during which a BEC group member takes the raw leads gathered by another member and takes the following steps:
- Validates the contact information to confirm that it is accurate.
- Supplements the leads with open-source intelligence to identify additional information, such as the name of the CEO to be impersonated.
- Organizes the leads in a way that will allow the scammer sending the BEC emails to be more efficient.
The first part of this step—validation—is integral because it gives the BEC scammer confidence that his attacks are being directed to a live mailbox. So how do the scammers actually validate these potential target email addresses?
Taking the Easy Way Out
Many BEC groups use legitimate commercial lead generation services that are also used by companies all over the world to identify sales prospects, as evidenced more recently with the cybercriminal group, Scarlet Widow. Once a scammer conducts a customized search for corporate employees meeting their specific criteria, the service will provide a spreadsheet with target information, and even indicate whether their company has previously verified the email address.
Some scammers, though, use a more hands-on approach to validating target email addresses. During our research into a Nigerian BEC organization we’ve named Curious Orca, we uncovered a more monotonous process some scammers use to verify target contact information prior to initiating BEC campaigns.
Using the “i” to Validate Email Targets
The validation process used by Curious Orca is very rudimentary and straightforward. First, a group member starts with a list of raw targeting leads containing the names and possible email addresses of employees with the title “Controller” or “Accountant.” All of the targets processed by this group have these titles, which is a common tactic employed by BEC groups to identify targets. London Blue, for example, specifically looked for employees with “CFO” in their title. Or, another trend from recent years came in the form of an email impersonating the CFO of one of Agari’s customers sent to an Accounts Receivable specialist requesting a copy of an updated aging report, which the researchers at Agari’s Cyber Intelligence Division (ACID) dubbed Ancient Tortoise.
Using a raw targeting list, Curious Orca attempts to validate any unvalidated email address on the spreadsheet by simply sending a probing blank email with the subject “i” to the target to see if the email is delivered successfully. Unlike the emails for BEC campaigns, which are usually sent during work hours in the morning, these validation emails are sent during non-working hours, often in the middle of the night, when targets are unlikely to immediately see the email.
After sending this reconnaissance email, Curious Orca waits to see if an automated “bounce” is sent from the target’s mail server, which would indicate the email address is not valid. Usually, these emails come in the form of an “Undeliverable” or “Delivery Status Notification” message.
If no bounce notification is received, the target’s email address is assumed to be valid and operational. In the case of Curious Orca, once this contact information has been validated, their name, email address, and title are added to one of the hundreds of consolidated text files containing verified targets. In many cases, this file includes supplemental information about the CEO at the target company, who will be impersonated in the BEC attack.
If a Curious Orca scammer receives one of these automated bounce responses, however, the address is deemed to be invalid. When an email address is invalidated, the scammer moves on to other tactics.
Continuing the Chase
The target information is useful, so the scammer does not want to immediately give up immediately. As a result, he begins iterating through a series of likely email username combinations to see if one works. For example, if the target’s name was John Smith and the original invalid email address was [email protected], the scammer may cycle through the following email variations:
For each email variation, Curious Orca sends another blank probing email looking for a bounce. If one of the alternate email permutations fails to generate a bounce message, the target and the newly-validated information is added to a verified target list. If, however, the scammer burns through all of the obvious address combinations and receives a bounce email for all of them, then the target is simply excluded from the final target list—sparing that address from receiving a subsequent BEC attack.
While Curious Orca manually tests various email address variations, there are also online tools that attempt to predict the likely pattern used by email addresses on a specific domain. Like other commercial services used by BEC groups to identify initial raw target sets, these services are widely used by legitimate marketing teams; however, cybercriminals are exploiting them for more nefarious purposes.
By using these services, the cybercriminals are able to quickly and easily spot patterns and then test the most likely email combination, without having to go through the manual testing outlined above.
The Ugly Truth About Cybercrime
You might be thinking to yourself at this point… “This verification process seems like a lot of work. Surely, this group isn’t able to probe THAT many email addresses!” To the contrary, cybercriminal organizations have become well-versed in these tactics to the point that they are able to perform them in an extremely efficient manner. Since August 2018, a single Curious Orca associate has sent blank reconnaissance emails to more than 7,800 email addresses at over 3,200 companies in at least twelve countries, including Australia, Canada, Denmark, Hong Kong, Israel, Italy, the Netherlands, Papua New Guinea, Singapore, Sweden, the United Kingdom, and the United States. The validated contact information collected by this actor has contributed to a master targeting database containing more than 35,000 financial controllers and accountants at 28,000 companies around the world.
Even more surprising, these scammers are not using automation to send their probing emails. Each validation email is sent manually. Recently, over the course of a week, one Curious Orca actor spent 46 hours performing reconnaissance using probe emails and consolidating validated address into master target lists. This is a significant amount of time and looks very similar to an actual work schedule, which underscores our previous findings that these groups operate very similarly to normal, everyday businesses.
All of this has contributed to a seismic shift in the email threat landscape, leaving CISOs bracing for sophisticated new forms of BEC scams and feeling like they are fighting a hydra and its many heads—as soon as they chop off one threat, two more emerge; and despite the decades (and billions of dollars) of investment and innovation in cybersecurity, it is still a battle being lost in the long run. What is also changing is the penetration of scammers and threat actors cross-continents, including Russia (i.e. 2019’s Cosmic Lynx), Eastern Europe, the Middle East, and as far as Asia.
So How Do I Protect My Organization from Pre-Attack Email Probes?
One easy step is to disable email bounce messages to external senders. This tactic will prevent threat actors conducting bounce reconnaissance from getting a notification telling them whether an email address is valid. While this would make an actor think that any email address they test is valid, meaning that all target email addresses on your domain would likely make it into the final target list, it would prevent them from being alerted if a test address is invalid. In this case, any email they send to an illegitimate address would simply go into a black hole and they would be none the wiser.
Another strategy is to configure your inbound email filter to look for inbound emails with no content. Since these emails are often used as a precursor for a follow-up attack, notifications of this nature would allow your team to alert targets to be cautious of any suspicious activity and block additional phishing emails before they reach the inbox. If you don’t know how to get started with DMARC, or Domain-Based Message Authentication, Reporting, and Conformance, read our recent guide here.