Nextworks Logo
Back to Nextworks  

The Ubiquitous Heist

Examination
   

HOW THE #1 EMAIL SCAM WORKS

April 2022 | Nextworks


do not trust spam

Does the following sound too good to be true?

Work from home. Be your own boss. Earn $10-$50 thousand a month. Work only a few hours a day. No degree required. All you need to know is how to make a simple web site.

There is an easy means to make this quite true. What’s the catch? It’s illegal.

It's a scam and it is quite simple. But it delivers, year after year.

But first, a clarification for the purpose of this article is required. The intent is to disclose the workings of a common scam. We’re not divulging any secrets nor training criminals. Described here is a well-known trick.

By being informed your likelihood of falling prey is mitigated.


Phase 1 - Let’s go Phishing

Ready to make some money? Let's go on a “phishing” trip first.

Put on Your Camouflage

Signup for a web proxy service to mask your Internet activity. There are many companies to choose from. These are legitimate and legal services.

Gather Email Addresses

A thousand is a good start. You can purchase lists online or gather them on your own from surfing. While it is legal to purchase bulk email addresses, various local laws have restrictions on your ability to market to them. (What does that matter to a criminal anyway?)

Create Some Anonymous Free Email Accounts

You can use Google, Microsoft, Yahoo, etc. This costs you nothing. The mail provider will eventually detect what you are doing and close your account. But you can keep making new accounts.

Prepare your Bait

Make a graphical, professional looking forgery of a “call to action” email from Microsoft, Google, etc. One of the most common forgeries is a notification that your “Microsoft 365 mailbox is almost full. Click here to log in.” This will link to a web site that you create. (We’ll use this scheme as an example going forward.)

Ready your Net

This is the only step that requires some technical know-how.

Construct a small web site that looks like a Microsoft login page. Find a foreign Internet company to host it. All your web site will do is display a Microsoft logo and ask for an email address and password. As people attempt to log in, the credentials they provide are saved.

You can stop there if you want. All you care about is gathering credentials. But if you want to not raise any suspicion once they “log in”, you could pop up an “Approve 100 gigabytes of additional storage for $2/month” button. Once clicked, it confirms the account change was made and they will see the rate increase on their next billing cycle.

Cast Your Phishing Rod

Send your “mailbox almost full” emails and wait for passwords to accumulate. The phish will bite.... a lot.

Sort your Catch

Now it’s time to start logging into Microsoft 365 accounts. Many folks have 2FA enabled. You won’t be able to get into these. We throw these overboard. But many work. These are keepers. You had a good day of phishing. Go play some disk golf.


Phase 2 - Clean Your Phish

This part takes a bit of time and patience. You will be logging into a lot of accounts and reading a lot of email. What you are looking for is people in accounting. A conversation with a buyer and seller with transactions in the tens of thousands of dollars is what you are after. Once you’ve found what you are looking for, learn more about the relationship between the two parties. Take notes. Copy email signatures. Who is sending money to whom and what for? How often and how much? What's their usual demeanor?


Phase 3 – Cook Your Phish

It’s now time to start a new conversation or hijack an existing one. You will deploy what’s called spoofing. You will pretend to be one of the two parties. Your goal is to intersect a money transfer. Here is an example:

Tim at accounting@abc-hvac.com regularly talks to Julie at julie@xyz-controlsystems.com about periodically restocking their supply of thermostats. Tim and Julie have worked together in the past.

Make a Gmail account called xyz-controlsystems@gmail.com. Recreate Julie’s email signature and company logo. Use this new email account to send an email to Tim stating that the ACH information changed because XYZ Control Systems has a new bank. Give Tim your (foreign) bank routing information. Sign your email as Julie.

Tim will receive the email from “Julie” with the new bank account information. Tim updates his accounts payables database, and considers the matter closed.

The next time Tim places an order for thermostats, ABC HVAC Services will not send $15,000 to XYZ Control Systems. The money will go to your bank. Once received, you immediately transfer the money elsewhere.


Okay. What Just Happened Here?

To accomplish this scam, you needed either Tim or Julie’s password to learn about their business relationship. Note that you did not need to login as either of them again once you learned about how they work together. You were able to use your Gmail account to do the rest. All you needed was context.

How was this so easy? Two mistakes were made:

  1. Either Tim or Julie fell for the “Your Mailbox is Almost Full” email. They went to a web site that was not microsoft.com and provided their email address and password. They didn’t notice that the URL was wrong.

  2. Tim didn’t notice that the email from Julie was not from julie@xyz-controlsystems.com. Instead, it was from xyz-controlsystems@gmail.com. He just saw the name Julie In the “From” address and recognized the logo in her email signature.

Is the Money Really Gone?

There is no credit card protection here. Your bank will likely be of little assistance They are not at fault. The money is likely gone.


Scam Variations

There are variations on this scam. Sometimes the criminals will actually send the email from the hijacked email account. They will then cover their tracks by deleting the email from the “Sent” folder. They may also create email “Rules” to direct any replies to the trash so that their activity goes unnoticed.


How Can I Stay Safe?

Always maintain situational awareness. Stay alert. Be informed. Remember in the old days how we would pick up the phone and talk to people? If asked to send money elsewhere, call to confirm. Don’t rely on the phone number in the questionable email. Dial the phone number that you already know. Enable 2FA for your email. Trust but verify.


[ Return to News & Commentary home. ]

Celebrating our 11th Year Anniversary!