Starting on 2 November 2022, I began to see posts like:
"We're seeing some incredibly targeted phishing attacks happening this morning. They're referring to specific email chains that have happened in the past. It looks like a data breach [..] is being used to harvest actual emails to make a very believable phishing email. What's going on?"
This is likely to be EMOTET, a well-known cybercrime group historically based in Ukraine.
I've previously written about how difficult and time-consuming it is to launch an international cybercrime investigation. However, the EMOTET group was raided in January 2021 following the collaboration of 15 law enforcement agencies across 8 countries.
At the time of the raid, Europol described them as "one of the most professional and long lasting cybercrime services out there" and "one of the most significant botnets of the past decade."
Unfortunately, the criminal operation was rebuilt within 10 months of the raid. And this latest activity ends a four-month pause in operations over the summer of 2022.
So why do we see a return to operation now?
Thinking Like a Hacker
It's easy to speculate that someone in the criminal organisation thought, "I need more cash..."
Which quickly leads to "We need more malware infections..."
With Black Friday and Cyber Monday just around the corner, what better time to launch a cybercrime campaign?
The Cybercrime Escalation Game
Phishing has long been a preferred way to deliver malware to victims. And as Europol stated at the time of the raids, "The EMOTET group managed to take email as an attack vector to [the] next level."
So, as a member of the EMOTET group, how would you send the phishing email?
Option One is to send a cold email from a spoofed domain. However, as more businesses deploy email authentication (SPF and DKIM, enforced by a DMARC policy that tells receivers to reject failures) and email clients flag suspicious messages, this avenue becomes less valuable.
Option Two is to pretend to be the CEO of a company. However, security awareness training is having an impact. Demanding the urgent purchase of gift cards for customers has become a trope and is straightforward for many people to spot.
Option Three is to hijack an ongoing business transaction. This is the foundation of Business Email Compromise (BEC): an attack where the bank details on a valid transaction are switched at the last moment before payment. It's also why your bank will ask if you've verified the recipient's bank account details.
One of the challenges hackers face with Business Email Compromise attacks is that large payments are scarce.
Is it worth the effort for the one or two $100k-$5M payments a month?
Maybe... but it's risky.
What if the cybercriminal is asleep when the transaction is made?
So the EMOTET group uses a variation of the Business Email Compromise attack: rather than waiting for a live transaction, it replies to old email threads harvested from previously compromised mailboxes. The reply appears to come from a trusted correspondent, quotes a genuine (albeit out-of-date) exchange, and carries the malware as an attachment.
As the Europol investigation found, "Through a fully automated process, EMOTET malware was delivered to the victims' computers via infected email attachments."
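The thread-hijack pattern described above can be turned into a mailbox-side check. What follows is an added example, not code from the original post or from any EMOTET analysis: the three messages, the addresses and the domains (acme.example, partner.example, acme-invoices.example) are constructed, and the 90-day staleness threshold is an assumed tuning value. It flags a reply that references a message we already hold, comes from an address that never took part in that thread while keeping the original sender's display name, arrives after a long silence, and carries a macro-capable attachment. Note that SPF or DKIM would not help here: the attacker's look-alike domain can pass both.

```python
"""Heuristics for a hijacked-thread phish (added example, not from the original post).

All messages below are constructed samples. Domains acme.example, partner.example and
acme-invoices.example are placeholders; STALE_AFTER is an assumed tuning value."""
import email
from email import policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
from datetime import timedelta

STALE_AFTER = timedelta(days=90)   # assumed: how long a thread must have been idle to look odd
MACRO_EXTS = (".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".zip")

# The genuine message sitting in Bob's mailbox (constructed sample).
ORIGINAL = """\
From: Alice Smith <alice.smith@acme.example>
To: Bob Jones <bob.jones@partner.example>
Subject: Q1 invoice
Date: Tue, 15 Feb 2022 10:12:00 +0000
Message-ID: <orig-1@acme.example>
Content-Type: text/plain

Bob, attached is the Q1 invoice as discussed.
"""

# Months later a "reply" arrives from a look-alike domain, quoting the old thread (constructed).
HIJACKED_REPLY = """\
From: Alice Smith <alice.smith@acme-invoices.example>
To: Bob Jones <bob.jones@partner.example>
Subject: RE: Q1 invoice
Date: Thu, 03 Nov 2022 07:41:00 +0000
Message-ID: <m-9@acme-invoices.example>
In-Reply-To: <orig-1@acme.example>
References: <orig-1@acme.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, please see the corrected figures in the attached sheet.

> Bob, attached is the Q1 invoice as discussed.

--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="Q1_invoice_corrected.xls"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

# A normal follow-up two days later from the real correspondent (constructed).
LEGIT_REPLY = """\
From: Alice Smith <alice.smith@acme.example>
To: Bob Jones <bob.jones@partner.example>
Subject: RE: Q1 invoice
Date: Thu, 17 Feb 2022 09:00:00 +0000
Message-ID: <orig-2@acme.example>
In-Reply-To: <orig-1@acme.example>
Content-Type: text/plain

Bob, any questions on the invoice?
"""


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def addresses(msg, *headers):
    """Lower-cased addresses appearing in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def analyse(raw_reply, mailbox):
    """Return findings for a reply; `mailbox` maps Message-ID -> message we already hold."""
    reply = parse(raw_reply)
    refs = (str(reply.get("In-Reply-To", "")) + " " + str(reply.get("References", ""))).split()
    parent = next((mailbox[r] for r in refs if r in mailbox), None)
    if parent is None:
        return []                                   # not a reply to a thread we hold
    findings = []
    gap = parsedate_to_datetime(str(reply["Date"])) - parsedate_to_datetime(str(parent["Date"]))
    if gap > STALE_AFTER:
        findings.append(f"revives a thread idle for {gap.days} days")
    name, addr = parseaddr(str(reply["From"]))
    if addr.lower() not in addresses(parent, "From", "To", "Cc"):
        findings.append(f"sender {addr} never took part in the original thread")
        orig_name, orig_addr = parseaddr(str(parent["From"]))
        if name and name.lower() == orig_name.lower():
            findings.append(f"display name '{name}' matches {orig_addr} but the address differs")
    for part in reply.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(MACRO_EXTS):
            findings.append(f"macro-capable attachment {filename}")
    return findings


MAILBOX = {"<orig-1@acme.example>": parse(ORIGINAL)}

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_REPLY), ("legitimate", LEGIT_REPLY)):
        print(label, analyse(raw, MAILBOX) or ["no findings"])
```

The check keys on the Message-ID in In-Reply-To/References because that is what a thread-hijack reply must carry to land in the victim's conversation view; a reply that references nothing we hold is left to the usual controls.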
What Can You Do to Protect Yourself?
If you've been reading Fresh Thoughts for a while, you'll know many of the preparation steps.
Take a multi-layered approach by:
But there's also some specific advice...
Stay within the security measures in place.
Victims of the EMOTET phishing emails of early November 2022 receive a Microsoft Excel file. Luckily, because Office opens documents that carry the Mark of the Web (the zone marker browsers and mail clients add to downloaded files) in Protected View and, by default, blocks their macros, nothing runs automatically.
To become infected, the victim must copy the downloaded Excel file into a directory that Office treats as a Trusted Location (the lure points at the Office Templates folder), where Protected View and the macro block no longer apply, and then reopen the document.
It takes effort to become compromised.
However, the attackers have been kind enough to include a step-by-step how-to in the Excel sheet itself.
If the Microsoft Office security defaults were left to work as designed, there wouldn't be a problem.
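To see why the "copy it somewhere else" step matters, it helps to check both halves of the defence on a real file: whether the download still carries the Mark of the Web, and whether the folder it was copied to is an Office Trusted Location. The script below is an added example, not code from the original post or from Microsoft: the Zone.Identifier stream content, the Trusted Location list and the paths under a user named bob are constructed samples, and the two read_* helpers assume the Office 16.0 registry layout and only work on Windows (NTFS alternate data streams and the registry); the parsing and path matching run anywhere.

```python
"""Mark of the Web and Trusted Locations (added example, not from the original post).

Parsing and path matching run anywhere and use constructed samples; the two read_* helpers
need Windows (NTFS alternate data streams and the registry) and assume the Office 16.0
registry layout. The sample paths assume a user named bob."""
import os
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# What a browser or mail client writes into the Zone.Identifier stream (constructed sample).
SAMPLE_ZONE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                      "ReferrerUrl=https://mail.example/\r\n"
                      "HostUrl=https://mail.example/attachments/Q1_invoice.xls\r\n")


def parse_zone_id(stream_text):
    """ZoneId from a Zone.Identifier stream, or None if the stream is missing or malformed."""
    in_section = False
    for line in (stream_text or "").splitlines():
        line = line.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif in_section and line.lower().startswith("zoneid="):
            try:
                return int(line.split("=", 1)[1])
            except ValueError:
                return None
    return None


def motw_blocks_macros(zone_id):
    """Office applies Protected View and the internet macro block to Internet (3) and Restricted (4)."""
    return zone_id in (3, 4)


@dataclass(frozen=True)
class TrustedLocation:
    path: str                 # environment variables already expanded, no trailing backslash
    allow_subfolders: bool


# Typical Excel defaults on an Office 16.0 install (constructed list; real values come from
# read_trusted_locations below).
SAMPLE_TRUSTED = [
    TrustedLocation(r"C:\Program Files\Microsoft Office\root\Templates", True),
    TrustedLocation(r"C:\Users\bob\AppData\Roaming\Microsoft\Templates", False),
    TrustedLocation(r"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART", False),
]


def in_trusted_location(file_path, locations):
    """The TrustedLocation whose folder covers file_path, or None. Case-insensitive like NTFS."""
    folder = PureWindowsPath(file_path).parent
    for loc in locations:
        root = PureWindowsPath(loc.path)
        if folder == root or (loc.allow_subfolders and root in folder.parents):
            return loc
    return None


def verdict(file_path, zone_text, locations):
    """Explain whether Office's defaults still protect the user for this file at this path."""
    zone = parse_zone_id(zone_text)
    loc = in_trusted_location(file_path, locations)
    if loc is not None:
        return f"UNPROTECTED: {file_path} is inside Trusted Location {loc.path}; macros run silently"
    if motw_blocks_macros(zone):
        return f"PROTECTED: Mark of the Web zone {zone} ({ZONE_NAMES[zone]}); Protected View applies"
    return f"UNPROTECTED: no Internet-zone Mark of the Web (zone={zone}); file opens normally"


def read_zone_stream(file_path):
    """Windows only: the file's Zone.Identifier alternate data stream, or None if absent."""
    try:
        with open(f"{file_path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def read_trusted_locations(app="Excel", version="16.0"):
    """Windows only: Trusted Locations from the user and policy hives for one Office app."""
    import winreg
    found = []
    for sub_path in (rf"Software\Microsoft\Office\{version}\{app}\Security\Trusted Locations",
                     rf"Software\Policies\Microsoft\Office\{version}\{app}\Security\Trusted Locations"):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub_path)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):        # number of LocationN subkeys
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as loc:
                    try:
                        path = winreg.QueryValueEx(loc, "Path")[0]
                    except OSError:
                        continue
                    try:
                        allow = winreg.QueryValueEx(loc, "AllowSubfolders")[0]
                    except OSError:
                        allow = 0
                    found.append(TrustedLocation(os.path.expandvars(path).rstrip("\\"), bool(allow)))
    return found


if __name__ == "__main__":
    downloads = r"C:\Users\bob\Downloads\Q1_invoice.xls"
    templates = r"C:\Program Files\Microsoft Office\root\Templates\Q1_invoice.xls"
    print(verdict(downloads, SAMPLE_ZONE_STREAM, SAMPLE_TRUSTED))   # where the download landed
    print(verdict(templates, SAMPLE_ZONE_STREAM, SAMPLE_TRUSTED))   # where the lure asks for it
    if sys.platform == "win32" and len(sys.argv) > 1:                # live check on a real file
        print(verdict(sys.argv[1], read_zone_stream(sys.argv[1]), read_trusted_locations()))
```

Copying a file on NTFS keeps its Zone.Identifier stream, so the mark itself survives the move; what disarms the defence is the destination folder being a Trusted Location, which exempts the file from both Protected View and the macro block. That is the setting to audit: if a folder the lure names shows up in the output of read_trusted_locations, either remove it or disable Trusted Locations for users who have no need of them.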
Please don't listen to the bad guys.