Fresh Thoughts #40: Think Like a Hacker


Starting on 2 November 2022, I began to see posts like:

"We're seeing some incredibly targeted phishing attacks happening this morning. They're referring to specific email chains that have happened in the past. It looks like a data breach [..] is being used to harvest actual emails to make a very believable phishing email. What's going on?"

This is likely to be EMOTET, a well-known cybercrime group historically based in Ukraine.

I've previously written about how difficult and time-consuming it is to launch an international cybercrime investigation. However, the EMOTET group was raided in January 2021 following the collaboration of 15 law enforcement agencies across 8 countries.

At the time of the raid, Europol described them as "one of the most professional and long lasting cybercrime services out there" and "one of most significant botnets of the past decade."

Unfortunately, it only took 10 months to rebuild the criminal operation after the raid. And the recent activity ended a 4-month pause in operations over the summer of 2022.

So why do we see a return to operation now?

Thinking Like a Hacker

It's easy to speculate that someone in the criminal organisation thought, "I need more cash."...

Which quickly leads to "We need more malware infections..."

With Black Friday and Cyber Monday just around the corner, when is a better time to launch a cybercrime campaign?

The Cybercrime Escalation Game

Phishing has long been a preferred way to deliver malware to victims. And as Europol stated at the time of the raids, "The EMOTET group managed to take email as an attack vector to [the] next level."

So as a member of the EMOTET group - how could you send the phishing email?

Option One is to send a cold email from a spoofed domain. However, as more businesses deploy email authentication and integrity techniques (SPF, DKIM) and email clients flag suspicious emails, this attack avenue becomes less valuable.

Option Two is to pretend to be the CEO of a company. However, security awareness training is having an impact: demanding the urgent purchase of gift cards for customers has become a trope that many people find straightforward to spot.

Option Three is to hijack an ongoing business transaction. This is the foundation of a Business Email Compromise (BEC): an attack where the bank details in a valid transaction are switched out at the last moment before payment. It's also why your bank asks whether you've verified the recipient's bank account details.

One of the challenges hackers face with Business Email Compromise attacks is that large payments are scarce.

Is it worth the effort for the one or two $100k - $5M payments per month?

Maybe... but it's risky.

What if the cybercriminal is asleep when the transaction is made?

So the EMOTET group use a variation of a Business Email Compromise attack: they hijack and reply to old email threads. The emails appear to come from a trusted person and reference a trusted (albeit out-of-date) email exchange.

As the Europol investigation found, "Through a fully automated process, EMOTET malware was delivered to the victims' computers via infected email attachments."

What Can You Do to Protect Yourself?

If you've been reading Fresh Thoughts for a while, you'll know many of the preparation steps.

Take a multi-layered approach by:

But there's also some specific advice...

Stay within the security measures in place.

Victims of the EMOTET phishing emails sent in early November 2022 received a Microsoft Excel file. Luckily, because Microsoft opens Office documents downloaded from the web in Protected View, the macros will not run automatically.

To become infected, the victim must copy the downloaded Excel file to a different directory and reopen the document.

It takes effort to become compromised.

However, the attackers have been kind and added a how-to inside the infected Excel sheet.

But if the Microsoft Office security defaults were allowed to run as planned… there wouldn't be a problem.
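The defaults the newsletter relies on can be checked rather than assumed. The PowerShell below is an added example (not from the newsletter or from Fresh Security): it reports whether a downloaded file still carries the Mark-of-the-Web that triggers Protected View, and summarises the Excel macro-security settings and Trusted Locations for the current user. The registry paths are the standard Office 2016+ (16.0) locations; the sample file path is an assumption.

```powershell
# Added example (not the newsletter's code). Audits the Office defaults the
# article relies on for the current user. Registry paths are standard Office
# 16.0 locations; the sample file path under Downloads is assumed.

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers write a Zone.Identifier alternate data stream on downloads;
    # ZoneId=3 (Internet) is what makes Office open the file in Protected View.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null }
    }
    $zoneId = $null
    foreach ($line in Get-Content -Path $Path -Stream Zone.Identifier) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotW = $true; ZoneId = $zoneId }
}

function Get-ExcelMacroPosture {
    $policy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
    $user   = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'
    # Group Policy value that blocks VBA in files marked as coming from the internet.
    $blocked = (Get-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    # VBAWarnings: 1 = enable all (dangerous), 2 = disable with notification (default),
    # 3 = signed only, 4 = disable all without notification.
    $vbaWarn = (Get-ItemProperty -Path $user -Name VBAWarnings `
                -ErrorAction SilentlyContinue).VBAWarnings
    # Files in a Trusted Location skip Protected View and macro blocking, so
    # every entry here is a folder where a copied-in workbook would run macros.
    $trusted = Get-ChildItem -Path "$user\Trusted Locations" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath |
                         Select-Object Path, AllowSubfolders, Description }
    [pscustomobject]@{
        InternetMacrosBlockedByPolicy = ($blocked -eq 1)
        VBAWarnings                   = $vbaWarn
        TrustedLocations              = $trusted
    }
}

Get-ExcelMacroPosture | Format-List
Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.xlsx"   # assumed sample file
```

A workbook that reports HasMotW = $false, or a Trusted Location pointing at a user-writable folder, is exactly the condition under which the "copy and reopen" instructions in the phishing sheet would succeed.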

Please don't listen to the bad guys.

November 8, 2022
4 Minutes Read
