{"id":13264,"date":"2019-05-03T00:04:26","date_gmt":"2019-05-02T20:04:26","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/brazil-spam-mail-takeover\/13264\/"},"modified":"2019-11-15T15:22:19","modified_gmt":"2019-11-15T11:22:19","slug":"brazil-spam-mail-takeover","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/brazil-spam-mail-takeover\/13264\/","title":{"rendered":"Sending spam ain’t good for business"},"content":{"rendered":"

Not long ago, we were approached by a major Brazilian company looking for help investigating an incident. The essence of the problem was that cybercriminals had started to distribute spam using employees\u2019 addresses. That is, they were not posing as legitimate senders, as is often the case; they were sending messages directly through the company\u2019s mail server. After a thorough investigation, we were able to establish the attackers\u2019 precise modus operandi.<\/p>\n

Attack scheme<\/h2>\n

First, the fraudsters sent phishing e-mails to company employees, telling recipients their mailbox was about to be blocked for some reason or another and inviting them to click a link to update their account details. The link, of course, led to a phishing form asking for system login credentials.<\/p>\n

\"Phishing<\/a>

Translation: Dear user, your mailbox is about to be deleted because too many messages have been left unread. To avoid this, click here to update your account. We apologize for the inconvenience. System administrator.<\/p><\/div>\n

The victims completed the form, giving the scammers full access to their mail accounts. The scammers began sending spam from the compromised accounts, not even needing to alter the messages\u2019 technical headers, because they were already legitimate. The spam therefore came from reputationally sound servers and did not arouse filters\u2019 suspicion.<\/p>\n

After gaining control of the mailboxes, the cybercriminals proceeded to the next wave of mailings. In this case, the fraudsters sent \u201cNigerian spam<\/a>\u201d in various languages (although in theory the spam could be anything, from offers for black market pharmaceuticals to malware).<\/p>\n

\"Nigerian<\/a>

Sample \u201cNigerian spam\u201d message<\/p><\/div>\n

The analysis showed that the Brazilian company was not the only victim.\u00a0The same message was also sent in large quantities from the addresses of various state and nonprofit organizations, which added even greater reputational weight to the messages.<\/p>\n

Greater implications<\/h2>\n

Having your servers used to send out fraudulent offers does not look good. If the attackers switch to malware distribution, it could be game over for your company\u2019s reputation.<\/p>\n

But the consequences get worse. It is not uncommon for employees\u2019 mailbox login credentials to be the same as their domain username and password, meaning stolen credentials can be used to gain access to other corporate services as well.<\/p>\n

Also, by gaining access to the mailbox of an employee of a reputable organization, cybercriminals can try to engineer a targeted attack against colleagues, business partners, or government officials. Such attacks are hard to pull off, requiring first-rate social engineering skills to persuade the victim to perform all necessary actions, but the damage they cause can be unpredictably high.<\/p>\n

This kind of fraud is categorized as a business e-mail compromise<\/em> (BEC), and it can create major headaches for affected companies. Essentially, the fake sender attempts to obtain account data, financial documents, and other confidential information through correspondence. BEC messages are very difficult to detect; they come from a real address with proper headers and relevant content.<\/p>\n

How to secure your company and employees<\/h2>\n

To protect your company\u2019s reputation and avoid becoming a malicious spammer, we advise using a reliable protection solution<\/a> that can track phishing attempts on both the mail server and employee workstations. And it should go without saying that it\u2019s critically important to update heuristic antispam databases and antiphishing components regularly.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Cybercriminals take control of corporate mail accounts to send filter-dodging spam.<\/p>\n","protected":false},"author":2495,"featured_media":13265,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[80,2095,240],"class_list":{"0":"post-13264","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-fraud","10":"tag-mail","11":"tag-spam"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/brazil-spam-mail-takeover\/13264\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/brazil-spam-mail-takeover\/15735\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/brazil-spam-mail-takeover\/17644\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/brazil-spam-mail-takeover\/15789\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/brazil-spam-mail-takeover\/14493\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/brazil-spam-mail-takeover\/18377\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/brazil-spam-mail-takeover\/17271\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/brazil-spam-mail-takeover\/22686\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/brazil-spam-mail-takeover\/5941\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/brazil-spam-mail-takeover\/26855\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/brazil-spam-mail-takeover\/11676\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/brazil-spam-mail-takeover\/11791\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/brazil-spam-mail-takeover\/10673\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/brazil-spam-mail-takeover\/19150\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/brazil-spam-mail-takeover\/23175\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/brazil-spam-mail-takeover\/18338\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/brazil-spam-mail-takeover\/22571\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/brazil-spam-mail-takeover\/22506\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/spam\/","name":"spam"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2495"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13264"}],"version-history":[{"count":4,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13264\/revisions"}],"predecessor-version":[{"id":14443,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13264\/revisions\/14443"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13265"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}