Sending spam ain’t good for business

Not long ago, we were approached by a major Brazilian company looking for help investigating an incident. The essence of the problem was that cybercriminals had started to distribute spam using employees’ addresses. That is, they were not posing as legitimate senders, as is often the case; they were sending messages directly through the company’s mail server. After a thorough investigation, we were able to establish the attackers’ precise modus operandi.

They were not posing as legitimate senders, as is often the case; they were sending messages directly through the company's mail server.

Attack scheme

First, the fraudsters sent phishing e-mails to company employees, telling recipients their mailbox was about to be blocked for some reason or another and inviting them to click a link to update their account details. The link, of course, led to a phishing form asking for system login credentials.

Phishing message

Translation: Dear user, your mailbox is about to be deleted because too many messages have been left unread. To avoid this, click here to update your account. We apologize for the inconvenience. System administrator.

The victims completed the form, giving the scammers full access to their mail accounts. The scammers began sending spam from the compromised accounts, not even needing to alter the messages’ technical headers, because they were already legitimate. The spam therefore came from reputationally sound servers and did not arouse filters’ suspicion.

After gaining control of the mailboxes, the cybercriminals proceeded to the next wave of mailings. In this case, the fraudsters sent “Nigerian spam” in various languages (although in theory the spam could be anything, from offers for black market pharmaceuticals to malware).

Nigerian spam

Sample “Nigerian spam” message

The analysis showed that the Brazilian company was not the only victim. The same message was also sent in large quantities from the addresses of various state and nonprofit organizations, which added even greater reputational weight to the messages.

Greater implications

Having your servers used to send out fraudulent offers does not look good. If the attackers switch to malware distribution, it could be game over for your company’s reputation.

But the consequences get worse. It is not uncommon for employees’ mailbox login credentials to be the same as their domain username and password, meaning stolen credentials can be used to gain access to other corporate services as well.

Also, by gaining access to the mailbox of an employee of a reputable organization, cybercriminals can try to engineer a targeted attack against colleagues, business partners, or government officials. Such attacks are hard to pull off, requiring first-rate social engineering skills to persuade the victim to perform all necessary actions, but the damage they cause can be unpredictably high.

This kind of fraud is categorized as a business e-mail compromise (BEC), and it can create major headaches for affected companies. Essentially, the fake sender attempts to obtain account data, financial documents, and other confidential information through correspondence. BEC messages are very difficult to detect; they come from a real address with proper headers and relevant content.

How to secure your company and employees

To protect your company’s reputation and avoid becoming a malicious spammer, we advise using a reliable protection solution that can track phishing attempts on both the mail server and employee workstations. And it should go without saying that it’s critically important to update heuristic antispam databases and antiphishing components regularly.