
Week 50: Spying on business email


17.12.2024 – As a company, you are constantly in contact with your customers, often by e-mail. Project enquiries and their processing, placing orders, payment and delivery terms – a great deal runs through this communication channel. Fraudsters can take advantage of this with a certain amount of effort, but they first need precise information. If the undertaking succeeds, the damage to the victim can be enormous. A very instructive case on this topic was recently reported to the BACS.

The attackers’ plan

An attack in which unauthorized third parties gain access to a company’s business email traffic is known in cybersecurity as “business email compromise”, or simply “BEC” for short – in German roughly “third-party access to business emails”.

Attackers can gain access to very valuable information by accessing a business account:

  • invoices and payment information;
  • data on projects and customers;
  • technical details of products;
  • customer relationship information.

Depending on what the attacker is after, a different kind of information is in the foreground:

  • Most known BEC cases are about money:
    invoices are manipulated (e.g. with a new payee) and resent under a pretext in the hope that the invoice recipient will trigger the payment. Depending on the amount, the victim may suffer considerable damage;
  • Research and technical data:
    competitors or other interested parties could try to catch up by inspecting sensitive documents;
  • Projects and offers:
    with this information, a competitor can try to gain a competitive advantage and, for example, land important contracts.

The case reported to the BACS and described here belongs to the last point – it is probably a form of industrial espionage.

The compromise of a business account

It starts with an attempt to gain access to an email account – preferably that of a person who deals with the documents of interest to the attacker. These can be accounting staff, research managers, project managers or members of the executive board.

In many cases, customer relationships and employment relationships can be found directly on the website of the respective company, and they are often also researched on LinkedIn.
Next, the target receives a phishing email asking them to enter the password of their email account. This brings the attackers closer to their goal – at least if two-factor authentication is not enabled.

When accessing the account for the first time, the attackers often try to set up forwarding rules: in this way they receive a copy of the victim’s complete email traffic and can remain undetected for a longer period of time.

The deception machinery

In the present case, the perpetrators went even further. After the initial access, they registered similar-looking domains for the Internet domains of several customers as well as for the domain of the company concerned (e.g. “firma-x.ch”). They used the top-level domain “.cam” for this purpose. For example, the customer “kunde-1.com” became “kunde-1.cam”, the contractor “firma-x.ch” became “firma-x.cam”, and so on.

The “.cam” top-level domain has been active for several years and was originally intended for the manufacturing industry (CAM stands for “Computer Aided Manufacturing”). Today, however, it is also used for the photo and video sector (“camera”). It was pointed out early on that “.cam” could lead to misunderstandings because of its similarity to the widely used “.com” domain. It is precisely this risk of confusion that is exploited in this case.

The fraudsters can now insert themselves into the communication between the customer and the company, pretending to each side to be the other. For example, they write a message from “firma-x.cam” to “kunde-1.com” containing a request. A possible reply (again addressed to “firma-x.cam”) can then be passed on to “firma-x.ch”, but now with the sender “kunde-1.cam”, so that the reply is also routed through the fraudsters’ environment.
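One defensive check for the scheme described above is to compare every sender domain against the allow-list of the company’s own and its customers’ domains and flag domains that share a label but differ in TLD (firma-x.ch vs. firma-x.cam, kunde-1.com vs. kunde-1.cam). This is an added example, not code from the BACS report; the domain names and sample headers are constructed, and it goes slightly beyond the case by also catching single-character typo-squats such as kunde-l.com.

```python
from email.utils import parseaddr

# Constructed allow-list: the company's own domain plus its customers' domains.
KNOWN_DOMAINS = {"firma-x.ch", "kunde-1.com", "kunde-2.com"}

# Constructed sample From: headers, modelled on the lookalike scheme described above.
SAMPLE_FROM_HEADERS = [
    "Projektleitung <projekte@firma-x.ch>",
    "Einkauf <einkauf@kunde-1.com>",
    "Projektleitung <projekte@firma-x.cam>",
    "Einkauf <einkauf@kunde-1.cam>",
    "Einkauf <einkauf@kunde-l.com>",
    "Newsletter <news@example.org>",
]

def label_of(domain: str) -> str:
    """Part before the last dot; multi-part suffixes (.co.uk) are not special-cased."""
    return domain.rpartition(".")[0]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for the domain in a From: header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in known:
        return "known"
    for k in known:
        # Same label under another TLD (firma-x.ch -> firma-x.cam, kunde-1.com -> kunde-1.cam)
        # or a single-character difference anywhere (kunde-1.com -> kunde-l.com).
        if label_of(domain) == label_of(k) or edit_distance(domain, k) <= 1:
            return "lookalike"
    return "unrelated"

def flagged_senders(headers=SAMPLE_FROM_HEADERS):
    """List (address, verdict) for every header whose domain is not on the allow-list."""
    return [(parseaddr(h)[1], classify_sender(h)) for h in headers
            if classify_sender(h) != "known"]

if __name__ == "__main__":
    for addr, verdict in flagged_senders():
        print(f"{verdict:10} {addr}")
```

In a mail gateway or SIEM rule, a "lookalike" verdict is the one worth alerting on: "unrelated" senders are ordinary external mail, but a near-match to a partner domain that is not the partner is exactly the signal this case produced.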

Schematic representation of pre- and post-compromise communications
Fortunately, such cases are rare and often come to light, for example because other employees of the contractor are also in contact with the customer, or because the people involved also speak by phone – then information suddenly contradicts itself. Someone may also notice the fake email addresses, or an attentive system administrator may see access to the email systems from unusual IP addresses.

In the reported case, too, greater damage could be averted.

Recommendations

  • Raise awareness of this type of fraud among key people;
  • Enable two-factor authentication on accounts (especially email) that are potentially reachable from the Internet;
  • If possible, limit access to such accounts to smaller address ranges, e.g. addresses that can be assigned to Switzerland, or use a VPN;
  • Periodically check the forwarding rules on your email accounts;
  • If there are requests to change payment details (e.g. a new bank account), verify them with the payee, preferably by telephone;
  • In the event of a successful compromise and financial loss, report the case to the police.

Current figures and statistics

The number of reports received last week, by category, is published at:
