Quote:

Not long ago, we were approached by a major Brazilian company looking for help investigating an incident. The essence of the problem was that cybercriminals had started to distribute spam using employees’ addresses. That is, they were not posing as legitimate senders, as is often the case; they were sending messages directly through the company’s mail server. After a thorough investigation, we were able to establish the attackers’ precise modus operandi.

Attack scheme

First, the fraudsters sent phishing e-mails to company employees, telling recipients their mailbox was about to be blocked for some reason or another and inviting them to click a link to update their account details. The link, of course, led to a phishing form asking for system login credentials.

The victims completed the form, giving the scammers full access to their mail accounts. The scammers began sending spam from the compromised accounts, not even needing to alter the messages’ technical headers, because they were already legitimate. The spam therefore came from reputationally sound servers and did not arouse filters’ suspicion.

After gaining control of the mailboxes, the cybercriminals proceeded to the next wave of mailings. In this case, the fraudsters sent “Nigerian spam” in various languages (although in theory the spam could be anything, from offers for black market pharmaceuticals to malware).

The analysis showed that the Brazilian company was not the only victim. The same message was also sent in large quantities from the addresses of various state and nonprofit organizations, which added even greater reputational weight to the messages.