Weekly review 44

09.11.2021 - The number of reports received by the NCSC was moderate last week. Aside from numerous phishing emails, there were numerous Microsoft Exchange Server attacks. Malware emails were sent via the hacked servers. Moreover, a new type of scam showed how people end up on a dubious website after a quote request for a subsea bolt tensioner.

Malware emailed after an Exchange Server attack

A fortnight ago, we reported on the increase in emails that use previous email correspondence. Links to malware are added to the emails, which are then reused and sent once again to the recipient. Due to the previous correspondence, the victim is tricked into opening a document and thus installing malware.

The attackers need to have access to the sender's or recipient's account in order to reach this correspondence. The QakBot malware used in recent cases has a module for this purpose, which can extract the emails from the Outlook client using stolen access data and upload them to a remote server. This correspondence is then used for further attacks. However, the fake emails themselves are usually sent via the attackers' infrastructure and can thus be identified as forgeries.

In recent days, there has been a growing number of reports that such emails are being sent via the company's actual email infrastructure. At the very least, the attackers are thus using the access data of a company email account that has been hacked to send the emails. However, the NCSC has indications that access is gained not only via leaked access data for email accounts, but also directly through an Exchange Server vulnerability.

  • The NCSC recommends as a matter of urgency that operators of Microsoft Exchange servers apply all appropriate patches and keep their servers up to date.
  • Microsoft Exchange servers must not be directly accessible from the internet. Either place a WAF (web application firewall) upstream or place an SMTP filtering proxy in front of the Exchange Server.

Quote request with fraudulent ulterior motives

Last week, the NCSC was informed about a strange email that was supposedly sent to various companies on behalf of SBB. It contained a request for a quote for a very specific model of bolt tensioner that can be used underwater. The email indicated that this very exclusive product was probably not available in the portfolio and would have to be procured from a third-party company. The urgency of the order was also pointed out.

RFQ for a subsea bolt tensioner
RFQ for a subsea bolt tensioner

The first hit in a Google search for the product is a company that sells precisely the desired model. The name of the model to be ordered is available solely on this website and does not exist anywhere else. Coincidentally, this company is based in Switzerland and has a Swiss telephone number. The rare part can thus be ordered easily. It seems that the order can be completed quickly and is also likely to yield a corresponding profit.

But where exactly is the hitch in this apparently innocuous request? The attackers assume that the company will want to find out about the bolt tensioner on the internet and, in particular, who could supply such a part. And that is precisely where the pitfall is lurking!

Google search for the model of subsea bolt tensioner
Google search for the model of subsea bolt tensioner

It is only on closer inspection and analysis of the website that the inconsistencies emerge. The website was not created until 1 October 2021, one month before the actual fraud, so that Google would index the page. The contact address given does not exist and there is no entry in the commercial register either. It is assumed that the scammers created this website specifically to lure people interested in the subsea bolt tensioner to the site and to persuade them to make an advance payment. It goes without saying that the product is never delivered. This type of fraud is also known as request for quote or quotation fraud.

  • Before buying anything online, check that the company in question is reputable.
  • Aside from information on the internet, checking the commercial register number or the address can also give clues about a company's reliability.

Last modification 09.11.2021

Top of page