Changed structure in forwarded HTML emails can lead to "improved" Business Email Compromise attacks


netcarver

Looks like the next level of Business Email Compromise just became unlocked (if it wasn't already.) Lutra Security have a nice write-up on the attack they are calling "Kobold Letters".

Basically, email clients change the DOM of the email when they forward it, allowing different CSS to apply between the first recipient viewing an email, and subsequent recipients. Allows an innocent-looking "request to forward to the CFO" phishing email to the CEO to become a "request to send funds/data" when received by the CFO from the CEO.

Explicit verification of the request contents needed now, not just a "Did you send me a message?" question which only verifies that the message was forwarded.

Something to be aware of if you work in a team or are responsible for any kind of staff training on phishing etc.
 


On 4/6/2024 at 7:58 PM, wbmnfktr said:

Why is it that the bad guys are always so creative? They have the nicest hacks and ideas.

Have you ever listened to the podcast Darknet Diaries - this is the exact vibe I always get about how these hackers are operating. Begrudging admiration for the ideas they come up with.

 

On 4/6/2024 at 5:19 PM, netcarver said:

Looks like the next level of Business Email Compromise just became unlocked (if it wasn't already.) Lutra Security have a nice write-up on the attack they are calling "Kobold Letters".

Basically, email clients change the DOM of the email when they forward it, allowing different CSS to apply between the first recipient viewing an email, and subsequent recipients. Allows an innocent-looking "request to forward to the CFO" phishing email to the CEO to become a "request to send funds/data" when received by the CFO from the CEO.

Explicit verification of the request contents needed now, not just a "Did you send me a message?" question which only verifies that the message was forwarded.

Something to be aware of if you work in a team or are responsible for any kind of staff training on phishing etc.
 

Given that most email css is inlined, does this require the machine or platform of the mailbox doing the forwarding to be compromised? Otherwise how are they modifying the CSS without the forwarder's intervention?

I guess a dodgy browser extension could also do this 😕 I.e. target the CSS of known mailboxes e.g. when you visit gmail or outlook.

 

EDIT: After reading the article I realise I misunderstood the concept. So they're not modifying existing emails, they're sending an email with this method built in as a hidden payload. I guess the lesson being to ensure trust of the original message.

Edited by JayGee
Answering my own question!

7 hours ago, JayGee said:

So they're not modifying existing emails, they're sending an email with this method built in as a hidden payload.

Yes, that's right - it's all included in the original email.

7 hours ago, JayGee said:

I guess the lesson being to ensure trust of the original message

Ideally yes, but it's now possible for what the first recipient sees to be totally benign, just requesting the message be forwarded to another decision maker in your organisation.  Once the forward happens, the message the 2nd recipient sees can be totally different to what the first recipient saw.  So now the content of the forwarded message needs to be validated - not just a quick check that the first recipient actually forwarded a message to the 2nd recipient.

If that's already part of the standard-operating-procedure (SOP) in your organisation, then I think you are OK. If that's not the case, then the SOP needs to be updated so validation of the forwarded content actually happens.

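
A defensive illustration of the point discussed above (an added example, not part of the original thread or of Lutra Security's write-up): a gateway-style check that flags HTML bodies whose `<style>` rules hide a class under one selector and show it under another, meaning the visibility of that content depends on the surrounding DOM. The function name, sample message and class names are constructed for illustration, and the check only looks at `display` and class selectors.

```python
import re
from html.parser import HTMLParser

class StyleCollector(HTMLParser):
    """Collects the text of every <style> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []
    def handle_starttag(self, tag, attrs):
        self.in_style = (tag == "style")
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")          # selector list { declarations }
DISPLAY = re.compile(r"(?:^|;)\s*display\s*:\s*([a-z-]+)", re.I)
CLASS = re.compile(r"\.([\w-]+)")

def context_dependent_visibility(html_body):
    """Return {class: [(selector, display value), ...]} for every class that one
    rule hides (display:none) while another rule shows it."""
    collector = StyleCollector()
    collector.feed(html_body)
    css = re.sub(r"/\*.*?\*/", "", "".join(collector.css), flags=re.S)
    seen = {}
    for selectors, body in RULE.findall(css):
        m = DISPLAY.search(body)
        if not m:
            continue
        for selector in selectors.split(","):
            selector = selector.strip()
            # The element a rule styles is the last compound selector in the chain.
            subject = re.split(r"[\s>+~]+", selector)[-1]
            for cls in CLASS.findall(subject):
                seen.setdefault(cls, []).append((selector, m.group(1).lower()))
    return {c: r for c, r in seen.items()
            if any(v == "none" for _, v in r) and any(v != "none" for _, v in r)}

# Constructed sample message body (hypothetical class names, placeholder text).
SAMPLE = """<html><head><style>
.note { display: none; }
.wrapper > .note { display: block; }
.footer { display: block; }
</style></head><body><p>Visible text</p><p class="note">Placeholder</p></body></html>"""

if __name__ == "__main__":
    print(context_dependent_visibility(SAMPLE))
```

A hit is a reason to quarantine the message or render it with `<style>` blocks stripped, not proof of malice, since legitimate responsive templates also toggle `display`.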

23 hours ago, szabesz said:

Nice?

Nice as in... creative, impressive, stunning, unexpected.

I really like how creative those bad guys are sometimes. These people would earn good money in QA - ok, probably even better when doing their bad stuff. Still I am more often impressed by how some people can think and how simple some things are. Similar to dark patterns and deceptive design. Not that nice to use those, but still clever.

 

7 hours ago, JayGee said:

Have you ever listened to the podcast Darknet Diaries

Oh... I probably should. Will look it up. Could be totally my thing.

