Name:
Threat Hunting Scenario: Real Estate Scams
TTP:
T1586.002 Compromise Accounts: Email Accounts, T1189 Drive-by Compromise, T1534 Internal Spearphishing, T1599.001 Network Boundary Bridging: Network Address Translation Traversal, T1566 Phishing, T1204.001 User Execution: Malicious Link
Hypothesis:
Attackers are compromising the email accounts of real estate agents and property owners and using them to run rental scams against prospective tenants, who are deceived into paying deposits or rent for properties the attacker does not control.
Campaign Type:
Entity Driven
Data Sources:
- Email logs
- Network traffic logs
- Web server logs
- User activity logs
Tools:
- Email security tools
- Network monitoring tools
- Web application firewalls
- User behavior analytics tools
Scenario:
Initial Access: Attackers gain control of an agent's or property owner's email account through credential phishing, browser exploitation, or drive-by compromise.
Weaponization: From the compromised account, attackers send phishing emails to prospective tenants and buyers, impersonating the legitimate real estate agent or property owner whose mailbox they now control.
Delivery: Victims receive phishing emails containing malicious links or attachments.
Exploitation: Victims click on malicious links or open attachments, leading to malware infection or credential theft.
Installation: Malware may be installed on the victim’s device, allowing attackers to gain further access and control.
Command and Control: Attackers establish command and control over compromised devices to exfiltrate data or launch additional attacks.
Actions on Objectives: Attackers use the compromised accounts to run the rental scam itself, deceiving victims into paying deposits or rent for fake or unavailable properties, typically by redirecting replies and payment details to attacker-controlled addresses.
Exfiltration: Attackers may exfiltrate sensitive data, such as personal information and financial details, from victims’ devices or accounts.
Impact: Victims suffer financial losses, identity theft, and reputational damage. Organizations may experience operational disruptions, compliance implications, and loss of trust.
Hunting Strategy:
Monitor outbound email from agent and owner mailboxes for suspicious patterns, such as sudden bursts of messages to external recipients, Reply-To addresses on a different domain than the sender, or payment instructions (deposits, wire or app transfers) in the subject or body.
Analyze network traffic for connections to known malicious IP addresses or domains.
Inspect web server logs for requests to suspicious websites or pages.
Track user activity for anomalies, such as login attempts from unusual locations or devices.
Correlate events from different data sources to identify potential email account compromises and real estate scams.
Investigate suspicious emails, user activity, and network connections.
Remediate compromised accounts by resetting passwords, revoking access, and implementing security updates.
Educate users about phishing and social engineering tactics.
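The correlation step above (a suspicious login followed by scam mail from the same mailbox) is the core of this hunt, so the following added example shows it as working detection logic. It is illustrative code written for this page, not part of any product or the original scenario; the key=value log format, the field names (user, geo, reply_to, subject), the domains and every log line are constructed for the example. The hunt flags a successful login from a country the user has never used before, then looks for a burst of payment-themed mail to external recipients within the next 24 hours and notes whether Reply-To has been redirected off-domain.

```python
"""Correlate new-location mailbox logins with outbound rental-scam mail bursts.

Added example for this hunting scenario. All log lines, field names,
users and domains are constructed for illustration; the key=value
format is an assumption, not any vendor's real log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified mailbox authentication log (successful logins only).
AUTH_LOG = """\
2024-05-01T09:02:11Z user=agent@realty.example src_ip=198.51.100.10 geo=US result=success
2024-05-01T17:44:03Z user=agent@realty.example src_ip=198.51.100.10 geo=US result=success
2024-05-02T03:12:48Z user=agent@realty.example src_ip=203.0.113.45 geo=NG result=success
2024-05-02T08:30:00Z user=owner@realty.example src_ip=198.51.100.22 geo=US result=success
"""

# Constructed outbound mail log from the same tenant.
MAIL_LOG = """\
2024-05-01T10:00:00Z from=agent@realty.example to=client1@mail.example reply_to=agent@realty.example subject="Showing confirmed for 12 Oak St"
2024-05-02T03:20:10Z from=agent@realty.example to=lead1@mail.example reply_to=agent.realty12@freemail.example subject="Deposit required to hold 12 Oak St"
2024-05-02T03:21:30Z from=agent@realty.example to=lead2@mail.example reply_to=agent.realty12@freemail.example subject="Wire first month rent today"
2024-05-02T03:22:05Z from=agent@realty.example to=lead3@mail.example reply_to=agent.realty12@freemail.example subject="Zelle deposit for 12 Oak St"
2024-05-02T09:00:00Z from=owner@realty.example to=tenant@mail.example reply_to=owner@realty.example subject="Lease renewal"
"""

KV_RE = re.compile(r'(\S+)=("[^"]*"|\S+)')
PAYMENT_RE = re.compile(r"\b(deposit|wire|zelle|rent|payment)\b", re.I)
WINDOW = timedelta(hours=24)   # look-ahead window after a suspicious login
BURST = 3                      # minimum payment-themed external mails to alert


def parse(log):
    """Turn key=value log lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def domain(addr):
    """Mail domain of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def new_geo_logins(auth_events):
    """Yield successful logins from a country the user has not used before.

    The first login ever seen for a user builds the baseline and is not
    flagged; a real hunt would seed the baseline from a longer history.
    """
    seen = defaultdict(set)
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        if ev.get("result") != "success":
            continue
        if seen[ev["user"]] and ev["geo"] not in seen[ev["user"]]:
            yield ev
        seen[ev["user"]].add(ev["geo"])


def hunt(auth_log, mail_log):
    """Return alerts for new-geo logins followed by a burst of external,
    payment-themed mail, recording how many had Reply-To redirected off-domain."""
    mails = parse(mail_log)
    alerts = []
    for login in new_geo_logins(parse(auth_log)):
        end = login["ts"] + WINDOW
        hits = [
            m for m in mails
            if m["from"] == login["user"]
            and login["ts"] <= m["ts"] <= end
            and domain(m["to"]) != domain(m["from"])      # external recipient
            and PAYMENT_RE.search(m["subject"])
        ]
        redirected = [m for m in hits if domain(m["reply_to"]) != domain(m["from"])]
        if len(hits) >= BURST:
            alerts.append({
                "user": login["user"],
                "login_geo": login["geo"],
                "login_ip": login["src_ip"],
                "payment_mails": len(hits),
                "reply_to_redirected": len(redirected),
                "recipients": sorted(m["to"] for m in hits),
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(AUTH_LOG, MAIL_LOG):
        print(alert)
```

Against the constructed logs this raises one alert for agent@realty.example: the login from NG is the first non-US login for that user, and it is followed within minutes by three deposit-themed messages to external leads whose Reply-To points at a free-mail domain. The owner's login from a known country raises nothing. A travelling agent who genuinely mails several clients about deposits will also match the login-plus-burst part, which is the false positive noted later on this page; the Reply-To redirect count is the field to weight when triaging, since legitimate mail from the mailbox rarely redirects replies off the company domain.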
Recommendations:
Implement strong email security controls, including multifactor authentication, spam filtering, and anti-phishing protection.
Deploy network monitoring tools to detect and block malicious traffic.
Utilize web application firewalls to protect against web-based attacks.
Implement user behavior analytics to identify and alert on anomalous activity.
Educate users about cybersecurity best practices and how to avoid real estate scams.
False Positive Consideration:
Legitimate emails, such as genuine deposit or rent reminders sent by agents to many clients, that match the content patterns security tools alert on.
Normal user activity that may appear suspicious due to travel or remote work.
D3 Diagram:
### D3 Diagram (Email Account Compromise)
**T1586.002 - Compromise Accounts: Email Accounts**
**Implementations**
1. Phishing attacks targeting email credentials.
2. Browser exploitation to gain access to email accounts.
3. Drive-by compromise leading to email account takeover.
4. Internal spearphishing to compromise email accounts within an organization.
**Observables**
| Observable | Value | Robustness Level | Rationale |
|---|---|---|---|
| Email logs | Suspicious sender, recipient, content, attachments | Level 1: Ephemeral Values | Sender, recipient, subject and attachment names are chosen by the attacker and change between campaigns. |
| Network traffic | Connections to known malicious IP addresses or domains | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Can indicate C2 communication but can be obfuscated or mimicked. |
| Web server logs | Requests to suspicious websites or pages | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Can reveal phishing or malware delivery sites but can be changed or obfuscated. |
| User activity | Login attempts from unusual locations or devices, suspicious file activity | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Can indicate account takeover but can be mimicked or obfuscated. |
**Scoring Notes**
* Email-log values such as senders, subjects and attachment names are fully attacker-controlled and change per campaign, so they have low robustness on their own.
* Network traffic and web server logs can provide valuable indicators but require further investigation to confirm malicious intent.
* User activity logs can reveal suspicious behavior but can be mimicked or obfuscated.
**Additional Notes**
* This D3 diagram focuses on the general scenario of email account compromise.
* Specific implementations and observables may vary depending on the attack techniques used.
* It is crucial to consider the context and environment when analyzing these observables.