A client business email account was compromised and the attacker sent emails to everyone in his contact list… he also read all of his entails… logged in easily as the client… learned his email style… searching through the info for sensitive info they can use in the attack… and… this email did not have MFA and likely was using a simple and very old password. Completely avoidable with basic MFA and a password manager. This client should also get identity protection for himself and his family as a proactive step. He is retired and is a multi-business owner.
Here is what it looks like:
Step 1: Send email to all contacts as trusted person. Make it look legit and important. Before doing so, look at all emails and choose highest likelihood of success. If a business, pick a business template and send.
Step 5: Find end user accounts in email. Try all passwords. Get money In Whatever way possible. Continue to target and attack. Put on easy target list. Try bank accounts and other systems. Look for personal information. Look for credit cards, social security numbers, anything that can be used to hijack accounts and get money.
Rinse and repeat for any and all contacts that fill out phishing page. Continue attack forever until you are swimming in money. Screw America. Screw these end users. If they don’t know how to protect themselves or their money, then I deserve it. It’s mine, so a better job. Maybe you will learn a lesson from this. I’m actually helping you. You’re welcome!