Intercepted Email Attempts to Steal Payments
A reader sent in details of an incident that is currently being investigated in their environment. (Thank you, Peter, for sharing!) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. The scammer slips into an existing email conversation and, staying undetected, channels an ordinary payment for services or goods into his own coffers.
Here is a simple breakdown of the flow:
- Supplier sends a business email to the Customer; the email mentions that a payment has been received and asks when the next payment will arrive.
- Scammer intercepts and slightly alters the email.
- The Customer receives the email, seemingly from the Supplier but altered by the Scammer, with the following text slipped into it:
"KIndly inform when payment shall be made so i can provide you with our offshore trading account as our account department has just informed us that our regular account is right now under audit and government taxation process as such we cant recieve funds through it our account dept shall be providing us with our offshore trading account for our transactions. Please inform asap so our account department shall provide our offshore trading account for your remittance."
- Scammer sets up a fake domain name with a similar look and feel, e.g. if the legitimate domain is google.us, the fake one could be google-us.com.
- An email is sent to the Customer from the fake domain indicating the new account info to channel the funds:
"Kindly note that our account department has just informed us that our regular account is right now under audit and government taxation process as such we can't receive funds through it. Our account department has provided us with our Turkey offshore trading account for our transactions. Kindly remit 30% down payment for invoice no. 936911 to our offshore trading account as below;
Bank name: Xxxxx Xxxx
Swift code:XXXXXXXX
Router: 123456
Account name: Xxx XXX Xx
IBAN:TR123456789012345678901234
Account number:1234567-123
Address: Xxxxxxxxx Xxx Xx xxx Xxxxxxxx xxxxx Xxxxxxxx, Xxxxxx"
The Customer is very security-conscious and noticed the following red flags, which averted the fraud:
- The email was sent at an odd time (off-hours for the time zones in question).
- The domain in the spoofed email was wrong (i.e. google-us.com vs. google.us).
- The email contained repeated text, which added to the "spammy" feel of it.
This scam was averted by security-conscious business staff and properly analyzed by talented tech staff. We appreciate them sharing it with us.
What marks this as elaborate is that the email appears to have been fully intercepted and targeted: the scammer knew a payment had been requested. Also, the fake domain used in this incident was created only hours before the fraudulent email carrying the account information was sent. Technical analysis showed the email from the fake domain was sent from an IP address owned by neither the supplier nor the customer.
This incident is still under investigation and we will provide further (sanitized) details as they become available. Please comment and discuss with us if this has happened in your environment and what was done to mitigate and investigate it further.
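The red flags the Customer spotted, plus the domain-age observation above, are all things a mail gateway or SOC script can score automatically before a bank-detail change reaches accounts payable. The following is an added example written for this diary, not code from the reader's environment or from ISC: it checks an inbound sender domain against a list of known partner domains for look-alikes (the google.us / google-us.com pattern, and near-miss spellings), flags off-hours send times in the partner's time zone, detects repeated sentences in the body, and computes domain age from a registration timestamp. The partner list, UTC offset, business hours, registration times, timestamps and the sample body are all constructed test data; the registration table stands in for a real WHOIS/RDAP lookup.

```python
"""Triage of an inbound payment-change email against the diary's red flags.
Added example for this write-up; all data below is constructed, not from the incident."""
import re
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed: domains of suppliers this business actually pays.
KNOWN_PARTNER_DOMAINS = {"google.us"}
# Constructed: the partner's office hours in its own local time (UTC+3 is a stand-in offset).
PARTNER_UTC_OFFSET = 3
BUSINESS_HOURS = (8, 18)
# Constructed stand-in for a WHOIS/RDAP lookup: when a domain was registered (UTC).
REGISTRATION_TIMES = {
    "google-us.com": datetime(2023, 1, 10, 2, 0, tzinfo=timezone.utc),
}
# Constructed sample: sent 21.5 h after the look-alike domain was registered, 02:30 partner-local time.
SAMPLE_SENT_AT = datetime(2023, 1, 10, 23, 30, tzinfo=timezone.utc)
SAMPLE_BODY = (
    "Kindly note that our account department has just informed us that our regular account is right now under audit. "
    "Our account department has provided us with our offshore trading account for our transactions. "
    "Kindly remit the down payment to our offshore trading account. "
    "Our account department has provided us with our offshore trading account for our transactions."
)


def squash(domain: str) -> str:
    """Drop everything but letters and digits so google-us.com and google.us both expose 'googleus'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def brand_label(domain: str) -> str:
    """Second-level label: 'google' for google.us, 'google-us' for google-us.com.
    Simplification: assumes a one-label public suffix; real code should consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_lookalike(sender_domain: str, known_domains=KNOWN_PARTNER_DOMAINS) -> bool:
    sd = sender_domain.lower().strip(".")
    if sd in known_domains:
        return False  # exact match with a trusted partner is not a look-alike
    for known in known_domains:
        if squash(known) in squash(sd) or squash(sd) in squash(known):
            return True  # partner name reused with extra hyphens or a different TLD
        if SequenceMatcher(None, brand_label(sd), brand_label(known)).ratio() >= 0.8:
            return True  # near-miss spelling of the partner's name (typosquat)
    return False


def sent_off_hours(sent_at: datetime, utc_offset_hours: int = PARTNER_UTC_OFFSET) -> bool:
    """True when the message was sent outside the partner's local office hours or on a weekend."""
    local = sent_at.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    in_hours = BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1]
    return local.weekday() >= 5 or not in_hours


def repeated_sentences(body: str) -> List[str]:
    """Sentences (over 20 chars, whitespace/case-normalized) that occur more than once in the body."""
    seen, repeats = set(), []
    for sentence in re.split(r"(?<=[.!?;])\s+", body):
        key = re.sub(r"\s+", " ", sentence.strip().lower())
        if len(key) > 20 and key in seen and key not in repeats:
            repeats.append(key)
        seen.add(key)
    return repeats


def domain_age_hours(domain: str, at: datetime) -> Optional[float]:
    """Hours between the domain's registration and the message; None if registration is unknown."""
    registered = REGISTRATION_TIMES.get(domain.lower())
    return None if registered is None else (at - registered).total_seconds() / 3600


def triage(sender_domain: str, sent_at: datetime, body: str) -> List[str]:
    """Return the list of red-flag labels raised for one message."""
    flags = []
    if is_lookalike(sender_domain):
        flags.append("lookalike-domain")
    if sent_off_hours(sent_at):
        flags.append("off-hours")
    if repeated_sentences(body):
        flags.append("repeated-text")
    age = domain_age_hours(sender_domain, sent_at)
    if age is not None and age < 72:
        flags.append("newly-registered-domain")
    # Any mention of an offshore/new/updated bank account is a change-of-payment-details request.
    if re.search(r"\b(offshore|new|updated?)\b.{0,40}\b(account|bank)\b", body, re.I | re.S):
        flags.append("bank-detail-change")
    return flags


if __name__ == "__main__":
    print(triage("google-us.com", SAMPLE_SENT_AT, SAMPLE_BODY))
```

A message that raises "bank-detail-change" together with any other flag is the one to hold for an out-of-band callback to the supplier on a previously known phone number; the look-alike check deliberately treats an exact match with a trusted domain as clean, so a genuine compromised partner mailbox still needs the callback control rather than this script.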
-Kevin
--
ISC Handler on Duty