
SANS ISC: Intercepted Email Attempts to Steal Payments - SANS Internet Storm Center


Intercepted Email Attempts to Steal Payments

A reader sent in details of an incident that is currently being investigated in their environment. (Thank you, Peter, for sharing!) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers: the scammer slips into an existing email conversation and, staying undetected, channels an ordinary payment for goods or services into his own account.

Here is a simple breakdown of the flow:

  • Supplier sends a business email to the Customer; the email mentions that a payment has been received and asks when the next payment will arrive.
     
  • Scammer intercepts and slightly alters the email.
     
  • The Customer receives the email, seemingly from the Supplier but altered by the Scammer, with the following text slipped into it:

             "KIndly inform when payment shall be made so i can provide you with our offshore trading account as our account department has just informed us that our regular account is right now under audit and government taxation process as such we cant recieve funds through it our account dept shall be providing us with our offshore trading account for our transactions.  Please inform asap so our account department shall provide our offshore trading account for your remittance."
     
  • Scammer sets up a fake domain name with a similar look and feel, e.g. if the legitimate domain is google.us, the fake one could be google-us.com.
       
  • An email is sent to the Customer from the fake domain giving the new account details to which the funds should be sent:

    "Kindly note  that our account department has just informed us that our regular account is right now under audit and government taxation process as such we can't receive funds through it. Our account department has provided us with our Turkey offshore trading account for our transactions. Kindly remit 30% down payment for invoice no. 936911 to our offshore trading account as below;

    Bank name: Xxxxx Xxxx
    Swift code:XXXXXXXX
    Router: 123456
    Account name: Xxx XXX Xx
    IBAN:TR123456789012345678901234
    Account number:1234567-123
    Address: Xxxxxxxxx Xxx Xx xxx Xxxxxxxx xxxxx Xxxxxxxx, Xxxxxx"
     
  • The Customer is very security conscious and noticed the following red flags, which averted the fraud:

        - The email was sent at an odd time (outside office hours for the time zones in question).
        - The domain in the spoofed email was wrong (google-us.com vs. google.us).
        - The email contained repeated text, which added to its "spammy" feel.
        

This scam was averted by security-conscious business staff and properly analyzed by talented tech staff. We appreciate them sharing it with us.

What marks this as elaborate is that the email appears to have been fully intercepted and targeted: the inserted text refers to the very payment that had just been requested. Also, the fake domain used in this incident was registered only hours before the fraudulent email with the account information was sent. Technical analysis showed that the email from the fake domain was sent from an IP address owned by neither the supplier nor the customer.

This incident is still under investigation and we will provide more (obfuscated) details as they become available. Please comment and discuss with us if this has happened in your environment, and what was done to investigate and mitigate it.

 

-Kevin

--
ISC Handler on Duty

Kevin Shortt

ISC Handler
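The red flags in the diary above (lookalike sender domain, odd send time, originating IP that belongs to neither party) and the Reply-To trick described further down in the comments can all be checked mechanically on the raw message. The script below is an added example written for this page, not code from the ISC or from the incident; the supplier domain, its netblock, its office hours and the sample message are all constructed assumptions, and the invoice text is modelled on the scam wording quoted in the diary.

```python
import ipaddress
import re
from datetime import timedelta, timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# ASSUMPTIONS (hypothetical values, not from the incident): the supplier's real
# domain, the netblocks its mail servers relay through, and its office hours.
KNOWN_SUPPLIERS = {
    "google.us": {
        "netblocks": [ipaddress.ip_network("203.0.113.0/24")],
        "tz": timezone(timedelta(hours=3)),   # supplier's local time zone
        "hours": (8, 18),                     # office hours, 24h clock, Mon-Fri
    },
}

# Phrasing taken from the two scam messages quoted in the diary.
REDIRECT_PHRASES = [r"offshore", r"under audit", r"taxation process", r"remit",
                    r"down payment", r"(new|changed) (bank )?account"]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def levenshtein(a, b):
    """Plain edit distance; enough to catch a domain that is one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core(domain):
    """Drop TLD, hyphens and case: 'google-us.com' -> 'googleus', 'google.us' -> 'google'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower().rsplit(".", 1)[0])


def is_lookalike(domain, real):
    """True when `domain` imitates `real` via TLD swap, hyphen insertion or a typo."""
    if domain == real:
        return False
    d, r = core(domain), core(real)
    return (len(r) >= 4 and r in d) or levenshtein(d, r) <= 2


def origin_ip(msg):
    """The bottom-most Received header is the earliest hop visible; take its 'from' IP."""
    received = msg.get_all("Received") or []
    hits = IP_RE.findall(str(received[-1])) if received else []
    return ipaddress.ip_address(hits[0]) if hits else None


def domain_of(header_value):
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def triage(raw):
    """Return the list of red flags raised by one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg.get("Reply-To", msg["From"]))

    if reply_dom != from_dom:                      # replies silently go elsewhere
        flags.append("reply-to-mismatch")
    for dom in {from_dom, reply_dom}:              # either address may imitate a supplier
        for real in KNOWN_SUPPLIERS:
            if is_lookalike(dom, real):
                flags.append(f"lookalike:{dom}~{real}")

    sup = KNOWN_SUPPLIERS.get(from_dom)
    if sup:  # claims to be the real supplier: check their infrastructure and hours
        ip = origin_ip(msg)
        if ip and not any(ip in net for net in sup["netblocks"]):
            flags.append(f"origin-ip-outside-supplier:{ip}")
        sent = parsedate_to_datetime(str(msg["Date"])).astimezone(sup["tz"])
        start, end = sup["hours"]
        if sent.weekday() >= 5 or not start <= sent.hour < end:
            flags.append(f"odd-hour:{sent:%a %H:%M}")

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    for pat in REDIRECT_PHRASES:
        if re.search(pat, body):
            flags.append(f"phrase:{pat}")
    return flags


# Constructed sample modelled on the diary's description; not the real incident's mail.
SAMPLE = """\
Received: from mail.scammer.example ([198.51.100.77]) by mx.customer.example
 with ESMTP; Tue, 11 Feb 2014 22:40:30 +0000
From: "Accounts Dept" <accounts@google.us>
Reply-To: accounts@google-us.com
To: payables@customer.example
Date: Tue, 11 Feb 2014 22:40:00 +0000
Subject: Re: Invoice payment
Content-Type: text/plain; charset="us-ascii"

Kindly note that our regular account is right now under audit and government
taxation process as such we can't receive funds through it. Kindly remit 30%
down payment to our offshore trading account as below.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print(flag)
```

Each flag on its own is weak (suppliers do send mail late, and marketing mail uses hyphenated domains), which is why the script reports all of them rather than a verdict: a payment instruction that trips the lookalike or origin-IP check together with the phrase check is what should stop the wire until the supplier confirms the account by phone on a number you already had.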
This was a hijack of an INTERCEPTED legit email? I'd be *REALLY* interested to know how that was done w/o somehow sniffing the network.
Anonymous
In some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to Gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email.
Johannes

ISC Handler
This doesn't make any sense. The attacker intercepts the email and alters it ("The Customer receives the email seemingly from the Supplier but altered by the Scammer with the following text slipped into it")... Why would the attacker then go through the trouble of registering a fake domain and sending a second email? The attacker could just insert the whole "scam text" right into the intercepted email. Further, if the attacker is in a position to intercept emails, it seems they would have plenty of access to launch much more sophisticated attacks.
Ryan

Quoting Johannes:in some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email.


If that were the case here, the email could not have been "altered by the Scammer with the following text slipped into it".
Ryan

Wouldn't an interception of this kind (prevention of receipt of the original e-mail, complete replacement with an altered e-mail) indicate a compromise of either the sender's or the recipient's e-mail servers? Seems to me that this is more than just eavesdropping on and spamming an e-mail; otherwise they would have received two e-mails (one altered, one not).

Seems to me that they have bigger problems.
Ryan
Ryan...

Keep in mind that the investigation is still ongoing. There are various scenarios that can explain why the fake domain was created. The fake domain was to spoof the Supplier. Just because the email chain of the Customer is breached at some level, it does NOT mean full access to all systems is available to the attacker. A fake domain is an easy way for the attacker to get inserted into the communication (with ease), once the trust with the victim gets established.

We are hoping others had some experience in a similar attack, so that any details shared could assist this incident and the general community.

Thanks for all comments. It keeps the topic relevant.

-Kevin
Kevin Shortt

ISC Handler
Quoting Anonymous:<snip>...
Seems to me that they have bigger problems.


I would agree. As they continue to look into it, they are likely to find a breach somewhere.

-Kevin
Kevin Shortt

ISC Handler
Hello Kevin,

I have seen the very first version in the wild in August of 2013; it seems to be a new Nigerian 419 variant.
All the details you have provided are similar to what I have dealt with in 5+ cases in India.

According to my forensic analysis and incident handling, here is the flow of how it works:
1> Scammers somehow lure victims by sending emails with phishing / spear-phishing links.
2> They get their piece of keylogger installed on the PCs of the supplier/customer.
3> They keep tabs on transactions like "shipping", "stuffment", "vehicle number", "Invoice", "DHL Tracking", etc.
4> The scammers then create a fake email by registering a similar domain name with the "typosquatting trick", which looks almost identical/similar and goes unnoticed by a casual reader.
5> The newly created domain name lies unused as such; however, the FQDN is used for the creation of email IDs which are later used for correspondence between the supplier/customer.
6> An important key point is that the TO and CC fields in the email messages containing the legitimate email IDs are also faked and are marked in this process.
7> The body of the email message is so poorly drafted in English, and with capital letters where they are normally not used, that the easy way to catch it is to just check the semantics and grammar of the email content, e.g. "every starting letter is capitalized".
8> The machines which were infected were managed by a centralized AV monitoring tool, which could not detect this.
9> I myself have worked on 3 of these cases, and I have seen employers sacking their own trusted staff, because they were the only ones who dealt with financial trading information within their respective organizations.

I will try to find some more facts from my cases and if possible i will try to provide more insight into it.
We could not obtain a forensically sound image for the cases I handled, because they were identified very late, in December 2013.

Another interesting point was that all three of the clients/cases had at least one of the supplier or customer based in Nigeria/South Africa.

All the concerned staff, either at the supplier or customer end, were identified by name, and similar fake email IDs with their names were used for the further chain of mail exchange.

I cannot say for sure if they had compromised the majority of PCs or turned them into botnets.
However, this is something almost a year old.

Hope this helps someone.

Regards,

Nitin Kushwaha, CISSP

JNCIA.ACA.ACSP.RHCSA.RHCE.CHFI.CEH.SCSECA.ITIL.CIW-SA.
CIW-SP.CCP.CLOUDU.CCSA.CCWA.CCLA.CCHA.MCSE.MCSA.MCS.MCP
Kevin Shortt
This is far simpler than you think.

What took place is an intercept of the outgoing messages from the source, not the customer.

The batch was copied off the server by changing the spool directory so it never sends, then used with the new domain from the phishing server (or in some cases the actual server that was compromised) using standard find-and-replace UNIX tools.

Sadly, a child can do this.
Al of Your Data Center

Hi

I am from a web company in Malaysia, designing and hosting (using third-party services, i.e. Hostgator and our local provider) for manufacturers.

Recently we have been getting complaints exactly like the nature of this thread, and I couldn't find any information on email interception.

Scenario 1 :

1) Our client (Seller) sends an email to its customer's Yahoo mail (Buyer) with prices.
2) Buyer sends back an acknowledgement email to Seller.
3) Buyer then receives an email from Seller with an attached PDF invoice, IN WHICH THE BANKING DETAILS HAVE BEEN ALTERED to some China bank account.
4) The email header clearly shows it is spoofed and is NOT from the original sender's server.
5) The "reply-to" field still shows the Seller's email address.

Scenario 2 :
1) Another client (Seller) sends an email to its customer's Gmail (Buyer).
2) Along the line, Seller stops receiving replies from Buyer.
3) Seller calls up Buyer; Buyer says he is still responding to Seller's email (WHICH THE SCAMMER HAS TAKEN OVER!).
4) Seller logs into his webmail (he usually uses Outlook) to find a newly added filtering rule that automatically moves the Buyer's email to Trash.

Scenario 3 :
1) When Seller forwards an email to another account, some random message from China gets attached to the email.


We checked with the local email provider, and the normal responses are spyware, the password is not strong, or someone internal hacked in. As a web company with a few clients facing the same issue, we do not believe it is some internal job but that sophisticated interception is going on, and I believe a lot of companies are facing this problem.

Can someone please point me to some websites with technical explanation on this? I need to answer our clients.

Thanks
Al of Your Data Center
Our company has been the victim of this type of fraud just this week.

I found this ongoing discussion to be exactly what we are facing.

Their modified phishy email asking for money to be sent to their bank account is almost identically worded.

My questions are:
1) any update and conclusion and resolution of your investigations you can share?

2) how do I get their bogus spoofed website pulled?

3) any insight how the email was intercepted? Other than changing passwords I'm at a loss of where the problem occurred.
Al of Your Data Center
This scam is still ongoing, just happened to a friend of mine and it cost him $11k in funds he sent to a fraudulent account.

Coincidentally, the wording of the scam message included the words "under audit". (A native English speaking person would probably say "being audited")

We are now checking to see if someone in the email chain has a compromised email account, with BCC rules setup etc.
Al of Your Data Center
A similar incident happened to us. We are in an argument with our supplier, as an email was intercepted and altered, i.e. the bank details were altered, and we paid into a bogus bank account. We were aware they were setting up a new bank account, and confirmed this with them in a reply, which also went to the bogus email address. Our question is, whose email was intercepted?
The supplier sent it to 2 independent emails: one was altered and was received; the other, which had been "cc"ed, we later found out had bounced back to the original sender and had been altered.
Is there any way we can find out whose email was hacked?
Al of Your Data Center
I came across the same type of scam very recently. One party was based in India and the other, the supplier, in China. Somehow the scammer came into the two parties' conversation. He then created a similar domain, but on v90.us, and changed the bank account details. The bank account was located in Poland. Unfortunately, our client wasn't very security conscious and paid about $20k to the bogus account.

-- Anirudh R
AnirudhR

Is there any way to find out what is compromised? The email server, or the user's PC, or what? We have been targeted by this type of scam 3 times in the last 4-5 months, two of which took place within the last week itself.
AnirudhR
+1
AnirudhR
Hey all,

I know this thread is several years old, but I feel it worthwhile to add a compromised situation that I recently encountered. (This thread actually helped secure the email accounts again.)

If you encounter persistent email hijacking or intercepted emails, ** make sure your email auto-forwarding settings are not compromised **. This would apply to the recipients' accounts as well.

What happened to us... One of our email accounts was compromised via a successful phishing attempt. We use G Suite / Gmail for our company mail. The scammer set up mail forwarding on the hacked account, so they had a copy of all correspondence sent to that account. Changing the password on the account (which we did immediately) did nothing, since the forwarding was still in place. Very simple hack, and I spent hours on it until I finally encountered this thread.


Details:

1. We received a request to wire money. This by itself wasn't suspect, as we normally do business via wire payments with our overseas suppliers.

2. They quoted previous emails in the reply. Slipstreamed! This made it seem even more legit.

3. They copied all the details of the email recipient list, formatting and all.

4. The scammer used domain names that were very close to our suppliers'. It was off by 1 letter.

5. Sender email was forged; it was the legit email address. But when you hit Reply, it would use the fake domain (set in the reply-to field, not visible in Gmail unless you View Original, or actually hit Reply and inspect the email you're replying to).


We almost wired $40,000 the first time. Actually, the wire was submitted but we were able to cancel it after we realized what happened. The second time, several months later (after changing passwords but not checking the forwarding), it was for a different supplier, but using the exact same tactic. Replies inline with details copied, asking for the wire transfer.

Good luck to all, hope this info helps.


- Sushi
Anonymous
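Two of the posts above describe the same persistence mechanism from opposite sides: Scenario 2 (a filter quietly moving the Buyer's replies to Trash) and Sushi's account (a forwarding rule that survived a password change). The audit below is an added example written for this thread, not code from any of the posters; it reads a Gmail "Export filters" file and lists the rules an intruder would plant. The namespaces and property names (`forwardTo`, `shouldTrash`, `shouldArchive`, `shouldMarkAsRead`, `hasTheWord`) are what I recall of that export format and should be treated as an assumption to check against the header of your own export; the sample feed and domains are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's "Export filters" Atom feed (assumption from memory;
# compare against the first line of your own export before relying on it).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Match-side properties worth showing alongside a finding.
MATCH_KEYS = ("from", "to", "subject", "hasTheWord")


def audit_filters(xml_text, own_domains):
    """Return (kind, target, match) tuples for filters an intruder would plant.

    kind is one of:
      external-forward  a copy of every matching message leaves your domains
      auto-trash        matching mail is deleted before the user sees it
      skip-inbox        matching mail is archived and marked read (quiet variant)
    """
    own = {d.lower() for d in own_domains}
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        match = {k: v for k, v in props.items() if k in MATCH_KEYS}

        fwd = props.get("forwardTo")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in own:
            findings.append(("external-forward", fwd, match))
        if props.get("shouldTrash") == "true":
            findings.append(("auto-trash", None, match))
        if props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
            findings.append(("skip-inbox", None, match))
    return findings


# Constructed sample export: one benign labelling filter and two that should alarm you.
SAMPLE_EXPORT = """\
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@vendor.example'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='invoice OR wire OR payment'/>
    <apps:property name='forwardTo' value='acct.backup@mail-relay.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='buyer@gmail.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

if __name__ == "__main__":
    for kind, target, match in audit_filters(SAMPLE_EXPORT, ["ourcompany.example"]):
        print(kind, target or "", match)
```

Run it against the export of every mailbox in the payment conversation, on both the supplier and customer side, since the thread shows either end can be the one that is tapped. Filter-based forwarding is only one of the two places Gmail can forward from; the account-wide setting under Settings > Forwarding is not in this file and has to be checked separately, and neither is undone by changing the password, which is exactly the point Sushi makes.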
