Intercepted Email Attempts to Steal Payments

Published: 2014-01-08
Last Updated: 2014-01-08 18:14:47 UTC
by Kevin Shortt (Version: 1)
17 comment(s)

A reader sent in details of a incident that is currently being investigated in their environment.  (Thank you Peter for sharing! )   It appears to be a slick yet elaborate scam to divert a customer payment to the scammers.   It occurs when the scammer attempts to slip into an email conversation and go undetected in order to channel an ordinary payment for service or goods into his own coffers.  

Here is a simple breakdown of the flow:

  • Supplier sends business email to customer, email mentions a payment has been received and asks when will next payment arrive.
     
  • Scammer intercepts and slightly alters the email.
     
  • The Customer receives the email seemingly from the Supplier but altered by the Scammer with the following text slipped into it:

             "KIndly inform when payment shall be made so i can provide you with our offshore trading account as our account department has just informed us that our regular account is right now under audit and government taxation process as such we cant recieve funds through it our account dept shall be providing us with our offshore trading account for our transactions.  Please inform asap so our account department shall provide our offshore trading account for your remittance."
     
  • Scammer sets up a fake domain name with similar look and feel.  i.e. If the legitimate domain is  google.us, then the fake one could be  google-us.com.
       
  • An email is sent to the Customer from the fake domain indicating the new account info to channel the funds:

    "Kindly note  that our account department has just informed us that our regular account is right now under audit and government taxation process as such we can't receive funds through it. Our account department has provided us with our Turkey offshore trading account for our transactions. Kindly remit 30% down payment for invoice no. 936911 to our offshore trading account as below;

    Bank name: Xxxxx Xxxx
    Swift code:XXXXXXXX
    Router: 123456
    Account name: Xxx XXX Xx
    IBAN:TR123456789012345678901234
    Account number:1234567-123
    Address: Xxxxxxxxx Xxx Xx xxx Xxxxxxxx xxxxx Xxxxxxxx, Xxxxxx"
     
  • The Customer is very security conscious and noticed the following red flags to avert the fraud: 

        - Email was sent at an odd time (off hour for the time zones in question)
        - The domain addresses in spoofed email were incorrect. (ie.  google-us.com vs. google.us)
        - The email contained repeated text which added to the "spammy" feel of it.
        

This scam was averted by the security consciousness business staff and properly analyzed by talented tech staff.  We appreciate them sharing it with us.  

The flags that indicate this is elaborate, is the email appeared to be fully intercepted and targeted because of the mentioning of a payment was requested.  Also, the fake domain that was created for this incident was created hours before the fraudulent email with the account information was sent.  The technical analysis showed the fake domain email was sent from an IP not owned by the supplier or the customer.

This incident is still under investigation and we will provide more obfuscated details as they become available.  Please comment and discuss with us if this has happened to your environment and what was done to mitigate and investigate things further.

 

-Kevin

--
ISC Handler on Duty

Keywords: email scam fraud
17 comment(s)

Comments

This was a hijack of an INTERCEPTED legit email? I'd be *REALLY* interested to know how that was done w/o somehow sniffing the network.
in some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email.
This doesn't make any sense. The attacker intercept the email and alters it ("The Customer receives the email seemingly from the Supplier but altered by the Scammer with the following text slipped into it")... Why would the attacker then go through the trouble of registering a fake domain and sending a second email? The attacker could just insert the whole "scam text" right into the intercepted email. Further, if the attacker is in a position to intercept emails, it seems they would have plenty of access to launch much more sophisticated attacked.
[quote=comment#29081]in some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email.[/quote]

If that was the case here, the attacker would not be able to be "altered by the Scammer with the following text slipped into it".
Wouldn't an interception of this kind (prevention of receipt of original e-mail, complete replacement with altered e-mail) indicate a compromise of either the sender or recipient's e-mail servers? Seems to me that this is more than just eavesdropping and spamming an e-mail, otherwise they would have received two e-mails (one altered, one not).

Seems to me that they have bigger problems.
Ryan...

Keep in mind that the investigation is still on going. There are various scenarios that can explain why the fake domain was created. The fake domain was to spoof the Supplier. Just because the email chain of the Customer is breached at some level, it does NOT mean full access to all systems is available to the attacker. A fake domain is an easy way for the attacker to get inserted into the communication (with ease), once the trust with the victim gets established.

We are hoping others had some experience in a similar attack, so that any details shared could assist this incident and the general community.

Thanks for all comments. It keeps the topic relevant.

-Kevin
[quote=comment#29090]<snip>...
Seems to me that they have bigger problems.[/quote]

I would agree. As they continue to look into it, they are likely to find a breach some where.

-Kevin
Hello Kevin,

I have seen the very first version in the wild in August of 2013, it seems a new Nigerian 419 variant:
All the details you have provided is similar to what i have dealt with 5+ cases in India.

According to my Forensic Analysis and Incident Handling, here is the flow how it works:
1>Scammers somehow lure by sending Emails with phishing / Spear phishing links
2>They get their piece of keylogger installed on the PC's of the supplier/customer
3>They keep a tab on transactions like "shipping", "stuffment","vehicle number","Invoice","DHL Tracking"...etc
4>The scammers then create a fake email by registering a similar domain name with "TypoSquatting trick" which looks almost identical/similar, and goes un-noticed for a casual reader.
5>The newly created domain name lies as it is unused, however the FQDN is used for the creation of email id's which are later used for correspondence between the supplier/customer
6>Important key points are that, the TO,CC fields in the Email messages containing the legitimate email id's are also faked and are marked in this process
7>The Body of Email/ Message in the email is so poorly drafted in English, and with Capital letters which are normally not used, so the easy way to catch is to just check for semantic and grammar of the email content, "like every starting alphabet is capitalized".
8>The machines which were infected were managed by centralized AV monitoring tool, which could not detect this.
9>I myself have worked on 3 of these cases, and I have seen employers sacking their own trusted staff, because they were the only ones which dealt with financial trading information within their respective organizations.

I will try to find some more facts from my cases and if possible i will try to provide more insight into it.
we could not obtain a forensically sound image for the cases i handled, but because it was identified very late in December 2013

Another interesting point was, all three of the clients/cases had atleast either of the supplier or customer based at Nigeria/South Africa.

All the concerned staff either at supplier or customer end was identified by name and similar fake email id's with their names were used for further chain of mail exchange.

I cannot say for sure, if they had compromised majority of PC's or turned them into botnets.
however,this is something almost a year old.

Hope this helps someone.

Regards,

Nitin Kushwaha, CISSP

JNCIA.ACA.ACSP.RHCSA.RHCE.CHFI.CEH.SCSECA.ITIL.CIW-SA.
CIW-SP.CCP.CLOUDU.CCSA.CCWA.CCLA.CCHA.MCSE.MCSA.MCS.MCP
This is far simpler than you think.

What took place is an intercept of the outgoing messages from the source, not the customer.

The batch was copied off from the server by changing the spool directory so it never sends, then used with the new domain from the phishing server or in some cases the actual server that was compromised using standard find and replace UNIX tools.

Sadly, a child can do this.
Hi

I am from a Web company from Malaysia designing and hosting (using third party services, i.e Hostgator and our local provider) for manufacturers.

Recently we are getting complains exactly like the nature of this thread and I couldn't find any information on email interception.

Scenario 1 :

1) Our client (Seller) send email to its customer yahoo mail(Buyer) with prices
2) Buyer send back acknowledge email to Seller
3) Buyer then receive an email from Seller with an attached PDF invoice, WHICH THE BANKING DETAILS HAS BEEN ALTERED to some China bank account.
4) The email header clearly shows it is being spoof and it is NOT from the original sender server
5) The "reply to email" field still shows the the Seller email address.

Scenario 2 :
1) Another client (Seller) send email to its customer gmail (Buyer)
2) Along the line, Seller stop receiving replies from Buyer
3) Call up Buyer, Buyer said he is still responding to Seller email (WHICH THE SCAMMER HAVE TOOK OVER!)
4) Seller logs into this webmail (he usually uses outlook) to find a newly added Filtering rule to automatically move the Buyer email to Trash.

Scenario 3 :
1) When Seller forward an to email another account, some random message from China got attached to the email.


We checked with the local email provider and the normal response are spyware, password is not strong, someone internal hacked in. As a web company with a few clients facing the same issue, we do not believe it is some internal job but sophisticated interception is going on and I believe a lot companies are facing this problem.

Can someone please point me to some websites with technical explanation on this? I need to answer our clients.

Thanks

Diary Archives