
My company has been the target of a mail fraud attempt for the second time this year.

The fraud goes as follows:

  1. My company sends an invoice to a customer from the email address alice@mycompany.com (alice is responsible for invoicing).

  2. alice@mycompany.com sends a reminder because the invoice hasn't been paid yet. The reminder has a PDF attachment with the invoice and payment information.

  3. Shortly after, alice@evil.com also sends a reminder mail to the customer. In this reminder there is also a PDF attachment that's nearly identical to the one Alice sent; only the payment information has been altered.

The customer also has a conversation with Alice about the change of bank account and always receives answers. My boss is cc'ed in all the emails but he never receives the emails.

The @mycompany.com email addresses are hosted on o365.

In January we had this for the first time. Recently we had the same thing but with a different client. The first time the emails were sent from alicemycompany@evil.com, the second time from alice@evil.com.

How does this fraud work?

What can I do to prevent this from happening?

I checked Alice's account and there are no rules of any kind for forwarding.

Microsoft checked the account and said there is no indication of it being compromised.

UPDATE:

I got some new information that I included in the question: all our mails were received by the customer!

J_rite
  • The fact that your boss does not receive the emails is very interesting. It suggests the problem is in your email systems and not the customer's. I think you need to use the email logs to trace the mail flow. – schroeder Aug 08 '19 at 13:15
  • Check your outbound logs and your inbound logs to confirm your mails are leaving your org correctly and the inbound mails are not arriving, just to be certain. Then I think your customer needs to look into their mail logs. It could be that your customer's mail system is pwned or it could be the one individual account. The behaviour described is very similar to what I've seen when a gmail account is compromised, so the evidence points to your customer being compromised, though there are other possibilities. – Unicorn Tears Aug 09 '19 at 08:31
  • The fact the customer did receive the e-mails makes it very open ended. Other than the payment information, are all details really the same, including invoice numbers, amounts, etc? It could be a breach on the customer's end (though the fact that two of your customers have had the issue makes it a troubling coincidence). – jcaron Aug 09 '19 at 16:01

2 Answers


I don't think that there is a standard way that this type of fraud is perpetrated, but I can tell you what I have seen and what I do when this happens to us, when about once every two months we get "change my bank account" emails sent to suppliers "from" our mail systems.

Our first thought is that the scenario didn't happen and that we have fraudulent staff working in collusion with the supplier. We have to rule that out, so we may review the staff emails looking for anything suspicious. This invariably turns out to be a dead end.

Then we ask if our own mail system or user accounts have been compromised: we have had this where a bad actor had access to an email account and could intercept, reply to and delete mails as they arrived. It was very cheeky, so don't underestimate these criminals. We spotted this as a user was logged in from two places at once, which is normal because of our business and use of VPNs etc. Because we have an immutable store of all messages we can see the deleted ones. We put in two-step verification to mitigate this risk and now we are very confident that an email account with 2SV is not compromised. Not 100% confident of course, and it is still an option.

Then we look at the mails outbound from our domain and look for bounces, and we ask the recipient email team to look in their logs for our mail. This has mixed results. In your case you say that your outbound mail never arrives, so I'd be looking at our outbound logs for mails to the domain and I would be checking the MX record of the recipient domain. If the message really did go out from our system, I'd get the message ID from the header and ask the recipient mail team to tell me if they have received it. The results are mixed because often the recipient organisation does not have an IT team and they don't know how emails get routed, delivered etc. It would be quite unusual for all emails to mydomain.com not to be delivered at all, and quite unusual for a man-in-the-middle to be capturing all the mydomain.com mails and forwarding them, but I guess it's possible. If the recipient organisation never gets the mails then that spins off another query: why? Of course trying to do this over email when the recipient email system might be compromised is flawed to say the least. But the fact that your emails do not hit the recipient is a big indicator to me and I would want to get to the bottom of why. My hypothesis is that the recipient has shared their web-email password and a bad actor is logging into their account, because that is a simple approach. Bad actors can get the password through various ways, but one way that I have seen is they send a link to an online O365 doc or Google Doc that required a login; the user logs in using that link and the bad actor then has the password. There are other ways, I'm just saying this is what I have seen.

You say that your client sends mails cc to a manager but those don't arrive? That sounds like an interesting avenue to pursue. I would want the sender to check their logs for mails to the manager and our system for mails inbound for the manager. My hypothesis being that one or other of the mail systems is compromised. In the investigations I have run, the compromise has usually (well always now) been with the recipient email systems, the reason for this is that our systems have many defences in depth but we deal with small suppliers who don't have an IT engineering function. But we keep an open mind always as we really do not know until we have the data.

So now alice.smith@outlook.com sends an email to the recipient. If Alice Smith's corporate email account were under the control of the bad actor then my assumption would be that they would not bother with the @outlook.com address, but that's just an assumption. I'd ask myself why the recipient is dealing with @outlook.com rather than the real company, but perhaps the bad actor has changed the FROM address. We get that too of course. If the email sent out does match the email that was sent back with minor changes then obviously someone has intercepted that mail. I would want to confirm that though, as the scams I have seen often have the email signature of one of our staff, it has a PO number etc., but it's totally fake, though it looks plausible. We know this because there is no exact match in the immutable email store that has been altered, but the human sender misreads the situation and says that it is the same email.

We now realise that it's a fool's errand to try to stop these scams most of which now originate with the recipient: their mails are compromised, they answer a fake email and change details etc. Some of the controls we have put in place to prevent a successful scam include:

  • 2SV on all email accounts
  • immutable storage for all emails so we can search actual content without the users being aware (we have governance for the process)
  • Constant communication to staff "don't change bank account details based on an email" and "no, the CEO will never write to you telling you they want you to make a secret payment"
  • Our internal payroll teams don't (or shouldn't) accept a "change my bank account" email, they should use a form on the intranet so that deals with message spoofing, but not account hijack. We have so many payroll teams though it does not always get through
  • SPF, DMARC, DKIM. These are great ideas and I am sure they work well for small organisations. If you have these in place then the idea is that the recipient mail servers will use these to identify fraudulent mails. In practice for a big enterprise it's a big old effort and we realised that implementing DMARC and DKIM would kill our business because of the vast number of email sending domains, devices, third parties etc and we would need to employ a team just to deal with that. SPF works OK for us, most of the time. If you are not aware of these then Wikipedia will guide you but as I say we found them a great idea but simply too complicated for us to use in our enterprise. O365 may well come with these in place already?
  • Mail inbound rules that flag spam from known bad domains. We know about legitimate service providers that host spam sending servers that our mail spam engine allows through, so we flag all mails from, for example, GoDaddy servers. It's whack-a-mole and we really let our cloud email service provider deal with spam

We have not implemented any third party tools that do "email security" because of the cost and because we have protection from Google, which isn't perfect but it's good enough.

When I look into these issues I find these tools useful

I have not answered your question directly for your specific case because I don't have enough data, though others may have come across this exact scenario, but I thought it might be helpful to share what I do although I accept it's not a perfect process and I make assumptions that are not 100% proven.

Unicorn Tears
  • While I think there is some information here that can be helpful, I think there is also a lot that is not applicable to the OP and may cause confusion. In particular, since the attacker is using an external email address to communicate with the victims, SPF/DMARC/DKIM won't help and neither will flagging spam from known bad domains. Moreover, the issue is their end-users getting emails about changing bank accounts - not their staff. – Conor Mancone Aug 08 '19 at 12:12
  • so sorry, I changed the email addresses for greater clarity – schroeder Aug 08 '19 at 13:16
  • Updated the question with some additional information I received – J_rite Aug 09 '19 at 08:07
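The lookalike sender in the question (alice@evil.com carrying Alice's name) is external, so SPF/DKIM/DMARC on mycompany.com cannot catch it; one inbound control along the lines of the "mail inbound rules" bullet above is a mail flow rule that tags external mail whose From header shows an internal user's display name. This is an added example, not the answerer's own configuration; it assumes the ExchangeOnlineManagement module, an admin account (placeholder UPN) and a rule name of my choosing.

```powershell
# Added example (not from the original answer). Assumes ExchangeOnlineManagement
# and an account allowed to manage mail flow rules; admin@mycompany.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@mycompany.com

# Collect the display names of internal users so the rule can match a lookalike
# header such as: From: Alice Smith <alice@evil.com>  (sent from outside the tenant).
# Names are regex-escaped because -HeaderMatchesPatterns takes regular expressions.
$displayNames = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { [regex]::Escape($_.DisplayName) }

# Conditions are ANDed: sender outside the organisation AND From header matches a staff name.
# -Mode Audit only logs matches; change to -Mode Enforce once false positives have been reviewed.
New-TransportRule -Name "Flag external display-name impersonation" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "From" `
    -HeaderMatchesPatterns $displayNames `
    -PrependSubject "[EXTERNAL - sender name matches a staff member] " `
    -SetHeaderName "X-Impersonation-Check" -SetHeaderValue "display-name-match" `
    -Mode Audit
```

Rule pattern lists have a size limit, so this suits a small tenant; larger tenants licensed for Defender for Office 365 get the same user-impersonation check from the anti-phishing policy instead.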

Compromised Email Accounts

Unfortunately it is clear that your mail systems have been compromised. That's the biggest take away here. If your emails are never reaching the customer then at some point in time someone gained (and probably still has) access to at least the alice@mycompany.com email, if not your entire email system.

There's an important distinction to note here: if your customers were receiving the email from both alice@mycompany.com and the attacker, then it might be that your "leak" has happened somewhere else and the attacker might simply be using information gleaned from elsewhere to follow up on your legitimate billing emails. However, if your own billing emails are never reaching your customer, then the only explanation is that the hacker has managed to compromise your mail system to stop your emails from going out. Note though that these options are not mutually exclusive. You definitely have compromised email systems. The hacker may have also penetrated other systems. Indeed, since an email address can so often be used to reset passwords in other web-based systems, it's quite possible that you have more than one compromised system now. Here is a question from another company that had a similar problem:

Outlook rule to forward all emails - is that a common scam?

Note that in that case the attacker with access to the email system both perpetrated this kind of fraud, and also tried to use the email access to gain access to further systems. Once this company discovered their email systems had been hacked they changed the password for the account, but it didn't help because the attacker had set up mail filters and forwarding rules in Outlook that the hacked company didn't discover until later. Something similar could be happening here.

Compromised Email System

The bigger concern would be that not just the alice@mycompany.com account has been compromised, but rather that the user account which manages email for your entire company has been compromised. If that were the case the attacker would easily be able to take over communications throughout your company, perhaps even giving themselves some additional persistence options to return later as needed (i.e. check the list of users allowed to manage email accounts in o365 and make sure another one hasn't been added).

Next steps

Unfortunately determining the root cause of this can be difficult, which means that making sure it doesn't happen again can be even harder. If you made me guess I would assume it is because the alice@mycompany.com account or the account which manages your email for your company has a weak password and was guessed by hackers, or one of your accounts fell victim to a phishing attack. Here are the steps I would take:

  1. Immediately have all users change to a strong password (>12 characters, and double check that the password is not on HIBP).
  2. Check for extra filters or forwarding rules on all email accounts
  3. Enable 2FA on the account which manages your email services (although even better would be to put it on all accounts)
  4. Review the list of email addresses and user accounts for your organization, and make sure that there isn't anything suspicious
  5. Start training your employees about identifying and reporting phishing emails and other kinds of scam emails.
  6. Hire a professional company to come review your systems and help plan out next steps and better security training for your users

Numbers 5 & 6 there can be expensive, and most businesses won't do it. However, I wouldn't dismiss them easily. You've been hacked twice in one year! Lax security can absolutely bankrupt a business. The fact that this has happened twice in one year and you are still in business means you're very lucky. Even just one hacking incident can be enough to bankrupt many small businesses. You can't afford to let this happen again. To help, here's what this looks like from the other side:

https://money.stackexchange.com/q/106081

In particular, it's worth pointing out that all the answers to that question say the same thing: sue the company (in this case, you) who originally had the compromised systems that resulted in the attack. And honestly, that's quite reasonable. If lax security on your part leads to compromised accounts which result in your customer paying thousands of dollars to a hacker, it only makes sense that your company should be the one that ends up paying the costs to fix it.

Conor Mancone
  • Agreed the fact the customer does not receive the email is key. The reason for that needs to be determined. – Unicorn Tears Aug 08 '19 at 13:31
  • @UnicornTears Indeed. My *guess* would be mail filters on the o365 account. Although I've never tried to set them up in o365, so I'm less sure of their capabilities. But for instance in gmail you can set up rules-based filters to do just about anything, aka "When I send an email with a subject of 'Invoice for your order', don't send it; instead send it to `alice@evil.com`" and "If I receive an email with subject of 'Re: Invoice for your order' then delete it immediately". Such filter rules could have the effect that the OP is seeing, but other methods could do it too. – Conor Mancone Aug 08 '19 at 13:37
  • @ConorMancone I had a look at the mail history and now it seems that all our emails were received by the customer. (I edited it in the question) – J_rite Aug 09 '19 at 08:03
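Steps 2 and 4 of the answer above (hunt for forwarding or deleting rules, review who administers mail) and the earlier suggestion to pull the Message-ID of the outbound invoice from your own logs can all be done from Exchange Online PowerShell. This is an added example, not code from either answerer; it assumes the ExchangeOnlineManagement module, an Exchange admin account, and placeholder domains (mycompany.com, customer.example).

```powershell
# Added example (not from the original answers). Assumes ExchangeOnlineManagement and an
# Exchange admin; admin@mycompany.com, alice@mycompany.com and customer.example are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@mycompany.com

# 1. Inbox rules that forward, redirect or silently delete mail in any mailbox.
#    A rule like "subject contains 'Invoice' -> delete" would hide the customer's replies
#    and the cc'd boss's copies exactly as described in the question.
$suspiciousRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, RedirectTo, DeleteMessage, SubjectContainsWords
}
$suspiciousRules | Format-Table -AutoSize

# 2. Mailbox-level forwarding, which an attacker with admin rights can set without any inbox rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Who can administer mail: an unexpected member here is the persistence foothold the answer warns about.
Get-RoleGroupMember -Identity "Organization Management" | Select-Object Name, RecipientType

# 4. Did Alice's invoice mail actually leave the tenant, and with which Message-ID?
#    Get-MessageTrace covers roughly the last 10 days; give the MessageId to the customer's
#    mail team so they can search their own logs for that exact message.
Get-MessageTrace -SenderAddress alice@mycompany.com `
    -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Where-Object { $_.RecipientAddress -like '*@customer.example' } |
    Select-Object Received, RecipientAddress, Subject, Status, MessageId
```

Rules with DeleteMessage set or a MoveToFolder target like Deleted Items or RSS Feeds deserve the closest look, since they are what makes replies vanish without the mailbox owner noticing.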