0

I send money to a charity in Africa. Recently my contact gave money to a third party, he said at my request. As proof, he forwarded back my email, and sure enough, some text had been added instructing him to give money to this pastor. Of course it would be very easy for him to add this text in the process of forwarding it back to me, so it is not proof. However, to remove any further doubt, I would like to know if it would be possible for a hacker to do this? Or would a hacker have to send him a whole email? And if it is my contact who is tricking me, he would not be able to send a whole email, because he doesn't really have access to my account. There has been no other suspicious action on my account that I know of.

Sally
  • Possible, but unlikely. Can you check the "sent items" on your mail server, to see if it has been sent correctly. – Dog eat cat world Jun 17 '14 at 14:22
  • Given the highly specific addition, it is unlikely that a 'hacker' made a modification. What do you mean by "he would not be able to send a whole email"? All he needs to do is edit the email and forward it back to you. – schroeder Jun 17 '14 at 14:28
  • Is the contact in Nigeria? – TTT Jun 17 '14 at 16:44

2 Answers

6

Email is not secure. It is very easy to send a completely fake email. Moreover, someone who can eavesdrop on an email while in transit can most often alter the transmission at will, in particular blocking the email, modifying it, and/or adding extra emails in the stream.

A classic method for email interception, at the network level, is DNS poisoning. Through some fake DNS responses, the attacker induces the sending email server to talk to him instead of the genuine destination server. The attacker can thus not only see all the data, but it is entirely up to him to decide what he will forward to the actual destination server.

Another vulnerable place is the incoming mailbox for the recipient. That mailbox must exist as some file on some server. Any server admin, or any of his interns, or any attacker who got access to that server (e.g. the server also hosts a vulnerable Web application, or whatever), can at will read and write emails in mailboxes.

Technically, you could have sent the fake email yourself, in order to later claim that there was abuse, fraud and deceit. Emails, by themselves, cannot decently serve as proof in either way.

(Emails occasionally do serve as proof, but only in contexts where involved parties don't feel that they could make a strong defending case. Emails are invoked in courts as data elements which were seized by police services on actual machines. In your case, you have full control on the machines on your side, and your adversary has full control on the machines on his side; and legal seizure is unlikely to occur in a cross-continents dispute.)

Tom Leek
3

Your question is a bit confusing. I assume that «my contact» is the one working for the charity. I am not sure if by «hacker» you mean a good hacker that figures out if your contact is deceiving you or an evil hacker who modified your email before it arrives at your contact.

In any case, yes: a spoofer can intercept your email, insert text and send it on. He will need access to tamper with it, such as your computer, your account, your contact account, the internet between both of you… (perhaps even the place where your contact accesses his email)

As a solution, you would need to digitally sign all your emails (PGP / S/MIME) and request your recipients to not accept anything not signed by your public key¹

¹ This in turn leads to the problem of verifying that the key is really yours, as you're unlikely to visit Africa soon for that. Maybe you could include the fingerprint in the bank transaction.

However, your contact is unlikely -like most people- to have the technical expertise and will to verify these things. ☹

Plus, I wouldn't be surprised that the most simple solution (that he kept the money himself) is really the true one, since he would profit much more from slipping “following the customer orders” than a spoofer would (once per charity, perhaps). Although you are in a better position to evaluate how believable is what he told you (and if it was really easy to be deceived in the way he claims he was) and how much trust you have in that person.

Ángel
  • Agreed. The simplest explanation is oftentimes correct. It's 1000 times easier to just modify the reply than for someone else to hack the email without the contact knowing, realizing, or asking for confirmation of this "different than normal" request. – TTT Jun 17 '14 at 16:47
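
The signing approach suggested in the second answer, as an added example that is not part of the original posts: an S/MIME signature made with the `openssl smime` command verifies on the untouched message and fails once a sentence is inserted or the signature is missing. The key, the self-signed certificate, the file names and the message text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: S/MIME signing with OpenSSL; all names and text are constructed.

# Create a throwaway key and self-signed certificate, sign a message, then
# produce two altered copies: one with inserted text, one with no signature.
make_demo() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sally (demo)" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    printf '%s\n' "Please send this month's donation to the school as usual." \
        > "$1/msg.txt"
    # Clear-signed multipart/signed message: the body stays readable and the
    # signature travels with it as a second MIME part.
    openssl smime -sign -text -in "$1/msg.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -out "$1/signed.eml" 2>/dev/null || return 1
    # The change described in the question: a sentence added to the body.
    sed 's/as usual\./as usual. Also give 500 to the pastor./' \
        "$1/signed.eml" > "$1/forged.eml"
    # A plain copy of the text with no signature at all.
    cp "$1/msg.txt" "$1/unsigned.eml"
}

# Accept a message only if it verifies against the one certificate the
# recipient has pinned for the sender (obtained out of band).
accept_message() {  # $1 = message file, $2 = pinned certificate
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for f in signed forged unsigned; do
    if accept_message "$demo_dir/$f.eml" "$demo_dir/cert.pem"; then
        echo "$f.eml: accepted"
    else
        echo "$f.eml: rejected"
    fi
done
```

The check is only as good as the pinned certificate: the recipient has to obtain it, or its fingerprint, over a channel other than the email being verified, which is the problem the footnote in the answer raises.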