I would suggest checking the Bigpond account settings in their web portal for any email forwarding rules set up on that account. Perhaps the account was compromised and set up to forward-copy all email to another server where it is then tampered with.

Even if you change the password that mail rule would still operate.

On Tue, Sep 29, 2015 at 3:35 PM, Brian May <brian@microcomaustralia.com.au> wrote:
Hello All,

I have a Windows-based family member who is sending outgoing invoices via email, I think using a Telstra Bigpond email account.

Somehow somebody is copying my relative's outgoing emails, replacing the contact details with their (very similar) contact details, and replacing the bank account details with their bank account details. All the other unique details in the invoice are the same and customized for the client. The attacker responds to emails to the new (but almost identical) email address that was in the email, and impersonates my relative in email conversations.

I think (need to check) the client gets two copies of the invoice, one good and one bad.

This results in the clients paying the wrong account.

My relative has changed his email password, had a complete virus scan of his computer; however the issue is still occurring.

It seems like a very much targeted attack. It is becoming somewhat expensive.

Any ideas? Apart from sending invoices postal? Which may or may not work depending on what access the attacker has? Is there anyone I could refer my relative to in order to sort out this mess?

Unfortunately, I think "use GPG" isn't an option. Even if his emails had signatures, it is unlikely his clients would know how to check them.

Obviously this goes to show how insecure email is, however I am speculating that the intruder doesn't have access to the network to monitor the SMTP sessions.

Regards

_______________________________________________
luv-talk mailing list
luv-talk@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-talk