
Hello All,
I have a Windows-based family member who is sending outgoing invoices via email, I think using a Telstra Bigpond email account.
Somehow somebody is copying my relative's outgoing emails, replacing the contact details with their (very similar) contact details, and replacing the bank account details with their bank account details. All the other unique details in the invoice are the same and customized for the client. The attacker responds to emails to the new (but almost identical) email address that was in the email, and impersonates my relative in email conversations.
I think (need to check) the client gets two copies of the invoice, one good and one bad.
This results in the clients paying the wrong account.
My relative has changed his email password and had a complete virus scan of his computer; however the issue is still occurring.
It seems like a very much targeted attack. It is becoming somewhat expensive.
Any ideas? Apart from sending invoices by post? Which may or may not work depending on what access the attacker has? Is there anyone I could refer my relative to in order to sort out this mess?
Unfortunately, I think "use GPG" isn't an option. Even if his emails had signatures, it is unlikely his clients would know how to check them.
Obviously this goes to show how insecure email is, however I am speculating that the intruder doesn't have access to the network to monitor the SMTP sessions.
Regards

Brian May wrote:
Hello All,
I have a Windows-based family member who is sending outgoing invoices via email, I think using a Telstra Bigpond email account.
Somehow somebody is copying my relative's outgoing emails, replacing the contact details with their (very similar) contact details, and replacing the bank account details with their bank account details. All the other unique details in the invoice are the same and customized for the client. The attacker responds to emails to the new (but almost identical) email address that was in the email, and impersonates my relative in email conversations.
Brian, I assume closing the BigPond account and opening a new one is not an option, because the old one has extensive circulation? You're certain the attacker couldn't have just cracked the email address and altered configuration settings, to achieve the current exploit? I did a quick google for "Big Pond email man-in-the-middle"; nothing came up. Perhaps you could check the header details on a faked email (by getting the relative to send you an invoice) with those on some much older email from the same relative prior to the scam?
regards
Rohan McLeod
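Rohan's suggestion of comparing the headers of a faked invoice with those of an older genuine one can be scripted. The block below is an added example, not code from the thread; the two messages are constructed samples, and the addresses, hostnames and IPs in them are placeholders. It parses both messages, reports the sender-related headers that differ, flags addresses that are near-identical to the genuine one (the "very similar" contact details Brian describes), and shows where each message entered the client's mail server.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed samples (not real mail): a genuine invoice and a tampered
# re-send from a lookalike address with the bank details swapped.
GOOD_EML = """\
Return-Path: <accounts@example-trades.com.au>
Received: from mail.example-trades.com.au ([192.0.2.10]) by mx.client.example; Tue, 29 Sep 2015 15:35:02 +1000
From: Accounts <accounts@example-trades.com.au>
Reply-To: accounts@example-trades.com.au
Message-ID: <20150929.1042@mail.example-trades.com.au>

Please pay invoice 1042 to BSB 000-000, account 12345678.
"""
BAD_EML = """\
Return-Path: <accounts@example-trade.com.au>
Received: from vps.example.net ([198.51.100.7]) by mx.client.example; Tue, 29 Sep 2015 15:41:19 +1000
From: Accounts <accounts@example-trade.com.au>
Reply-To: accounts@example-trade.com.au
Message-ID: <9f3a@vps.example.net>

Please pay invoice 1042 to BSB 111-111, account 87654321.
"""
HEADERS = ("From", "Reply-To", "Return-Path", "Message-ID")

def address(msg, header):
    """Bare lower-cased address from a header ('' if absent)."""
    return parseaddr(str(msg.get(header, "")))[1].lower()
def is_lookalike(a, b, threshold=0.85):
    """Different strings that are almost identical (e.g. one letter off)."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold
def received_hosts(msg):
    """Host named after 'from' in each Received header, newest first."""
    return [h.split()[1] for h in msg.get_all("Received", []) if h.startswith("from ")]
def compare(good_raw, bad_raw):
    """Headers whose addresses differ (lookalikes flagged) and any change in the Received chain."""
    good = email.message_from_string(good_raw, policy=policy.default)
    bad = email.message_from_string(bad_raw, policy=policy.default)
    findings = {}
    for h in HEADERS:
        g, b = address(good, h), address(bad, h)
        if g != b:
            findings[h] = {"good": g, "bad": b, "lookalike": is_lookalike(g, b)}
    if received_hosts(good) != received_hosts(bad):
        findings["Received"] = {"good": received_hosts(good), "bad": received_hosts(bad)}
    return findings
```

Feed it the raw source of a genuine and a suspect message (saved from the client's mailbox, since only the recipient's copy carries the full Received chain); a lookalike flag on From or Reply-To together with a different first Received host is the pattern described in the thread.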

Just a quick answer.... the most likely culprit would be your relative using untrusted WiFi and also using insecure POP3 without SSL. Of course, there are other considerations, but the very first thing I would do is ensure that POP3 is NOT used without SSL and if there is no choice in that matter, then it is essential that your relative only use known trusted networks that cannot easily scan for passwords in clear text (which POP3 without SSL will give). Anyone using email these days should, at bare minimum, use SSL (or really TLS).
Kind Regards
AndrewM

I would suggest checking the Bigpond account settings in their web portal for any email forwarding rules set up on that account. Perhaps the account was compromised and set up to forward-copy all email to another server where it is then tampered with. Even if you change the password that mail rule would still operate.
On Tue, Sep 29, 2015 at 3:35 PM, Brian May <brian@microcomaustralia.com.au> wrote:
Hello All,
I have a Windows-based family member who is sending outgoing invoices via email, I think using a Telstra Bigpond email account.
Somehow somebody is copying my relative's outgoing emails, replacing the contact details with their (very similar) contact details, and replacing the bank account details with their bank account details. All the other unique details in the invoice are the same and customized for the client. The attacker responds to emails to the new (but almost identical) email address that was in the email, and impersonates my relative in email conversations.
I think (need to check) the client gets two copies of the invoice, one good and one bad.
This results in the clients paying the wrong account.
My relative has changed his email password, had a complete virus scan of his computer; however the issue is still occurring.
It seems like a very much targeted attack. It is becoming somewhat expensive.
Any ideas? Apart from sending invoices by post? Which may or may not work depending on what access the attacker has? Is there anyone I could refer my relative to in order to sort out this mess?
Unfortunately, I think "use GPG" isn't an option. Even if his emails had signatures, it is unlikely his clients would know how to check them.
Obviously this goes to show how insecure email is, however I am speculating that the intruder doesn't have access to the network to monitor the SMTP sessions.
Regards
_______________________________________________ luv-talk mailing list luv-talk@luv.asn.au http://lists.luv.asn.au/listinfo/luv-talk

On Tue, 29 Sep 2015 at 16:37 Vaughan Lapsley <vaughan.lapsley@gmail.com> wrote:
I would suggest checking the Bigpond account settings in their web portal for any email forwarding rules set up on that account. Perhaps the account was compromised and set up to forward-copy all email to another server where it is then tampered with.
Interesting idea. Have got my relative to search the settings, see if he can find anything.

Several people have asked me privately about police involvement. My relative has contacted the police and filled in a form; according to him the police aren't interested in following up.

On Tue, September 29, 2015 5:48 pm, Brian May wrote:
Several people have asked me privately about police involvement.
My relative has contacted the police and filled in a form; according to him the police aren't interested in following up.
You need to contact a specialist group. http://www.police.vic.gov.au/content.asp?document_id=21537 ACORN seems to be the right body.
(copied to luv-talk in case others might encounter the need)
--
Lev Lafayette, BA (Hons), GradCertTerAdEd (Murdoch), GradCertPM, MBA (Tech Mngmnt) (Chifley)
mobile: 0432 255 208
RFC 1855 Netiquette Guidelines http://www.ietf.org/rfc/rfc1855.txt

On Tue, Sep 29, 2015 at 05:35:02AM +0000, Brian May wrote:
Somehow somebody is copying my relative's outgoing emails, replacing the contact details with their (very similar) contact details, and replacing the bank account details with their bank account details. All the other unique details in the invoice are the same and customized for the client. The attacker responds to emails to the new (but almost identical) email address that was in the email, and impersonates my relative in email conversations.
Recommendations for your relative:
- Gather as much evidence as possible
- Report the crime to their State/Territory Police
- Consider one of the following compromised
  + Their mail client and/or desktop OS
  + Their credentials for POP/IMAP
  + The path to their SMTP server
- From a fresh up-to-date install
  + Ensure they have TLS enabled for SMTP on their mail client
  + Ensure they have TLS enabled for POP3/IMAP
  + Verify that TLS has been enabled and verify that it's working
  + Update their password again, making sure not to "remember password"
- If the Windows MUA du jour verifies S/MIME signatures by default, perhaps they could investigate the use of S/MIME rather than GPG?
  + Note: This would probably require a 3rd party certificate, which may or may not have a financial cost associated
~ Joel

On 29 September 2015 3:35:02 pm AEST, Brian May <brian@microcomaustralia.com.au> wrote:
Hello All,
I have a Windows-based family member who is sending outgoing invoices via email, I think using a Telstra Bigpond email account.
Somehow somebody is copying my relative's outgoing emails, replacing the contact details with their (very similar) contact details, and replacing the bank account details with their bank account details. All the other unique details in the invoice are the same and customized for the client. The attacker responds to emails to the new (but almost identical) email address that was in the email, and impersonates my relative in email conversations.
I think (need to check) the client gets two copies of the invoice, one good and one bad.
This results in the clients paying the wrong account.
My relative has changed his email password, had a complete virus scan of his computer; however the issue is still occurring.
It seems like a very much targeted attack. It is becoming somewhat expensive.
Any ideas? Apart from sending invoices by post? Which may or may not work depending on what access the attacker has? Is there anyone I could refer my relative to in order to sort out this mess?
Unfortunately, I think "use GPG" isn't an option. Even if his emails had signatures, it is unlikely his clients would know how to check them.
Obviously this goes to show how insecure email is, however I am speculating that the intruder doesn't have access to the network to monitor the SMTP sessions.
Regards
Brian,
This has been hinted at already, but can you set up an alternate SMTP server, at least till the problem is fixed (like Gmail)?
Keith Bainbridge
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

On Tue, 29 Sep 2015 03:35:02 PM Brian May wrote:
My relative has changed his email password, had a complete virus scan of his computer; however the issue is still occurring.
Virus scans are not reliable in this regard. The ones that check for signatures of known malware don't work with unknown malware (e.g. anything compiled specifically for the target). The ones that look for patterns of operation are more prone to false alarms.
I suggest that the best first step is to get them to use a new computer that's freshly installed for the sole purpose of sending invoices (not playing games, surfing porn, etc). Why not just give them an old Linux PC that you set up for them?
After getting the new PC online, change the password for Bigpond and disable any email forwarding etc that may have been enabled.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Brian May wrote:
[$user sends outgoing invoices via cleartext email.] [$AR receives original invoice, and spoofed invoice, pays wrong one.] [GPG is too hard.] [targeted attack?]
I'm not clear on your threat model:
* if this is an APT, game over, you lose.
* if not, are they watching mail pass through a system they control, or what? e.g. are they a Bigpond employee, or did they just crack his email password and set up a simple CC?
If they don't have permanent (legitimate) access, and just broke in and configured Bigpond to send them a copy of outbound mail, then changing the Bigpond config & improving password discipline should be enough.
If the current cleartext email method is fundamentally compromised, there are other alternatives for B2B, that are more secure than cleartext email, but more convenient than GPG. For example:
- get AR to set up an SFTP (or FTP) upload point, with keys (or passwords). $user uploads invoice.pdf using filezilla or winscp. Don't transmit the upload details over email. I suppose dropbox would be roughly equivalent.
- 'password protect' invoice.pdf with a pre-shared key, that is never sent via the compromised channel. The attacker will then have to brute-force the key, which is probably easy, but if their attack tool doesn't support it, they'll have to submit a feature request &c.
- Joel suggested S/MIME. I expect this to be too painful for B2B, but it's worth investigating. IME it's primarily used for INTRA-org mail within large organizations, where cert setup is handled by the org's provisioning infrastructure, which you don't have access to in this case.

Trent W. Buck wrote:
> Brian May wrote:
> > [$user sends outgoing invoices via cleartext email.]
> > [$AR receives original invoice, and spoofed invoice, pays wrong one.]
> - get AR to set up an SFTP (or FTP) upload point,
PS: maybe I meant "accounts payable" not "accounts receivable". I always get them mixed up. There's currently too much blood in my caffeine stream to grok Wikipedia's descriptions of the two.

On Wed, September 30, 2015 12:07 pm, Trent W. Buck wrote:
PS: maybe I meant "accounts payable" not "accounts receivable". I always get them mixed up.
There's currently too much blood in my caffeine stream to grok Wikipedia's descriptions of the two.
Accounts payable = money you owe to others
Accounts receivable = money people owe to you.
--
Lev Lafayette, BA (Hons), GradCertTerAdEd (Murdoch), GradCertPM, MBA (Tech Mngmnt) (Chifley)
mobile: 0432 255 208
RFC 1855 Netiquette Guidelines http://www.ietf.org/rfc/rfc1855.txt

Ok, so hopefully here is a summary of the responses.
* Don't rely on virus scan - just because it says the system is clean doesn't mean it is clean.
* Use a clean OS install on the computer.
* Ensure OS has all security updates installed.
* Don't use Outlook; however, if Outlook must be used, ensure it is using TLS for SMTP and POP. Seems obvious: check the servers are the correct servers.
* I think the problems with Outlook: could have security vulnerabilities, and stores credentials locally.
* If continuing to use Bigpond:
  * Ensure email is not forwarded to a malicious address.
  * Probably should change his email password from the clean OS install, and never use it on any other system.
* Use an email provider that can help debug these issues. I had at least one person volunteering for such a service via private email.
* OR: Use an email provider like Gmail that is accessible using HTTPS (plus Gmail has good 2nd factor authentication).
* Report to ACORN police department.
* Person must change his habits. "He _must_ acknowledge that security is a process, not a product, and that his behaviours and understanding are crucial. If he will not change, he will not have the monies from the invoices he sends out. That might seem harsh, but it is also living in the real world." Knowing the person in question - and also considering the many months this has been happening, that is probably a fair assessment. Not sure how to guide him on doing so however.
* Use S/MIME??? Probably not possible with a webmail cloud provider like Gmail.
There were some other responses I don't consider so likely:
* Check WiFi security.
* Check router not compromised.
sidenote 1: I think this computer will be dedicated to work, and not used for playing games, surfing porn, or other dodgy stuff; person suspects it is a virus distributed via PDF file, which I can't comment on; suspect Outlook might be most vulnerable here.
sidenote 2: If the local computer is compromised, the attacker could access invoices before they are even emailed.
One thing nobody mentioned: mobile phones, including any lost or missing phones. Suspect not an issue here, however that is an assumption on my part. Should check.
Was there anything I missed?
participants (9)
- Andrew McGlashan
- Brian May
- Joel W. Shea
- Keith Bainbridge
- Lev Lafayette
- Rohan McLeod
- Russell Coker
- Trent W. Buck
- Vaughan Lapsley