29 Sep
2015
29 Sep
'15
3:35 p.m.
Hello All,
I have a windows based family member who is sending out going invoices via
email, I think using a Telstra Bigbond email account.
Somehow somebody is copying my relatives outgoing emails, replacing the
contact details with their (very similar) contact details, and replacing
the bank account details with their bank account details. All the other
unique details in the invoice are the same and customized for the client.
The attacker responds to emails to the new (but almost identical) email
address that was in the email, and impersonates my relative in email
conversations.
I think (need to check) the client gets two copies of the invoice, one good
and one bad.
This results the clients paying the wrong account.
My relative has changed his email password, had a complete virus scan of
his computer; however the issue is still occurring.
It seems like a very much targeted attack. It is becoming somewhat
expensive.
Any ideas? Apart from sending invoices postal? Which may or may not work
depending on what access the attacker has? Is there anyone I could refer my
relative to in order sort out this mess?
Unfortunately, I think "use GPG" isn't an option. Even if his emails had
signatures, it is unlikely his clients would know how to check them.
Obviously this goes to show how insecure email is, however I am speculating
that the intruder doesn't have access to the network to monitor the SMTP
sessions.
Regards
29 Sep
29 Sep
4:23 p.m.
Brian May wrote:
Hello All,
I have a windows based family member who is sending out going invoices
via email, I think using a Telstra Bigbond email account.
Somehow somebody is copying my relatives outgoing emails, replacing
the contact details with their (very similar) contact details, and
replacing the bank account details with their bank account details.
All the other unique details in the invoice are the same and
customized for the client. The attacker responds to emails to the new
(but almost identical) email address that was in the email, and
impersonates my relative in email conversations.
Brian,
I assume closing the BigPond account and openning a newone is not an option,
because the old one has extensive circulation ?
You're certain the attacker couldn't have just cracked the email
adrress and altered configuration settings,
to achieve the current exploit ?
I did a quick google for "Big Pond email man-in-the-middle " nothing
came up;
perhaps you could you check the header details on a faked email (by
getting the relative to send you an invoice);
with those, on some much older email from the same relative prior to
the scam ?
regards Rohan
McLeod
4:29 p.m.
Just a quick answer.... the most likely culprit would be your relative
using untrusted WiFi and also using insecure POP3 without SSL.
Of course, there are other considerations, but the very first thing I
would do is ensure that POP3 is NOT used without SSL and if there is no
choice in that matter, then it is essential that your relative only use
known trusted networks that cannot easily scan for passwords in clear
text (which POP3 without SSL will give).
Anyone using email these days should, at bare minimum, use SSL (or
really TLS).
Kind Regards
AndrewM
4:36 p.m.
I would suggest checking the Bigpond account settings in their web portal
for any email forwarding rules setup on that account. Perhaps the account
was compromised and setup to forward-copy all email to another server where
it is then tampered with.
Even if you change the password that mail rule would still operate.
On Tue, Sep 29, 2015 at 3:35 PM, Brian May <brian(a)microcomaustralia.com.au>
wrote:
Hello All,
I have a windows based family member who is sending out going invoices via
email, I think using a Telstra Bigbond email account.
Somehow somebody is copying my relatives outgoing emails, replacing the
contact details with their (very similar) contact details, and replacing
the bank account details with their bank account details. All the other
unique details in the invoice are the same and customized for the client.
The attacker responds to emails to the new (but almost identical) email
address that was in the email, and impersonates my relative in email
conversations.
I think (need to check) the client gets two copies of the invoice, one
good and one bad.
This results the clients paying the wrong account.
My relative has changed his email password, had a complete virus scan of
his computer; however the issue is still occurring.
It seems like a very much targeted attack. It is becoming somewhat
expensive.
Any ideas? Apart from sending invoices postal? Which may or may not work
depending on what access the attacker has? Is there anyone I could refer my
relative to in order sort out this mess?
Unfortunately, I think "use GPG" isn't an option. Even if his emails had
signatures, it is unlikely his clients would know how to check them.
Obviously this goes to show how insecure email is, however I am
speculating that the intruder doesn't have access to the network to monitor
the SMTP sessions.
Regards
_______________________________________________
luv-talk mailing list
luv-talk(a)luv.asn.au
http://lists.luv.asn.au/listinfo/luv-talk
4:45 p.m.
On Tue, 29 Sep 2015 at 16:37 Vaughan Lapsley <vaughan.lapsley(a)gmail.com>
wrote:
I would suggest checking the Bigpond account settings
in their web portal
for any email forwarding rules setup on that account. Perhaps the account
was compromised and setup to forward-copy all email to another server where
it is then tampered with.
Interesting idea. Have got my relative to search the settings, see if he
can find anything.
4:48 p.m.
Several people have asked me privately about police involvement.
My relative has contacted the police and filled in a form; according to him
the police aren't interested in following up.
4:54 p.m.
On Tue, September 29, 2015 5:48 pm, Brian May wrote:
Several people have asked me privately about police
involvement.
My relative has contacted the police and filled in a form; according to
him the police aren't interested in following up.
You need to contact a specialist group.
http://www.police.vic.gov.au/content.asp?document_id=21537
ACORN seems to be the right body.
(copied to luv-talk in case others might encounter the need)
--
Lev Lafayette, BA (Hons), GradCertTerAdEd (Murdoch), GradCertPM, MBA (Tech
Mngmnt) (Chifley)
mobile: 0432 255 208
RFC 1855 Netiquette Guidelines
http://www.ietf.org/rfc/rfc1855.txt
4:54 p.m.
On Tue, Sep 29, 2015 at 05:35:02AM +0000, Brian May wrote:
Somehow somebody is copying my relatives outgoing emails, replacing
the contact details with their (very similar) contact details, and
replacing the bank account details with their bank account details.
All the other unique details in the invoice are the same and
customized for the client. The attacker responds to emails to the new
(but almost identical) email address that was in the email, and
impersonates my relative in email conversations.
Recommendations for your relative;
- Gather as much evidence as possible
- Report the crime to their State/Territory Police
- Consider one of the following compromised
+ Their mail client and/or desktop OS
+ Their credentials for POP/IMAP
+ The path to their SMTP server
- From a fresh up-to-date install
+ Ensure they have TLS enabled for SMTP on their mail client
+ Ensure they have TLS enabled for POP3/IMAP
+ Verify that TLS has been enabled and verify that it's working
+ Update their password again, making sure not to "remember password"
- If the Windown MUA du juor verifies S/MIME signatures by default,
perhaps they could investigate the use of S/MIME rather than GPG?
+ Note: This would probably require a 3rd party certificate, which may
or may not have a financial cost associated)
~ Joel
6:43 p.m.
On 29 September 2015 3:35:02 pm AEST, Brian May <brian(a)microcomaustralia.com.au>
wrote:
Hello All,
I have a windows based family member who is sending out going invoices
via
email, I think using a Telstra Bigbond email account.
Somehow somebody is copying my relatives outgoing emails, replacing the
contact details with their (very similar) contact details, and
replacing
the bank account details with their bank account details. All the other
unique details in the invoice are the same and customized for the
client.
The attacker responds to emails to the new (but almost identical) email
address that was in the email, and impersonates my relative in email
conversations.
I think (need to check) the client gets two copies of the invoice, one
good
and one bad.
This results the clients paying the wrong account.
My relative has changed his email password, had a complete virus scan
of
his computer; however the issue is still occurring.
It seems like a very much targeted attack. It is becoming somewhat
expensive.
Any ideas? Apart from sending invoices postal? Which may or may not
work
depending on what access the attacker has? Is there anyone I could
refer my
relative to in order sort out this mess?
Unfortunately, I think "use GPG" isn't an option. Even if his emails
had
signatures, it is unlikely his clients would know how to check them.
Obviously this goes to show how insecure email is, however I am
speculating
that the intruder doesn't have access to the network to monitor the
SMTP
sessions.
Regards
------------------------------------------------------------------------
_______________________________________________
luv-talk mailing list
luv-talk(a)luv.asn.au
http://lists.luv.asn.au/listinfo/luv-talk
Brian
This has been hinted at already, but
Can you set up an alternate smtp server, at least till the problem is fixed (like gmail)?
Keith Bainbridge
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
11:06 p.m.
On Tue, 29 Sep 2015 03:35:02 PM Brian May wrote:
My relative has changed his email password, had a
complete virus scan of
his computer; however the issue is still occurring.
Virus scans are not reliable in this regard. The ones that check for
signatures of known malware don't work with unknown malware (EG anything
compiled specifically for the target). The ones that look for patterns of
operation are more prone to false alarms.
I suggest that the best first step is to get them to use a new computer that's
freshly installed for the sole purpose of sending invoices (not playing games,
surfing porn, etc). Why not just give them an old Linux PC that you setup for
them?
After getting the new PC online change the password for Bigpond and disable
any email forwarding etc that may have been enabled.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
30 Sep
30 Sep
11:05 a.m.
Brian May wrote:
[$user sends outgoing invoices via cleartext email.]
[$AR receives original invoice, and spoofed invoice, pays wrong one.]
[GPG is too hard.]
[targeted attack?]
I'm not clear on your threat model:
* if this is an APT, game over, you lose.
* if not, are they watching mail pass through a system they control, or what?
e.g. are they a Bigpond employee, or did they just crack his email password and set up
a simple CC?
If they don't have permanent (legitimate) access, and just broke in
and configured bigpond to send them a copy of outbound mail,
then changing the bigpond config &
using improving password discipline should be enough.
If the current cleartext email method is fundamentally compromised,
there are other alternatives for B2B,
that are more secure than cleartext email,
but more convenient than GPG.
For example:
- get AR to set up an SFTP (or FTP) upload point,
with keys (or passwords).
$user uploads invoice.pdf using filezilla or winscp.
Don't transmit the upload details over email.
I suppose dropbox would be roughly equivalent.
- 'password protect' invoice.pdf with a pre-shared key,
that is never sent via the compromised channel.
The attacker will then have to brute-force the key,
which is probably easy, but if their attack tool doesn't support it,
they'll have to submit a feature request &c.
- Joel suggested S/MIME.
I expect this to be too painful for B2B, but it's worth investigating.
IME it's primarily used for INTRA-org mail within large organizations,
where cert setup is handled by the org's provisioning infrastructure,
which you don't have access to in this case.
11:07 a.m.
Trent W. Buck wrote:
Brian May wrote:
PS: maybe I meant "accounts payable" not "accounts receivable".
I always get them mixed up.
There's currently too much blood in my caffeine stream to grok
Wikipedia's descriptions of the two.
[$user sends outgoing invoices via cleartext
email.]
[$AR receives original invoice, and spoofed invoice, pays wrong one.]
- get AR
to set up an SFTP (or FTP) upload point,
12:06 p.m.
On Wed, September 30, 2015 12:07 pm, Trent W. Buck wrote:
PS: maybe I meant "accounts payable" not "accounts receivable".
I always get them mixed up.
There's currently too much blood in my caffeine stream to grok
Wikipedia's descriptions of the two.
Accounts payable = money you owe to others
Accounts receivable = money people owe to you.
--
Lev Lafayette, BA (Hons), GradCertTerAdEd (Murdoch), GradCertPM, MBA (Tech
Mngmnt) (Chifley)
mobile: 0432 255 208
RFC 1855 Netiquette Guidelines
http://www.ietf.org/rfc/rfc1855.txt
6 Oct
6 Oct
4:28 p.m.
Ok, so hopefully here is a summary of the responses.
* Don't rely on virus scan - just because it says system is clean doesn't
mean it is clean.
* Use a clean OS install on computer.
* Ensure OS has all security updates installed.
* Don't use Outlook, however if Outlook must be used, ensure it is using
TLS for SMTP and POP. Seems obvious: check the servers are the correct
servers.
* I think the problems with Outlook: could have security vulnerabilities,
and stores credentials locally.
* If continue to using Bigpond:
* Ensure email is not forwarded to malicious address.
* probably should change his email password from the clean OS install,
and never use it any other system.
* Use an email provider that can help debug these issues. I had at least
one person volunteering for such a service via private email.
* OR: Use an email provider like gmail that is accessible using HTTPS (plus
gmail has good 2nd factor authentication)
* Report to ACORN police department.
* Person must change his habits. "He _must_ acknowledge that security is a
process, not a product, and that his behaviours and understanding are
crucial. If he will not change, he will not have the monies from the
invoices he sends out. That might seem harsh, but it is also living inn the
real world." Knowing the person in question - and also considering the many
months this has been happening, that is probably a fair assessment. Not
sure how to guide him on doing so however.
* Use S/MIME??? Probably not possible with webmail cloud provider like
gmail.
There were some other responses I don't consider so likely:
* Check WIFI security.
* Check router not compromised.
sidenote 1: I think this computer will be dedicated to work, and not used
for playing games, surfing porn, or other dodgy stuff; person suspects it
is a virus distributed via PDF file, which I can't comment on; suspect
Outlook might be most vulnerable here.
sidenote 2: If local computer is compromised, attacker could access
invoices before they are even emailed.
One thing nobody mentioned, mobile phones, including any lost or missing
phones. Suspect not an issue here, however that is an assumption on my
part. Should check.
Was there anything I missed?
2733
days inactive
2740
days old
13 comments
9 participants
participants (9)
-
Andrew McGlashan -
Brian May -
Joel W. Shea -
Keith Bainbridge -
Lev Lafayette -
Rohan McLeod -
Russell Coker -
Trent W. Buck -
Vaughan Lapsley