
Question

Email Compromise

Aug 11, 2016 1:50PM PDT

Firstly guys, I've just signed up so thanks for having me. Sorry to start by asking for help.

I work as I.T. support for a small business. I received a call from them today in relation to an attempted email fraud possibly using “spoofing”. Below I outline the scenario and my questions. Please appreciate that the use of my simplified language is only to break things down so that nothing is lost in the communication.

Scenario:

Two separate businesses called A & B are in email communications in relation to a business transaction. B calls A in relation to an email from them informing them that A had changed bank account details to a new account given in the email. Being suspicious B wanted to confirm this information as the email came from them (or so it appears).

Alarmed at this news A asked B to fax them a copy of the communication so they could look into this further. They made all the relevant authorities aware such as police, action fraud, bank etc before calling me to check their computers & network. Company A log into their email using Microsoft 365 online portal and emails are not downloaded on to their computers, they are kept on ISP’s servers.

I have this company change their email password every few months and I carry out all the relevant precautions regularly such as virus/malware scanning, wireless network password change and ensuring all machines are updated as best as possible. All computers in the office are behind a router and AV software and whilst I appreciate this doesn’t mean it’s Fort Knox safe it is reasonable and I much doubt their systems have been compromised given the novice approach used by the would-be hacker.

Upon receipt of the faxed copy of the email company A notices that the email does indeed appear to come from them yet they didn’t send it. They also notice on the fax that the email in question was a reply to an earlier email from B dated the 5th August which company A never received but company B did send. The email dated the 5th contained an attachment which confirmed the completion of a business transaction between A & B with B making note that all remaining monies had been paid to A’s bank account number ********. This email was responded to by the would-be hacker asking company B to make note of company A’s new account details.

So in my view there are two possible scenarios.
1. A’s email account security was compromised (company I offer I.T. support to)
2. B’s email account was compromised

So…

1. For either of the two above scenarios to happen someone would need access to the password of either account. Is this correct?

2. Assuming someone had access to B’s email account. How could they intercept an email from B to A before reaching A? How could they then send an email back to B from A’s account? This scenario makes less sense to me unless I am missing something.

3. Assuming the would-be hacker had access to company A’s computer. This would explain the email intercept from B and the sending of an email from their account. But how could this be possible given that the email password is regularly changed and even I don’t know it and assuming all staff members are trustworthy? They have all worked in the same company for 10+ years each. Why this one email wherein the business dealings had concluded and not another deal from A’s computers that hadn’t concluded?

4. There are 4 days between the genuine email dated the 5th August from B to A and the fraudulent response. If company A’s email was compromised how could the genuine email from B that A claimed they never received be kept on the server for 4 days without the staff being aware of this? I get that an email could be sent from their account and deleted but how could one be received and unnoticed?

I would appreciate any feedback on my enquiry that may shed light on this scenario.

Best Regards

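One thing a support person can do with the faxed (or better, forwarded as an attachment) copy of the fraudulent reply is read its headers rather than its display name. The script below is an added example, not code from the original poster or from CNET; it parses a constructed message with Python's standard-library email parser and lists the indicators a defender would check first in a "new bank details" reply: a Reply-To that leads somewhere other than the address the From line claims, a Received chain that never passes through the sender's known mail host, a claim to be a reply to a message the recipient should verify they actually sent, and body text about bank account details. All addresses, hostnames, IP addresses and message IDs are constructed placeholders.

```python
"""Header triage for a suspicious 'changed bank details' reply.

Added example (not from the original thread). Parses a constructed
message and reports indicators worth checking before anyone pays a
"new" account. Every address, host and message ID below is made up.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: looks like a reply from company A, but the Reply-To
# points at a look-alike domain and the Received chain never touches A's
# mail host. (Placeholder domains under .test, documentation IP ranges.)
SAMPLE_EML = """\
Received: from mail.example-isp.test (mail.example-isp.test [192.0.2.10])
\tby mx.company-b.test with ESMTP id ABC123; Thu, 11 Aug 2016 09:14:00 +0100
Received: from unknown (HELO company-a.test) (198.51.100.7)
\tby mail.example-isp.test; Thu, 11 Aug 2016 09:13:55 +0100
From: "Accounts - Company A" <accounts@company-a.test>
Reply-To: accounts@company-a-invoices.test
To: finance@company-b.test
Subject: RE: Final payment for order 4471
In-Reply-To: <20160805.1234@company-b.test>
Date: Thu, 11 Aug 2016 09:13:50 +0100
Content-Type: text/plain; charset=utf-8

Please note our new bank account details for all future payments.

> Sent: 05 August 2016
> All remaining monies have been paid to your account ********.
"""


def domain_of(addr):
    """Return the lowercase domain of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def check_headers(raw, expected_domain, expected_mail_hosts):
    """Return a list of indicator strings found in the raw message.

    expected_domain:     the domain the From line claims (company A's)
    expected_mail_hosts: hostnames that legitimately relay that domain's mail
    """
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Replies go to the Reply-To address, not the pretty From address.
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"reply-to mismatch: From={from_domain} Reply-To={reply_domain}")
    elif from_domain != expected_domain.lower():
        findings.append(f"From domain {from_domain} is not {expected_domain}")

    # 2. Mail really sent by the claimed organisation should show a hop
    #    through one of its known mail hosts in the Received chain.
    received = msg.get_all("Received", [])
    if not any(host in line for line in received for host in expected_mail_hosts):
        findings.append("no Received hop via the sender's known mail host")

    # 3. A reply to a message the recipient did send is how this fraud gains
    #    credibility; the referenced message should be confirmed out of band.
    if msg["In-Reply-To"]:
        findings.append(
            f"claims to reply to {msg['In-Reply-To']}; confirm that message was really sent")

    # 4. Payment-detail changes are the payload; flag them for a phone check
    #    on a number already on file, never one given in the email.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if "bank" in body.lower() and "account" in body.lower():
        findings.append("body mentions bank account details; verify by phone")

    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_EML, "company-a.test", ["mail.company-a.test"]):
        print("-", finding)
```

The script does not decide whether the message is fraudulent; it lists what to verify, and the verification (a phone call to a number already on file) happens outside email. The Received check assumes you know which hosts relay the claimed sender's mail, which for a Microsoft 365 tenant would be its own outbound servers rather than an unrelated ISP relay.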

Answer
Imagine if
Aug 11, 2016 2:02PM PDT

The email, as you write, is at the ISP. Let's say the sender's or receiver's account name and password was no longer secure, by whatever means you want to guess that happened.

I could read the emails that are at the ISP before the receiver, then delete it before they read this email. And I could make a new email.

If these folk are using Outlook or even the ISP web email, it would all seem like a mystery.

This is not an offer of free forensics. This is a story that isn't that uncommon and most of the time is just the old story of some folk that used their PCs on some free wifi spot. That's the most common hack I know of today.

Re
Aug 11, 2016 2:50PM PDT

Hi, thanks for your input.

[quote]The email, as you write, is at the ISP. Let's say the sender's or receiver's account name and password was no longer secure, by whatever means you want to guess that happened.

I could read the emails that are at the ISP before the receiver, then delete it before they read this email. And I could make a new email.[/quote]

Yes I get that OK but how could someone hold an email from the 5th of August (date of the legit email from B to A that A didn't receive) to the 11th when they replied to it without either side knowing? Unless of course the fraudulent email of the 11th just included a copy and paste of the 5th's email? I suppose that could be possible. I should pursue further enquiry along that route.

[quote]If these folk are using Outlook or even the ISP web email, it would all seem like a mystery.[/quote]

Not really if the would-be hacker had access to either side's email password. BT Business uses 365 so if someone knows an email password they are in.

[quote]This is not an offer of free forensics. This is a story that isn't that uncommon and most of the time is just the old story of some folk that used their PCs on some free wifi spot. That's the most common hack I know of today.[/quote]

Yeah that was a concern of mine, hence why I ensured all devices were connected to the right network and passwords and security settings were changed.

Still baffles me as to why, if the exploit was at my client's end (A), this one particular email was selected that was in connection to a transaction that had already completed. Why not try their hand at the emails to other companies that hadn't completed, is what I am asking myself.

I think what I'm trying to do here is ensure that I am doing all that I possibly can to secure their emails. I don't want leaks at my end.

Thanks again though.

Very few reveal they shared the password.
Aug 11, 2016 2:59PM PDT

ISP email systems are not that secure. And secure email is a fantasy here in the USA.

Example? Read https://en.wikipedia.org/wiki/Lavabit

Since our government is not going to allow secure email, you know if you are dealing in money, you never leave it just to emails.

But as in my title, I find most folk won't reveal they used their laptop at an open WiFi. With what I know, I don't.