Intercepted Email Attempts to Steal Payments

Published: 2014-01-08
Last Updated: 2014-01-08 18:14:47 UTC
by Kevin Shortt (Version: 1)
17 comment(s)

A reader sent in details of an incident that is currently being investigated in their environment. (Thank you, Peter, for sharing!) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. It works by the scammer slipping into an existing email conversation, undetected, in order to channel an ordinary payment for services or goods into his own coffers.

Here is a simple breakdown of the flow:

  • The Supplier sends a business email to the Customer; the email mentions that a payment has been received and asks when the next payment will arrive.

  • The Scammer intercepts and slightly alters the email.

  • The Customer receives the email, seemingly from the Supplier but altered by the Scammer, with the following text slipped into it:

             "KIndly inform when payment shall be made so i can provide you with our offshore trading account as our account department has just informed us that our regular account is right now under audit and government taxation process as such we cant recieve funds through it our account dept shall be providing us with our offshore trading account for our transactions.  Please inform asap so our account department shall provide our offshore trading account for your remittance."

  • The Scammer sets up a fake domain name with a similar look and feel, i.e. if the legitimate domain is google.us, then the fake one could be google-us.com.

  • An email is sent to the Customer from the fake domain giving the new account details to which the funds should be channelled:

    "Kindly note  that our account department has just informed us that our regular account is right now under audit and government taxation process as such we can't receive funds through it. Our account department has provided us with our Turkey offshore trading account for our transactions. Kindly remit 30% down payment for invoice no. 936911 to our offshore trading account as below;

    Bank name: Xxxxx Xxxx
    Swift code:XXXXXXXX
    Router: 123456
    Account name: Xxx XXX Xx
    IBAN:TR123456789012345678901234
    Account number:1234567-123
    Address: Xxxxxxxxx Xxx Xx xxx Xxxxxxxx xxxxx Xxxxxxxx, Xxxxxx"

  • The Customer is very security conscious and noticed the following red flags, which averted the fraud:

        - The email was sent at an odd time (off hours for the time zones in question).
        - The domain in the spoofed email's addresses was incorrect (i.e. google-us.com vs. google.us).
        - The email contained repeated text, which added to its "spammy" feel.

This scam was averted by security-conscious business staff and properly analyzed by talented tech staff. We appreciate them sharing it with us.

What marks this as elaborate is that the email appears to have been fully intercepted and targeted: the inserted text referred to the very payment that had just been requested. Also, the fake domain created for this incident was registered only hours before the fraudulent email containing the account information was sent. Technical analysis showed that the email from the fake domain was sent from an IP address owned by neither the supplier nor the customer.
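As an added example (not code from the diary, from the reader's investigation, or from ISC), the following Python turns the red flags the Customer spotted above and the indicators in this paragraph (lookalike domain, off-hours send time, domain registered hours before use, originating IP outside both parties' networks, repeated text, payment-redirection language) into checks a mail gateway or an analyst could run over a suspicious message. Every concrete value it uses (the supplier domain, the netblocks, the IP address, the timestamps, the "first seen" date that a WHOIS or passive-DNS lookup would return, and both sample messages) is constructed for the example.

```python
"""Triage checks for a supplier "please pay to our new account" email.

Added example, not code from the ISC diary or the reader's environment.
All reference data and both sample messages below are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# --- Constructed reference data (assumptions, not values from the incident) ---
KNOWN_SUPPLIER_DOMAINS = {"google.us"}                      # the real supplier domain
OWN_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24"),    # supplier mail servers
                 ipaddress.ip_network("192.0.2.0/24")]       # customer mail servers
BUSINESS_HOURS_UTC = (8, 18)                                 # expected sending window
# Stand-in for a WHOIS / passive-DNS "first seen" lookup; mirrors the diary's
# observation that the fake domain appeared hours before the fraudulent email.
DOMAIN_FIRST_SEEN = {"google-us.com": datetime(2014, 1, 7, 20, 0, tzinfo=timezone.utc)}
PAYMENT_CHANGE_PHRASES = ("offshore", "under audit", "kindly remit", "new account")

# Constructed message modelled on the diary's description (lookalike sender,
# 02:41 UTC send time, unknown origin IP, duplicated sentence, redirection wording).
SAMPLE_EMAIL = """\
Received: from mx.lookalike.invalid ([203.0.113.45]) by mail.customer.invalid
From: Accounts Dept <accounts@google-us.com>
Reply-To: accounts@google-us.com
To: ap@customer.invalid
Date: Wed, 08 Jan 2014 02:41:00 +0000
Subject: Re: Invoice payment

Kindly note that our regular account is right now under audit. Kindly remit 30%
down payment to our offshore trading account as below. Kindly note that our
regular account is right now under audit.
Bank name: Xxxxx Xxxx
"""

# Constructed benign message from the genuine supplier, for comparison.
LEGIT_EMAIL = """\
Received: from mail.supplier.invalid ([198.51.100.10]) by mail.customer.invalid
From: Accounts Dept <accounts@google.us>
To: ap@customer.invalid
Date: Wed, 08 Jan 2014 10:00:00 +0000
Subject: Re: Invoice payment

Thank you for the payment received today. When will the next installment arrive?
"""


def _squash(domain):
    """Keep only letters/digits so google-us.com and google.us become comparable."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def _levenshtein(a, b):
    """Edit distance, used to catch single-character swaps such as goog1e.us."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, known_domains):
    """True if sender_domain imitates a known domain without being one of them."""
    sender_domain = sender_domain.lower()
    if sender_domain in known_domains:
        return False
    s = _squash(sender_domain)
    for known in known_domains:
        k = _squash(known)
        if s.startswith(k) or k.startswith(s) or _levenshtein(s, k) <= 2:
            return True
    return False


def triage(raw_message, known_domains=KNOWN_SUPPLIER_DOMAINS):
    """Return the list of red flags raised by the message (empty list = none found)."""
    msg = message_from_string(raw_message)
    flags = []

    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = from_addr.rpartition("@")[2]
    if is_lookalike(sender_domain, known_domains):
        flags.append(f"lookalike-domain:{sender_domain}")

    sent_at = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    if not BUSINESS_HOURS_UTC[0] <= sent_at.hour < BUSINESS_HOURS_UTC[1]:
        flags.append(f"off-hours:{sent_at.isoformat()}")

    first_seen = DOMAIN_FIRST_SEEN.get(sender_domain)
    if first_seen and sent_at - first_seen < timedelta(hours=48):
        flags.append("domain-newer-than-48h")

    # Originating IP from the outermost Received header (simplified parsing).
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    if m and not any(ipaddress.ip_address(m.group(1)) in net for net in OWN_NETBLOCKS):
        flags.append(f"unknown-origin-ip:{m.group(1)}")

    body = msg.get_payload().lower()
    hits = [p for p in PAYMENT_CHANGE_PHRASES if p in body]
    if hits:
        flags.append("payment-change-language:" + ",".join(hits))

    # Repeated sentences: whitespace-normalised so line wrapping does not hide duplicates.
    sentences = [" ".join(s.split()) for s in re.split(r"[.!?]\s+", body) if s.strip()]
    if len(sentences) != len(set(sentences)):
        flags.append("repeated-text")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, triage(raw))
```

None of these checks is conclusive on its own (a genuine supplier does occasionally mail at 02:41), which is why the function returns all flags rather than a verdict: a single lookalike-domain or new-domain hit on a message that changes bank details is enough to route it to a human who phones the supplier on a previously known number.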

This incident is still under investigation and we will provide more (suitably obfuscated) details as they become available. Please comment and discuss with us if this has happened in your environment, and what was done to mitigate it and investigate further.


-Kevin

--
ISC Handler on Duty

Keywords: email scam fraud