Mail fraud with Outlook implication

Larry Sabo

I have a customer who is the victim of mail fraud and I've tried searching for a thread we had a while back about the same issue but can't seem to find it. My customer provides engineering services and one of their customers received a bogus e-mail, purportedly from this engineer, asking the customer who he should be dealing with on changes to their (the engineering company's) payment processes and accounts. The customer asked for account details and the fraudster, masquerading as the engineer, provided bogus account details. They don't even deal with the bank whose account details were provided by the fraudster.

My recollection is there is an Outlook account setting where the fraudster insinuates his e-mail address so he receives a copy of all mail, and the fraudster uses copies of the mail to familiarize himself with the business, which makes it easier to impersonate the customer and request account changes for payment for services.

GoDaddy hosts their domain and provides mail services. I've referred them to GoDaddy for assistance in tracking down the breach, as I'm out of my depth on this. Any suggestions on where to go next in making this customer sane? They have changed their mail password but the thread I mentioned indicated that there was no way to rectify the breach.

Can anyone recall the thread in question?
 
Your customer might not have had a breach but their customer might have.

Look for rules in outlook/owa. See if anything is being forwarded.

Is this 365 or godaddys own email? In 365 you can see the login history, run mail traces, etc.
 
If they are on 365, log into office.com
open Outlook
Go to the settings area
look in the forwarding section.
you will see any outside emails in there
Microsoft has a new alert now tho that tells you when an outsider turns that on and tries to forward
 
I'd try to get a copy of the fraud email that was received by your customer's customer. It could be that it didn't actually originate from your customer - may have been spoofed. A little bit of scanning the email headers can help determine that.

I had one last year where the email was impersonated and there were lots of red flags in the headers, such that the receiving company (a medium sized CPA firm) should have never let it through.

Another one I was privy to had a domain name that looked just like the customer's but was one letter off.

You'll also want to change his password and set up two factor authentication.
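As an added example (not posted by anyone in this thread), a small Python triage that automates the header checks described above: From versus Return-Path/Reply-To mismatch, the SPF/DKIM/DMARC results recorded by the receiving server, and a "one letter off" lookalike domain. The sample header, domains and the expected-domain name are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample header of a lookalike-domain spoof (not a real message).
SAMPLE_HEADERS = """\
Return-Path: <billing@acme-engneering.example>
Received: from mail.acme-engneering.example (unknown [203.0.113.10])
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=acme-engneering.example; dkim=none; dmarc=fail header.from=acme-engineering.example
From: "J. Engineer" <j.engineer@acme-engineering.example>
Reply-To: <billing@acme-engneering.example>
To: <ap@client.example>
Subject: Updated payment details

"""

def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an address header value."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to flag 'one letter off' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_headers(raw: str, expected_domain: str) -> list[str]:
    """Return the red flags found in the headers; an empty list means nothing obvious."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    other_doms = [domain_of(msg.get(h, "")) for h in ("Return-Path", "Reply-To")]
    # Envelope sender or reply address pointing somewhere other than the From domain.
    for hdr, dom in zip(("Return-Path", "Reply-To"), other_doms):
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Any domain that is almost, but not exactly, the domain we expect.
    for dom in {from_dom, *other_doms}:
        if dom and dom != expected_domain and edit_distance(dom, expected_domain) <= 2:
            flags.append(f"lookalike domain {dom} (close to {expected_domain})")
    # Results the receiving server stamped in; anything but 'pass' is worth a look.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            flags.append(f"{mech}={result}")
    return flags
```

Paste the headers from the suspicious message in place of the constructed sample and pass the firm's real domain as `expected_domain`; an empty result does not prove the message is genuine, only that the cheap tells are absent.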
 
I have a customer who is the victim of mail fraud and I've tried searching for a thread we had a while back about the same issue but can't seem to find it. My customer provides engineering services and one of their customers received a bogus e-mail, purportedly from this engineer, asking the customer who he should be dealing with on changes to their (the engineering company's) payment processes and accounts. The customer asked for account details and the fraudster, masquerading as the engineer, provided bogus account details. They don't even deal with the bank whose account details were provided by the fraudster.

My recollection is there is an Outlook account setting where the fraudster insinuates his e-mail address so he receives a copy of all mail, and the fraudster uses copies of the mail to familiarize himself with the business, which makes it easier to impersonate the customer and request account changes for payment for services.

GoDaddy hosts their domain and provides mail services. I've referred them to GoDaddy for assistance in tracking down the breach, as I'm out of my depth on this. Any suggestions on where to go next in making this customer sane? They have changed their mail password but the thread I mentioned indicated that there was no way to rectify the breach.

Can anyone recall the thread in question?
Not enough information here. Is the fake email actually being sent by the engineering firm's or is it just spoofed? People can spoof email without ever hacking into mail servers just by Googling information and making some social engineering phone calls. Need to examine the headers of the phishing emails to track the real source. Most likely it's not a real breach, just a clueless client that was tricked into revealing information and an invoice.
 
I have a customer who is the victim of mail fraud and I've tried searching for a thread we had a while back about the same issue but can't seem to find it. My customer provides engineering services and one of their customers received a bogus e-mail, purportedly from this engineer, asking the customer who he should be dealing with on changes to their (the engineering company's) payment processes and accounts. The customer asked for account details and the fraudster, masquerading as the engineer, provided bogus account details. They don't even deal with the bank whose account details were provided by the fraudster.

My recollection is there is an Outlook account setting where the fraudster insinuates his e-mail address so he receives a copy of all mail, and the fraudster uses copies of the mail to familiarize himself with the business, which makes it easier to impersonate the customer and request account changes for payment for services.

GoDaddy hosts their domain and provides mail services. I've referred them to GoDaddy for assistance in tracking down the breach, as I'm out of my depth on this. Any suggestions on where to go next in making this customer sane? They have changed their mail password but the thread I mentioned indicated that there was no way to rectify the breach.

Can anyone recall the thread in question?
Figuring out how the breach happened? Like almost all other breaches. Either they let someone remote/access their computer or they used, actually re-used, credentials. Have them go to https://haveibeenpwned.com/ to check email addresses.

As far as email flow is concerned, the scammers don't need to monitor new emails. They can just set up the account and all IMAP/Exchange folders will appear.

My experience so far indicates that when the black hats want to start targeting they'll set up rules to move outbound emails, with the victim's address, to another folder like Spam, Junk, Drafts, RSS Feeds, etc. In other words, folders the EU is not normally looking at. So they need to look at mail flow rules. Another thing they'll do is set up a copy rule to be alerted when the victim gets emails from the provider, like password resets.

On the new password? It can't be anything close to what the old one is. And @Larry Sabo also be aware that your customer may not have been pwned. If none of the evidence mentioned above is present, it's entirely possible the other party may have been hacked and they're using forged headers. Since they're with GoDaddy they should be able to see recent login locations.
 
People can spoof email without ever hacking into mail servers just by Googling information and making some social engineering phone calls.

This, this, this!!

I have actually grown bone-tired of all the panic calls about "my email being hacked" for spoofed email messages. If you've had any given email address long enough to have sent a number of messages with it you can almost be guaranteed it will be spoofed at one point or another.
 
Most of the time this happens because the person being scammed is being foolish, not the person being impersonated.

You need a sample of the mail in question, and I'm willing to bet it's a gmail address or some other free online email and not your customer's actual email address.

People fix this crap by using a PHONE to call the individuals in question to find out if it's real or not. Too bad everyone South of 40 seems afraid of these evil things called phone calls... but that's what you do.

Also, unless the person being impersonated is being monumentally silly (like not using MFA), the odds of them being compromised directly are minuscule. And if they are, you do what callthatgirl suggests, clear the forwards, then reset the password and for the love of all that is good and right in the world... set up MFA and enable phone sign on.
 
Your customer might not have had a breach but their customer might have.

Look for rules in outlook/owa. See if anything is being forwarded.

Is this 365 or godaddys own email? In 365 you can see the login history, run mail traces, etc.
Yeah, I told them it might be the customer who has been breached and that they should have their IT staff check it out. I checked settings in Outlook and didn't see any delegation or forwarding but that was looking at Outlook 2016 settings on his laptop, not OWA. It's his own domain e-mail. I assume GoDaddy will check login history as the customer probably doesn't know how. I don't know who maintains/supports their site; probably GoDaddy.
 
If they are on 365, log into office.com
open Outlook
Go to the settings area
look in the forwarding section.
you will see any outside emails in there
Microsoft has a new alert now tho that tells you when an outsider turns that on and tries to forward
I am embarrassed to admit that I don't know if they are on 365. They have MSO Pro 2016 installed on the laptop and I assume other computers. It's a small company but I have no idea how many staff are involved. I'll have to ask but I assume they are not on 365 or they would be on a more-current version of Office.
 
I'll have to ask but I assume they are not on 365 or they would be on a more-current version of Office.
Only if you get the plan with desktop apps. My customers were a mix. Couple just email only on basic, one with apps on standard, and one on business premium.

Also you can lookup their mail servers for their domain on a site like mxtoolbox and it can point you to who the email provider is, for reference.
 
I'd try to get a copy of the fraud email that was received by your customer's customer. It could be that it didn't actually originate from your customer - may have been spoofed. A little bit of scanning the email headers can help determine that.

I had one last year where the email was impersonated and there were lots of red flags in the headers, such that the receiving company (a medium sized CPA firm) should have never let it through.

Another one I was privy to had a domain name that looked just like the customer's but was one letter off.

You'll also want to change his password and set up two factor authentication.
Thanks. I did that and received one today, with headers. I pasted the header into Email Header Analyzer but I have no idea how to interpret the analysis. I'm not sure how much I can post here without revealing private info.

The domain name is correct in the sample I received. I advised him to immediately change his password and I think he said he had already done that. I'm not sure whether fraudulent e-mails continued after doing so and will have to ask. I forget whether he said he had 2FA enabled or not and will ask.
 
Need to examine the headers of the phishing emails to track the real source. Most likely it’s not a real breach just a clueless client that was tricked into revealing information and an invoice.
See my previous reply, where I mention that I have run the header through Email Header Analyzer. As mentioned, I don't know how much of the header I can share without violating private info.
 
Figuring out how the breach happened? Like almost all other breaches. Either they let someone remote/access their computer or they used, actually re-used, credentials. Have them go to https://haveibeenpwned.com/ to check email addresses.
Thanks for the link. It shows their address has not been pwned.

As far as email flow is concerned. The scammers don't need to monitor new emails. They can just setup the account and all IMAP/Exchange folders will appear.
Of course, thanks for reminding me.

My experience so far indicates that when the black hats want to start targeting they'll set up rules to move outbound emails, with the victim's address, to another folder like Spam, Junk, Drafts, RSS Feeds, etc. In other words, folders the EU is not normally looking at.
Sorry but you lost me there. The user (engineer) should monitor Spam, Junk, Drafts, RSS Feeds, etc. for unusual mail?

So they need to look at mail flow rules. Another thing they'll do is set up a copy rule to be alerted when the victim gets emails from the provider, like password resets.
I'm not sure where to look for mail flow rules as I don't use Outlook myself. Re. rule to be alerted when victim gets emails re. password reset: Who is they, the blackhat, customer or provider? Sorry, I must be thick today.

On the new password? It can't be anything close to what the old one is. And @Larry Sabo also be aware that your customer may not have been pwned. If none of the evidence mentioned above is present, it's entirely possible the other party may have been hacked and they're using forged headers. Since they're with GoDaddy they should be able to see recent login locations.
Yes, I mentioned that to them (that it may not be them). I did an offline scan with Kaspersky (which they also use) as well as Emsisoft Emergency Kit and neither found any malware. I'll update the thread when I have any info about what GoDaddy found.
 
Most of the time this happens because the person being scammed is being foolish, not the person being impersonated.

You need a sample of the mail in question, and I'm willing to bet it's a gmail address or some other free online email and not your customer's actual email address.
Not this time, based on the header of the sample I received.

People fix this crap by using a PHONE to call the individuals in question to find out if it's real or not. Too bad everyone South of 40 seems afraid of these evil things called phone calls... but that's what you do.
Agreed. Maybe we should go back to faxing, like the medical system here. LOL

Also, unless the person being impersonated is being monumentally silly (like not using MFA), the odds of them being compromised directly are minuscule. And if they are, you do what callthatgirl suggests, clear the forwards, then reset the password and for the love of all that is good and right in the world... set up MFA and enable phone sign on.
I'll have to verify that they have 2FA but I think so.
 