Scammed by a Hacked email account


Author
Discussion

NDA

21,632 posts

226 months

Wednesday 16th January 2019
Du1point8 said:
I get emails from <myname>@<mycompany>.co.uk

However, if you do a reply on them it will not be my email at all.

Is it possible to explain how this works? I really don't understand how the return address and the from address can be hacked.

As you can tell, I am not an IT expert. smile

Teddy Lop

8,301 posts

68 months

Wednesday 16th January 2019
siremoon said:
hkp57 said:
We already checked and the email with instructions to me did come from the builder's email address but from an IP address in Slough.
Possible but more probable is that it didn't come from the builder's email account at all and the true sender of the email faked the sender address as unfortunately that is not very difficult to do. That means you cannot rely on the sender address to confirm definitively the origin of an email. I hope you get this resolved but a lesson for the future is never act on account change information received by email without checking with the supposed originator that they did in fact send it.
There have been a number of cases in the last couple of years of scammers doing exactly that - hacking an account and simply sitting and monitoring it for an opportunity such as this. Obviously a builder's email account is a top prize but it can also be done with a hacked client's email account.

I think the number of hacked email accounts is a lot more than many realise; I've had phishing/viral/scam emails from a good number of my clients' personal emails, obviously I'm on their contacts list.

And I still do paper invoicing ftw.


Dammit

3,790 posts

209 months

Thursday 17th January 2019
Microsoft removed the password entry limit from O365 around 12 months ago, which means you can brute force MSFT accounts very easily.

2FA can be circumvented by using a different MUA - O365 will skip 2FA if it thinks that an app is connecting to it for e.g.

I'd put money on the builder's account being compromised; the bad-actor will be logging into said account regularly.

They'll either have sent the account change email from the genuine account, then deleted it from the sent-box, or they'll have simply spoofed the 5322.From using their own MTA.

This type of attack is a problem as they can be literally identical to a legitimate business email, and therefore AI, machine learning and big-data are all, unless the bad-actor is an idiot (which is not actually unusual I have to say), ineffective.

The builder needs to ensure that there are no rules configured in his inbox, that his password reset mechanism is correct and not going to another compromised account, and then change his passwords, after ensuring that his phone and laptop are free of RATs, key-loggers etc. It's likely they'll need to pay someone to help them with this lot.

They should really use DMARC to secure their sending domain, but that's also complex and, if they lock the crooks out of their account in the first place, probably not needed.

Jinba Ittai

563 posts

92 months

Thursday 17th January 2019
I very nearly got scammed at work when a supplier's email was hacked. I'd been waiting for an invoice from the supplier, which hadn't appeared, phoned them to chase it up, and they emailed it on the Monday; I was then on leave until Thursday. On Tuesday I picked up an email from them (or not) asking to pay into a different account as they were having problems with online banking with the account details we held. Email was sent from their account, etc etc. All seemed legit so I emailed back to say I'd do it on Thursday when I returned. I wouldn't have given it a second thought, but on Wednesday they emailed to say "just checking you're still okay to settle on Thursday?", which set an alarm bell ringing in my head. Why would they suddenly need to chase this when I was the one who'd prompted them to send the invoice in the first place? So I phoned them and sure enough, it was a scam. Their greed was their undoing, because I'm embarrassed to say if it hadn't been for that last email, I would have paid it on the Thursday.

Lesson learned!!!

Edited by Jinba Ittai on Thursday 17th January 19:29

Escapegoat

5,135 posts

136 months

Thursday 17th January 2019
Dammit said:
Microsoft removed the password entry limit from O365 around 12 months ago, which means you can brute force MSFT accounts very easily.

2FA can be circumvented by using a different MUA - O365 will skip 2FA if it thinks that an app is connecting to it for e.g.

I'd put money on the builder's account being compromised; the bad-actor will be logging into said account regularly.

They'll either have sent the account change email from the genuine account, then deleted it from the sent-box, or they'll have simply spoofed the 5322.From using their own MTA.

This type of attack is a problem as they can be literally identical to a legitimate business email, and therefore AI, machine learning and big-data are all, unless the bad-actor is an idiot (which is not actually unusual I have to say), ineffective.

The builder needs to ensure that there are no rules configured in his inbox, that his password reset mechanism is correct and not going to another compromised account, and then change his passwords, after ensuring that his phone and laptop are free of RATs, key-loggers etc. It's likely they'll need to pay someone to help them with this lot.

They should really use DMARC to secure their sending domain, but that's also complex and, if they lock the crooks out of their account in the first place, probably not needed.
Once again, this is very interesting, but totally irrelevant to stopping the scam. It's the receiver of these emails that needs to change their procedures and engage some common sense.

The more we talk about TFA, keyloggers and other tech BS, the more muddy the conversation gets.

manic47

735 posts

166 months

Thursday 17th January 2019
Dammit said:
Microsoft removed the password entry limit from O365 around 12 months ago, which means you can brute force MSFT accounts very easily.
Isn't Azure Password Protection now on by default?
It's in public preview but should work fine in O365 AFAIK.



Heres Johnny

7,239 posts

125 months

Thursday 17th January 2019
Escapegoat said:
Once again, this is very interesting, but totally irrelevant to stopping the scam. It's the receiver of these emails that needs to change their procedures and engage some common sense.

The more we talk about TFA, keyloggers and other tech BS, the more muddy the conversation gets.
This...

And this again...

I can send anybody an email and pretend it to be Elvis, Donald Trump or anyone else, because when you send an email the system just attaches whatever reply email address you ask it to, I can also put whatever "from" name on it I want to.

If anybody asks you to change bank details then if alarm bells aren't ringing loudly after all the stories like this then they should be.

The best story I heard when I used to investigate this sort of thing was where a finance clerk knew the CFO hadn't sent her the email telling her to urgently transfer 100k to a bogus bank account was because the fictitious email ended with "Thanks"... and he never did that.

The Don of Croy

6,002 posts

160 months

Thursday 17th January 2019
matjk said:
Banks should implement the name checking immediately. Also banks could offer two types of transfer: a free one that clearly states "if you get scammed it's down to you, we do absolutely no checking at all, we simply shift the cash", or one with extended liability where you get a bit more protection but the bank does a bit of due diligence, checks out the bank it's being paid to, checks the person's/business's name and charges for this service. It's madness that £££ is simply transferred on the strength of a few numbers.
On an individual level it seems absurd that 'anyone' can request a fraudulent payment...and then receive funds via BACS or similar and no comebacks.

Except that's the price of these freedoms - not everybody plays by the rules. We are constantly evolving payment types (mostly for 'convenience') that allow quicker, less hands-on transactions, thereby opening up the potential for more money to change hands.

Simply put the number of legit transfers is so large that the fraudulent stuff is 'a price worth paying' to enable the economics to continue. Might not be 'right' but it is the prevailing system. A quick perusal of credit card history and the shortcomings it introduced against the enormous 'freedoms' it unleashed illustrates the general idea.

Or I could be completely wrong and talking out of my hat. Again.

Heres Johnny

7,239 posts

125 months

Thursday 17th January 2019
The bank accounts are often staging ones: the money gets transferred in, and then out by Western Union transfer, which is (or at least was) near impossible to trace. By the time the account is investigated, the banks requiring police crime numbers etc., the money has long gone and the account holder is sitting there with no cash in the bank, as they fell for some stupid scam themselves ("I'm a company in country X doing business in the UK, if you let us use your bank account you can keep 1%, it's no risk, the money will be cleared funds in your bank account, you just need to send it to us"). Tackle WU transfers and put maybe a 4 day window on those, or ban them altogether except with additional security controls, and it would slow a few people down.

Funk

26,303 posts

210 months

Thursday 17th January 2019
Heres Johnny said:
Escapegoat said:
Once again, this is very interesting, but totally irrelevant to stopping the scam. It's the receiver of these emails that needs to change their procedures and engage some common sense.

The more we talk about TFA, keyloggers and other tech BS, the more muddy the conversation gets.
This...

And this again...

I can send anybody an email and pretend it to be Elvis, Donald Trump or anyone else, because when you send an email the system just attaches whatever reply email address you ask it to, I can also put whatever "from" name on it I want to.

If anybody asks you to change bank details then if alarm bells aren't ringing loudly after all the stories like this then they should be.

The best story I heard when I used to investigate this sort of thing was where a finance clerk knew the CFO hadn't sent her the email telling her to urgently transfer 100k to a bogus bank account was because the fictitious email ended with "Thanks"... and he never did that.
Interestingly that's exactly the type of thing Sentinel picks up on - by analysing previous emails and noting that 'x' sender never signs off with 'y' etc. It's not perfect but it's better than nothing.

Both sides are right - securing accounts AND educating end-users to be more suspicious (especially where transfers of funds are involved) is the way to mitigate against these types of scams.

Durzel

12,285 posts

169 months

Thursday 17th January 2019
The problem with email in general really is that efforts like DMARC, SPF, DKIM, etc really only work to imbue messages with more technical credibility, they don't actually protect anyone against what is actually in them, and even then you can't really set them to be aggressive because chances are almost everyone who emails you isn't going to be adhering to the same standards, implementing them properly or at all.

So what happens is that all of this stuff is set to "soft fail" so that stuff doesn't get blocked at the mail server and people still get their emails.

And then there is also the issue that in some cases these systems would actually validate phishing emails, because they check that they have been sent by the correct servers etc. So if someone hacks your email account, logs into your webmail and sends emails DMARC, SPF, DKIM et al would happily report that the email is safe because it came from the server that was authorised to send it, etc.

Email fundamentally should not be considered trustworthy.

Dammit

3,790 posts

209 months

Thursday 17th January 2019
Escapegoat said:
Once again, this is very interesting, but totally irrelevant to stopping the scam. It's the receiver of these emails that needs to change their procedures and engage some common sense.

The more we talk about TFA, keyloggers and other tech BS, the more muddy the conversation gets.
I totally disagree. Responsibilities are on both parties, and the providers of the infrastructure.

The OP is liable for this scam - unless his bank takes pity on him he'll have to pay the builder (effectively) twice.

If the builder doesn’t change his practices this will happen again and again, and each time it will be the victim who loses his or her money.

crofty1984

15,878 posts

205 months

Thursday 17th January 2019
We had this at my last job. Someone was using what looked like my email address to our agent for some equipment. Our agent paid, we saw no money. Felt a bit violated really.

tony wright

1,004 posts

251 months

Thursday 17th January 2019
Dammit said:
If the builder doesn’t change his practices this will happen again and again, and each time it will be the victim who loses his or her money.
Not a bad little sideline if the builder turned out to be the scammer. Getting paid double for every job would ensure future work, as he could undercut all other local builders in the knowledge he will be getting paid twice as much as his quote.

Escapegoat

5,135 posts

136 months

Thursday 17th January 2019
Dammit said:
I totally disagree. Responsibilities are on both parties, and the providers of the infrastructure.

The OP is liable for this scam - unless his bank takes pity on him he'll have to pay the builder (effectively) twice.

If the builder doesn’t change his practices this will happen again and again, and each time it will be the victim who loses his or her money.
The more tech you (the IT industry and its interested parties) throw at security, the worse it gets. Two things happen:
  1. It gets far more difficult to install/maintain/train
  2. People - techs, bankers, consumers - think it must be secure, and fail in using their common sense
So, now it's more likely that the recipient will fall for a scam because it 'looks right' and it's been through all your extra security tech. This is not rocket science, it's basic human behaviour.

If banks start to compensate for the senders' errors, we all pay (moral hazard).

Tall_Paul

1,915 posts

228 months

Thursday 17th January 2019
I can almost guarantee this is what happened:

Builder would have gotten an email asking him to log in to his email account for one of a few possible reasons (releasing emails, verify account, or something along those lines); this would have been a fake email, and on entering his account details his account has now been phished. With account access the 'hacker' trawls through sent emails, looks for previous invoices, alters the email/invoice with new bank details, and sets up a rule to delete any emails which would alert the builder to the fact his account has been compromised.

Customer gets new invoice with new bank details, from the builder's email address. Fails to confirm with builder via another method of contact that he has in fact changed bank details before sending payment.

'Hacker' receives money.

Both builder and customer are at fault, builder for trusting a dodgy email, and not having enough account security, and customer for not checking before sending payment to an unknown bank.

I deal with this sort of thing every day working in IT, and it's not going away any time soon. Some of the phishing emails are terrible, but some are very very clever and take a minute or so to work out if they're genuine or dodgy. Still - it's common sense, anyone saying please use my new bank account for this payment should raise alarm bells.

Edit: and not forgetting that the builder's account would have also been used to send the new phishing emails to other people, hence continuing the loop.

Edited by Tall_Paul on Thursday 17th January 14:34

Heres Johnny

7,239 posts

125 months

Thursday 17th January 2019
Dammit said:
I totally disagree. Responsibilities are on both parties, and the providers of the infrastructure.

The OP is liable for this scam - unless his bank takes pity on him he'll have to pay the builder (effectively) twice.

If the builder doesn’t change his practices this will happen again and again, and each time it will be the victim who loses his or her money.
You're failing to acknowledge that this scam can work without the builder having any knowledge or involvement or be compromised.

Here's a couple of ways:

- you know the person having the work done, you see the builder's van, you find out the builder's name through legitimate means, you send an email to the person you know to use different bank details, you drop lucky, low hit rate, but far from impossible.
- the recipient has been hacked themselves, the hacker sees the builder's email come in, spoofs a new one asking to change details. No involvement on the builder's side at all.

With current technology, the recipient has to do their homework. Yes the builder needs to protect what they're doing, but do you think the HMRC emails you get asking you to pay a fine or whatever have anything to do with the HMRC being hacked? It's the same here, the builder can just close down one of the avenues for this to happen.

And on a lighter note, the OP should have known it was a scam as every builder I've known wants paying in cash...

Dammit

3,790 posts

209 months

Thursday 17th January 2019
I was the technical lead on the HMRC DMARC project, funnily enough. You can't receive spoofed emails from their domains if you have a decent provider.

Anyway - there's always going to be "maybe this, maybe that", and I agree the OP should check to see if they are compromised, but that's as well as, rather than instead of. Also, FWIW, in the majority of cases that our threat analysts see, it's the originator that is compromised.

otolith

56,266 posts

205 months

Thursday 17th January 2019
NDA said:
Du1point8 said:
I get emails from <myname>@<mycompany>.co.uk

However, if you do a reply on them it will not be my email at all.

Is it possible to explain how this works? I really don't understand how the return address and the from address can be hacked.

As you can tell, I am not an IT expert. smile
I can write a little program that does something like this;



And it will send. They're just headers in the message. I could put your email address in the From field, or Theresa May's or Elon Musk's. It's not validated.

If your email service provider is on the ball, it may do a reverse DNS lookup on my IP address, determine that it does not belong to heaven.com and block the email, but that's not mandatory.
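The receiving-side checks the thread keeps coming back to, as an added example (not code from any poster, and not the program otolith describes). It takes raw messages and flags the signs Du1point8 and otolith describe (a Reply-To pointing somewhere other than the From address, a display name that looks like one address while the real address is another) and reads the Authentication-Results header that an SPF/DKIM/DMARC-aware provider stamps on incoming mail. It also flags "new bank details" language in the body, because, as Durzel points out, a message sent from a genuinely compromised account passes every header check and only the out-of-band phone call catches it. The messages, addresses and domains below are constructed for the example.

```python
"""Receiving-side checks for the spoofed / hijacked sender pattern.

Added example, not from the forum thread. Sample messages, addresses and
domains are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results.
    Returns {} when the header is missing; callers treat missing as 'none'."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I)}


def check_message(raw: str) -> list:
    """Return a list of warning strings for one raw RFC 5322 message (empty = nothing flagged)."""
    msg = message_from_string(raw)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Replies go to Reply-To, not From: a different domain is the
    #    'From looks like the builder, replies reach the scammer' setup.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        warnings.append(f"Reply-To domain {_domain(reply_addr)!r} differs "
                        f"from From domain {_domain(from_addr)!r}")

    # 2. Display name that is itself an address at a different domain, e.g.
    #    From: "bob@example-builder.co.uk" <someone@example-freemail.net>
    lookalike = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if lookalike and _domain(lookalike.group(0)) != _domain(from_addr):
        warnings.append(f"display name shows {lookalike.group(0)!r} but the "
                        f"real address is {from_addr!r}")

    # 3. SPF / DKIM / DMARC verdicts as recorded by the receiving server.
    #    Note: a hijacked account passes all three, so 'pass' proves little.
    results = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "none")
        if verdict != "pass":
            warnings.append(f"{mech} verdict is {verdict!r}, not 'pass'")

    # 4. Payment-redirection language in the body: the request the whole
    #    thread says must be confirmed by phone regardless of the headers.
    body = "" if msg.is_multipart() else str(msg.get_payload())
    if re.search(r"\b(new|different|changed?)\b.{0,40}\b(bank|account) details", body, re.I):
        warnings.append("body asks for payment to new bank details: confirm out of band")
    return warnings


# --- constructed samples ---------------------------------------------------
# Forged From with a Reply-To elsewhere; the receiving server recorded failures.
SPOOFED = """\
From: Bob the Builder <bob@example-builder.co.uk>
Reply-To: bob.builder.invoices@example-freemail.net
To: customer@example.com
Subject: Updated bank details for invoice 1042
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-builder.co.uk; dkim=none; dmarc=fail
Content-Type: text/plain

Hi, we are having problems with online banking. Please use the new bank details below.
"""

# Sent from the real (hijacked) account: every verdict passes, only the body is odd.
HIJACKED = """\
From: Bob the Builder <bob@example-builder.co.uk>
To: customer@example.com
Subject: Re: Invoice 1042
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-builder.co.uk; dkim=pass header.d=example-builder.co.uk; dmarc=pass
Content-Type: text/plain

Please pay this invoice to our different bank account details attached.
"""

BENIGN = """\
From: Bob the Builder <bob@example-builder.co.uk>
To: customer@example.com
Subject: Monday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-builder.co.uk; dkim=pass header.d=example-builder.co.uk; dmarc=pass
Content-Type: text/plain

Hi, just confirming we will be on site Monday at 8.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("hijacked", HIJACKED), ("benign", BENIGN)):
        print(label, check_message(raw) or ["no flags"])
```

The hijacked sample is the important one: it passes SPF, DKIM and DMARC and only the body check fires, which is the thread's point that the authentication stack vouches for the server, not for the person typing. Treat the output as a prompt to phone the supplier on a number you already hold, not as a verdict.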