PCWorld Forums

Email Tampered Upon Arrival pdf content changed

#1 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 01:14 AM

Hi All

I need some expert advice.

We sent out an email with an attached invoice in pdf to a client. The pdf consists of bank-in details for the client to bank in.

Upon arrival, the pdf had clearly been tampered with: the bank-in details were changed to another bank.

Checking the recipient's email header, the mail was not sent by our mail server. This can be overcome by implementing SPF, but the more serious question is how the attacker could know we were sending this mail, spoof the original mail content and tamper with it.

It looks more like a hijacking case than a random spoof, phishing or spam case.

The recipient did not receive 2 emails, our legit mail and the fake one. They only received ONE fake mail. This indicates it was not someone logged into our acct who resent a tampered mail. The original mail just went missing.

What possible technique is being deployed here? And where should we start looking?

thanks
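As an added illustration (not code from the thread or from any of its posters), here is how the recipient side could answer astralliquid's two header questions: which host actually handed the message over, and whether the sender domain's SPF policy authorises that IP. Everything in it is constructed: the sample message, the `.invalid` domains, the documentation-range IPs, the trusted-relay list and the SPF record; no DNS is queried, and the evaluator only handles the `ip4`, `ip6` and `all` mechanisms (a real check resolves the TXT record and also supports `a`, `mx` and `include`).

```python
"""Trace a message's Received chain and check the last external hop against
the sender domain's SPF record.  Added example; nothing here is from the thread.
No DNS is used: the SPF record, the trusted relays and the sample message are
all constructed inline."""
import ipaddress
import re
from email import message_from_string

# Constructed sample: an invoice mail as it might land at the recipient.
# Every host, IP and domain below is a placeholder.
SAMPLE_RAW = """\
Received: from mta-in.example-recipient.invalid (mta-in.example-recipient.invalid [192.0.2.10])
    by mailstore.example-recipient.invalid with ESMTP id abc123
    for <client@example-recipient.invalid>; Thu, 19 Jan 2012 01:10:00 +0000
Received: from relay.attacker-side.invalid (unknown [198.51.100.77])
    by mta-in.example-recipient.invalid with SMTP id xyz789;
    Thu, 19 Jan 2012 01:09:55 +0000
From: accounts@example-sender.invalid
To: client@example-recipient.invalid
Subject: Invoice 4711

Please find the invoice attached.
"""

# Constructed SPF record for the sender domain (what a DNS TXT lookup would return).
SPF_RECORDS = {
    "example-sender.invalid": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# Hosts whose Received headers we trust: the recipient side's own relays.
TRUSTED_RELAYS = {"mta-in.example-recipient.invalid", "mailstore.example-recipient.invalid"}

_RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
_IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F:.]+)\]")


def received_hops(msg):
    """Return [(claimed_host, ip)] for each Received header, topmost first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        m = _RECEIVED_FROM.search(hdr)
        if not m:
            continue
        ip_m = _IP_IN_BRACKETS.search(m.group(2) or "")
        hops.append((m.group(1), ip_m.group(1) if ip_m else None))
    return hops


def originating_ip(msg, trusted):
    """IP of the first hop not operated by a trusted relay (the handoff point).

    Each relay prepends its own Received header, so walking top-down we skip
    our own relays and stop at the first header whose 'from' host is not ours."""
    for host, ip in received_hops(msg):
        if host.lower() not in trusted:
            return ip
    return None


def spf_check(record, ip):
    """Minimal SPF evaluator for ip4/ip6/all mechanisms (no DNS lookups).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the 'v=spf1' version token
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and value:
            # 'in' is False when address and network families differ
            if addr in ipaddress.ip_network(value, strict=False):
                return qualifiers[qual]
    return "none"  # no mechanism matched and no 'all' term


def assess(raw, spf_records=SPF_RECORDS, trusted=TRUSTED_RELAYS):
    """Who handed the message to us, and does the claimed sender domain
    authorise that IP?"""
    msg = message_from_string(raw)
    domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    ip = originating_ip(msg, trusted)
    result = spf_check(spf_records.get(domain, "v=spf1 ?all"), ip) if ip else "none"
    return {"sender_domain": domain, "originating_ip": ip, "spf": result}


if __name__ == "__main__":
    print(assess(SAMPLE_RAW))
```

Run against the constructed message, the handoff IP is the attacker-side relay and the sender domain's `-all` policy yields `fail`. That is exactly what SPF can and cannot do here: it lets the receiving server reject mail that did not come from the sender's authorised relays, but it says nothing about whether the bytes of the attached PDF are the ones the sender produced.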

#2 coastie65 (Moderator, Group: Moderators, Posts: 19,694, Joined: 02-April 07, Location: Henrico, Va.)

Posted 19 January 2012 - 06:20 AM

astralliquid, on 19 January 2012 - 01:14 AM, said: (post #1, quoted in full)


Hi and welcome to the forums. WOW!!!!! That is the first time I have heard of something like that. The only thing that I can think of is that the email was hijacked. If that was the case and it wasn't encrypted, then your banking information has been compromised. I would definitely keep an eye on any and all transactions on that account. There could have been a hijacker of some sort put into the computer, but more than likely a keylogger program, but that wouldn't explain what happened to the original email. The people on the other end of this did in fact spoof the original letter to divert funds, apparently. Phishing is an outright attempt at gleaning personal information and they hope you will provide it. In some cases it involves spoofing, in that the letterhead will have the actual registered trademark / logo of the bank / company on it. Those I report; others (which are most) I trash. They can be easily identified due to grammatical / spelling errors. As I said, this is the first I have heard of this kind of activity. It would seem that someone has been able to divert outgoing mail and switch it with something of their own. I would say that any and all information of this type should be encrypted before it is sent; as long as the recipient knows this, they will be able to decrypt it on their end as long as they know what was used (Windows has this ability).

#3 A41202813 (Expert, Group: Members, Posts: 1,085, Joined: 03-February 07, Location: LISBOA, PORTUGAL)

Posted 19 January 2012 - 08:48 AM

@astralliquid

Can You Tell Us The Original Mail Intended Sender And Recipient Services ?

EX: @GOOGLEMAIL.COM >>> @HOTMAIL.COM

---

This post has been edited by A41202813: 19 January 2012 - 08:50 AM


#4 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 09:35 AM

The sender mail server is from a typical web hosting provider. The recipient email is @yahoo.com.

With the cooperation of the client, we got his yahoo acct login and sent some mails to him, and waited in the yahoo. No mail arrived even after 3 hours.

Sending the same emails to another new@yahoo.com acct, they arrived instantly.

Our hosting provider also confirms no abnormal activity in their mail server, and the logs clearly show the mail was sent out to yahoo.com. They asked us to write to yahoo, but I doubt yahoo will entertain it.

So we are narrowing down to an isolated particular account of yahoo, but this is still not helping, and neither will any SPF implementation. SPF only deters sending from a fake server; it doesn't explain why mails to this yahoo acct never arrive.

Initially we thought the yahoo acct login was compromised: the attacker went in, saw the invoice, downloaded and deleted it, then modified the invoice and resent it out later. But the subsequent mails to the same yahoo acct never arriving, or arriving late, shows this is more than a manual job.

How do we take this up to yahoo?

#5 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 09:45 AM

@coastie65 it is clearly not a random phishing with fake writings case, because the original email content, subject title, cc list and pdf content are all the same. Only the part with the bank-in info inside the pdf was changed. The font type of that part is different from the other text in the pdf.

And really, the original mail was nowhere to be seen.

All our hosting provider can do is recommend SPF, which imo is not the essence of this problem.

We are now doubting all our emails to clients, especially new ones who do not know us well, although it is one yahoo email that is affected. If it can be done for one, it can be done for others.

How do we get yahoo to work with us on this?

#6 A41202813 (Expert, Group: Members, Posts: 1,085, Joined: 03-February 07, Location: LISBOA, PORTUGAL)

Posted 19 January 2012 - 09:46 AM

@astralliquid

Sorry For The Insistence, But Can You Tell Us The Sender Service ?

If You Can Not, Just Say So.

#7 LincolnSpector (Expert, Group: Members, Posts: 2,388, Joined: 16-October 06)

Posted 19 January 2012 - 10:04 AM

Hi, astralliquid, and welcome to the forums.

First, contact all parties, by phone if possible. This includes your client and, even more importantly, your bank. Discuss with them the possibility of changing your banking number ASAP.

Second, never, ever send this sort of information in an unencrypted email. An email is a postcard, not a letter. A whole bunch of people can read the contents if they want to. See Send Secure Info Over the Internet.

Lincoln

#8 A41202813 (Expert, Group: Members, Posts: 1,085, Joined: 03-February 07, Location: LISBOA, PORTUGAL)

Posted 19 January 2012 - 10:11 AM

Well, There Are, At Least, 2 Teams With 3 Suspects Each, In This Order:

Team A, The Team Of The Sender ( S ):

A1 - The ( S ) Computer ( With A Possible Client Mail Service ),

A2 - The ( S ) ISP,

A3 - The ( S ) Mail Service ( ? ).

Team B, The Team Of The Recipient ( R ):

B1 - The ( R ) Mail Service ( YAHOO ),

B2 - The ( R ) ISP,

B3 - The ( R ) Computer ( With A Possible Client Mail Service ).

Did I Forget Any Other Suspect?

#9 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 10:49 AM

@axx2183 yes, I do not wish to disclose the sender services. It's just one of the standard hosting providers with its own mail server.

@lincoln fortunately the client knew us, noticed the change and informed us. No transaction occurred.

Questions:
1. In your opinions, is this a problem on yahoo's side, or is it a sophisticated hijacking along the line through some known techniques?

2. What I want to know at this point is, is this do-able? Or common? (mail arrived late and just MIA for a few hours = hijacked and arrived from a different mail server), assuming it's not keylogging, the account hacked, and no SPF implemented.

3. How do we encrypt our pdf in future mails? Should the service provider provide this (auto encrypt with some server side software), or is it done from our own computer before emailing out? Please point me in some directions.

I will try to write to yahoo at security@yahoo-inc.com later.

thanks
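Lincoln's advice in #7 (never send this sort of information unprotected) and astralliquid's question 3 above (how to protect the pdf before it goes out) both come down to the recipient being able to tell whether the attachment they received is the one the sender produced. The following is an added example, not code from the thread or from any poster, and it shows the integrity half of that: the sender computes an HMAC-SHA256 tag over the exact attachment bytes with a secret agreed with the client out of band (by phone, as suggested in this thread), and the recipient recomputes it; the swapped bank details from the thread fail the check. The "PDF" is a constructed byte string and the key is a placeholder generated at run time. Confidentiality (so a reader in transit cannot see the bank details at all) needs S/MIME or PGP, whose signatures also give integrity; HMAC is used here only because it runs with the standard library alone.

```python
"""Detect tampering of an emailed PDF with an HMAC-SHA256 tag computed by the
sender and checked by the recipient.  Added example; not from the thread.
The 'PDF' is a constructed byte string and the key is a placeholder."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the invoice PDF.  A real PDF has the same property
# that matters here: any change to its bytes changes the digest.
ORIGINAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Invoice /Number 4711 >> endobj\n"
    b"2 0 obj (Pay to: Example Sender Ltd, Bank: Example Bank, Acct: 0000-0000) endobj\n"
    b"%%EOF\n"
)

# What the thread describes: the same document with only the bank details swapped.
TAMPERED_PDF = ORIGINAL_PDF.replace(
    b"Bank: Example Bank, Acct: 0000-0000",
    b"Bank: Other Bank, Acct: 9999-9999",
)

# Placeholder shared secret.  In practice it is agreed with the client out of
# band (phone, in person), never sent in the same e-mail as the attachment.
SHARED_KEY = secrets.token_bytes(32)


def attachment_tag(pdf_bytes, key):
    """Sender side: hex HMAC-SHA256 over the exact attachment bytes."""
    return hmac.new(key, pdf_bytes, hashlib.sha256).hexdigest()


def verify_attachment(pdf_bytes, tag, key):
    """Recipient side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(attachment_tag(pdf_bytes, key), tag)


def fingerprint(pdf_bytes):
    """Keyless alternative: a SHA-256 the sender can read out over the phone
    and the recipient compares against the file they actually received."""
    return hashlib.sha256(pdf_bytes).hexdigest()


def demo(key=SHARED_KEY):
    """Tag the original, then check both the original and the tampered copy."""
    tag = attachment_tag(ORIGINAL_PDF, key)
    return {
        "original_verifies": verify_attachment(ORIGINAL_PDF, tag, key),
        "tampered_verifies": verify_attachment(TAMPERED_PDF, tag, key),
        "fingerprints_differ": fingerprint(ORIGINAL_PDF) != fingerprint(TAMPERED_PDF),
    }


if __name__ == "__main__":
    print(demo())
```

The tag (or the fingerprint) has to travel over a channel the attacker does not control; if it goes in the same mail as the PDF, whoever replaced the PDF can replace the tag too. That is the reason the shared key, or the read-out digest, is exchanged by phone rather than by e-mail.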

#10 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 10:50 AM

@lincoln oh sorry, I just noticed the link you sent.. thanks

#11 A41202813 (Expert, Group: Members, Posts: 1,085, Joined: 03-February 07, Location: LISBOA, PORTUGAL)

Posted 19 January 2012 - 11:21 AM

@astralliquid

Why Are You So Tempted To Point Fingers At YAHOO ?

Did YAHOO Ever Do This Kind Of Thing In The Past?

#12 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 12:13 PM

I don't know; that's why I am here to ask where to start. The provider asked us to check with yahoo because that's the affected account.

If you think it is not a yahoo problem, then where do you propose I should check to resolve this?

Sorry for the lowercase.. typing from mobile..

#13 astralliquid (Newbie, Group: New Member, Posts: 7, Joined: 19-January 12)

Posted 19 January 2012 - 12:24 PM

You have listed all the possible parties, but I'm not sure contacting the ISP would help. The most probable contactable party is the recipient mail server.

I'm here to get some opinion on whether such hijacking is possible, and not to tarnish yahoo's image as you might have implied.

#14 A41202813 (Expert, Group: Members, Posts: 1,085, Joined: 03-February 07, Location: LISBOA, PORTUGAL)

Posted 19 January 2012 - 12:41 PM

@astralliquid

Forget The Case, I Am Guilty Of That Myself.

As Was Pointed Out Earlier, This Is Very Weird.

YAHOO Is An Established Service For Many Years, With Premium Accounts, And If The Problem Were Theirs, This Would Really Not Be Good For Them.

If This Happened To You, It Can Also Happen To Everybody Else - If And When You Find Out What Really Happened, Please, Post The Culprit In This Thread, Because These Forums Serve As A Future Reference For Anybody With Similar Problems.

Good Luck.

#15 coastie65 (Moderator, Group: Moderators, Posts: 19,694, Joined: 02-April 07, Location: Henrico, Va.)

Posted 19 January 2012 - 02:40 PM

What I find particularly interesting is the fact that the information was intercepted, the banking info changed, and then it continued on. That having been said, if this is the case, then when it was forwarded on to the recipient, there would be an IP address other than that of the company that sent it originally. Unfortunately this can come up with nothing, as they tend to be behind proxies in a lot of cases. It is imperative that you change the bank account number though, as it has apparently been compromised.

#16 A41202813 (Expert, Group: Members, Posts: 1,085, Joined: 03-February 07, Location: LISBOA, PORTUGAL)

Posted 03 February 2012 - 10:17 AM

@astralliquid

This Article Was Written Today.

See If It Makes Any Sense To Your Situation.

http://www.pcworld.c...n_tell_you.html