Hacker email cloning issue

Recently a client was the subject of a security breach where an email instructing a payment be made to a supplier, sent from a staff member on a home laptop to an office computer, was intercepted, cloned and re-sent as a follow-up email saying that the first email had incorrect bank account details but here are the new ones etc. etc.  Unfortunately payment was made and a substantial amount of money sent to fraudsters inadvertently.

Once the crime came to light, we acted quickly, as follows:

1. All computers had their hard drives removed and scanned via an uninfected computer. One computer was found to be infected with a serious virus. This computer was scrapped and a new system installed in its place. Several computers had low-threat viruses; these were cleaned and the hard drives re-installed.

2. A more secure router was installed to replace the ISP's generic one.

3. The passwords on all mailboxes were changed to random ones, generated using a secure password generator - they are all essentially random strings of punctuation symbols, dual-case letters and numbers.

After all this, cloned emails are still occasionally arriving to try and trap the unwary and we're at a loss as to how the perpetrators are intercepting the emails - does anyone have any suggestions?
frasierphilips asked:

LBTechSol, Operations Director, commented:
Intercepting mail in transit is not the usual way that this happens; I find that the following happens more often:

1) Spoofed email address (pretends to be from the person internally but the domain name is slightly different)
2) Compromised account (users give out email addresses and passwords)

For the spoofed email addresses the best way forward is user education: ensure that they review who mail comes from and never click links unless they are expected and/or confirmed. If you have a file shared by Dropbox from an internal employee but it is not a business tool... don't open it! For compromised accounts I would again educate users on how and when passwords are requested by 3rd party tools; pages may look like your email server (or 365) but this does not mean that they are, etc.

- Look into tools like OpenDNS (Umbrella); this will kill known bad links and prevent users opening web pages that are not trusted
- MFA on email, ensure that MFA is enabled for external access to emails, this is free from within 365 and very easy to implement and should be available with other services.
- AV Web protection, ensure this is configured with some default settings to block pages that are known bad
- Email Spam Filtering, turn this on, increase the settings and implement warnings for mails that seem to originate outside of the business
- Email Relay, make sure that you do not have an open relay allowing people to send email from a server you manage.
- Edge Firewall - Ensure you have an enterprise tool with IPS/IDS/DLP etc... and ensure this is configured to protect your network

If you have headers available I would review these to see where your emails originated from (inside the network or out); this will help you highlight where your security let you down on this occasion. If this is a compromised account, ensure you check the Rules within Outlook as they may still be forwarding all emails on to an external email address, or you will find rules that move mail directly to the deleted items (when someone responds "Are you sure?" the real user will never actually see this).

For user Education there are tools out there like Sophos Phishing Tool kit, you can get a trial of this and test your user estate and where possible run a rolling campaign all year testing your employees and providing training when they fail the tests.

So... there is not a single fix here:
- Locate the source of the breach
- Patch/Secure/Train and re-test
- Education, users are the weak point in +90% of cases

Remember the more security layers your business has the harder it is for an attacker to penetrate, but they only need 1 hole and they are in.
0
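The mailbox-rule check in the answer above (forwarding to an outside address, moving replies straight to Deleted Items) is easy to turn into a routine audit once the rules are exported. The script below is an added example, not the poster's code or any vendor's tool: it runs over constructed rule records in a generic export shape (the field names `forward_to`, `redirect_to`, `move_to_folder`, `delete_message` and `subject_contains` are an assumption) and reports every rule that matches the patterns described. The domain list and keyword list are also assumptions to be replaced with your own.

```python
"""Audit a mailbox's inbox rules for the patterns described above:
rules that forward or redirect mail to an address outside the business,
and rules that quietly move or delete incoming mail so the real user never
sees it. The rules below are CONSTRUCTED sample records in a generic
export shape (field names are an assumption, not any vendor's schema)."""

# Assumption: the business's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example.co.uk"}

# Folders a legitimate rule rarely targets for mail from the outside world.
HIDING_FOLDERS = {"deleted items", "junk e-mail", "rss feeds", "conversation history"}

# Subject keywords a payment-fraud rule would filter on (constructed list).
SENSITIVE_KEYWORDS = {"bank", "payment", "invoice", "are you sure"}

SAMPLE_RULES = [  # constructed sample data
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "forward_to": [], "redirect_to": [], "move_to_folder": "Newsletters",
     "delete_message": False},
    {"name": ".", "subject_contains": ["bank", "payment", "are you sure"],
     "forward_to": ["relay.box@webmail.example.net"], "redirect_to": [],
     "move_to_folder": None, "delete_message": True},
    {"name": "Archive invoices", "subject_contains": ["invoice"],
     "forward_to": [], "redirect_to": [], "move_to_folder": "Deleted Items",
     "delete_message": False},
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in internal_domains


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per suspicious rule: {"rule": name, "reasons": [...]}."""
    findings = []
    for rule in rules:
        reasons = []
        for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
            if is_external(target, internal_domains):
                reasons.append("forwards/redirects to external address " + target)
        if rule.get("delete_message"):
            reasons.append("deletes incoming messages")
        folder = (rule.get("move_to_folder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append("moves messages to " + rule["move_to_folder"])
        keywords = {k.lower() for k in rule.get("subject_contains", [])}
        hits = sorted(keywords & SENSITIVE_KEYWORDS)
        # Keyword filtering alone is normal; combined with hiding or
        # forwarding it is the classic fraud rule, so report it only then.
        if hits and reasons:
            reasons.append("filters on sensitive subject words: " + ", ".join(hits))
        # A rule named with a single character is a common way of making it
        # easy to overlook in the rules list.
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is empty or a single character")
        if reasons:
            findings.append({"rule": rule.get("name", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["rule"] or "(unnamed)", "->", "; ".join(finding["reasons"]))
```

Run it against a real export by replacing `SAMPLE_RULES` with the mailbox's rules in the same shape; the point of the combined keyword check is that a rule which both filters on payment-related subjects and hides or forwards the mail is exactly what lets a follow-up "are you sure?" reply disappear before the real user sees it.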
 
btan, Exec Consultant, commented:
1. It is strange the AV on your machine did not catch the virus. Update the signature and do another thorough scan, and best to rebuild all infected or suspected-to-be-infected machines. Include all the portable external media like USB drives to be scanned and reformatted to err on the safe side. It may be good to keep the cloned HDD of the infected machine and have the virus (file) sent to VirusTotal for scanning too. If there is a connection to any file server, also inspect those servers for traces of the virus...

2. The default password is the weakness that attackers exploit. Change to a strong password and if possible, do not even expose the administrative login to the internet. All remote admin access should be via VPN and 2FA supported (not userid/password only). Check the device configuration, esp. the DNS setting, as it may be pointing to some foreign server that can control, hijack and intercept your device traffic by returning an A record to route through a compromised or attacker-controlled system.

3. The mail server-to-server connection may not be encrypted (RSA/ECC) or authenticated (TLS), hence susceptible to man-in-the-middle interception. It is best the email enforces the use of SPF, DKIM and DMARC so that spoofed senders and validated domains are inspected for all email.
0
 
Tom Cieslik, IT Engineer, commented:
Open the email you are talking about and analyze the header. Check who was the sender of this email. If this was your internal account, you must change the password for this account and investigate the user's computer. If the user is using a smartphone to check emails, also check the smartphone and maybe the home computer.
If you have Exchange, turn on authentication logging so you can see what account was used. Sometimes the email header is telling that mail was sent from user X but if you dig deeper, you'll see that another account was authenticated.
0
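Pulling the facts out of a suspect message's headers, as the last two replies suggest (where it entered, who the sender really is, whether the domain is a near-miss of yours, and what SPF/DKIM/DMARC said), is a few lines of Python. This is an added example, not code from the posters; the message is constructed, with documentation IP ranges and example domains, and `OUR_DOMAINS` is an assumption standing in for the business's real domains.

```python
"""Read the headers of a suspect message: walk the Received chain to see
where it entered, compare From / Return-Path / Reply-To domains, check for a
lookalike of our own domain, and read the SPF/DKIM/DMARC verdicts the
receiving server recorded. The message below is CONSTRUCTED; hosts,
addresses and IPs are documentation/example values."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

OUR_DOMAINS = {"example.co.uk"}  # assumption: the business's own domains

RAW_MESSAGE = b"""Return-Path: <accounts@examp1e.co.uk>
Received: from mx1.mailhost.example (mx1.mailhost.example [203.0.113.10]) by mail.example.co.uk with ESMTPS; Tue, 12 Mar 2019 09:12:03 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23]) by mx1.mailhost.example with ESMTPA id 4Kx9; Tue, 12 Mar 2019 09:11:58 +0000
Authentication-Results: mail.example.co.uk; spf=fail smtp.mailfrom=examp1e.co.uk; dkim=none; dmarc=fail header.from=examp1e.co.uk
From: "Accounts" <accounts@examp1e.co.uk>
Reply-To: <accounts.payments@webmail.example.net>
To: finance@example.co.uk
Subject: Re: Supplier payment - updated bank details
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please note the corrected account details for the payment discussed earlier.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot 'slightly different' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the first address in a header (empty if none)."""
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def received_hops(msg):
    """Host named in 'from ...' of each Received header, nearest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(value).strip(), re.IGNORECASE)
        hops.append(m.group(1) if m else "?")
    return hops


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results."""
    text = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", text)}


def analyse(raw, our_domains=OUR_DOMAINS):
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    # A domain within two edits of ours, but not ours, is a lookalike.
    lookalike = next((d for d in our_domains if 0 < edit_distance(from_domain, d) <= 2), None)
    hops = received_hops(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": reply_domain != from_domain,
        "lookalike_of": lookalike,
        "hops": hops,
        "origin": hops[-1] if hops else None,  # bottom Received header = first hop
        "auth": auth_results(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key:20} {value}")
```

Received headers are prepended by each server, so the bottom one is the first hop; only the ones added by servers you trust are reliable, since an attacker controls everything below their own hop. In the constructed message the From domain is one character off the real one, the Reply-To points somewhere else entirely, and the receiving server's own Authentication-Results line records SPF and DMARC failures: each of these on its own is reason to phone the supplier rather than pay.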
frasierphilips (Author) commented:
Done all that - each comes from a generic IP address which isn't associated with an obvious ISP.  Also had 1and1 (our hosting company) look at the source of a couple of emails and they're definitely not from within their system.
0
 
frasierphilips (Author) commented:
@btan - can a "man in the middle attack" occur on the internet or is it just a LAN-related issue?  How are data packets trapped once they're onto the internet, surely each goes via the quickest route available at the time of transmission?
0
 
btan, Exec Consultant, commented:
MitM can occur on the internet, e.g. SSL strip, hence the demand for EV SSL certificates and enforcing HSTS.
Instead of the victim connecting directly to a website, the victim would connect to the attacker, and the attacker would initiate the connection back to the website. This attack is known as a Man-in-the-Middle attack.

The magic of SSLStrip was that whenever it would spot a link to a HTTPS webpage on an unencrypted HTTP connection, it would replace the HTTPS with HTTP and sit in the middle to intercept the connection. The interceptor would make the encrypted connection back to the web server in HTTPS, and serve the traffic back to the site visitor unencrypted (logging any interesting passwords or credit card information in the process).

In response, a protocol called HTTP Strict Transport Security (HSTS) was created in 2012 and specified in RFC 6797. The protocol works by the server responding with a special header called Strict-Transport-Security which contains a response telling the client that whenever they reconnect to the site, they must use HTTPS. This response contains a "max-age" field which defines how long this rule should last for since it was last seen.
https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-english-primer/
0
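The HSTS behaviour quoted above (server sends `Strict-Transport-Security` with a `max-age`, the client then refuses plain HTTP to that host until the rule expires) can be modelled in a few dozen lines. This is an added example, not part of the reply or the Cloudflare article it quotes: a small client-side policy store with constructed header values and host names, showing why the protection only exists after a first clean HTTPS visit and why it lapses when `max-age` runs out.

```python
"""A minimal client-side HSTS policy store: parse the header, remember the
rule with its expiry, and upgrade later http:// URLs for that host (and,
with includeSubDomains, its subdomains) while the rule is in force.
Header values and hosts below are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {max_age, include_subdomains};
    return None when the header is malformed (no usable max-age)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}


class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host, header_value, now):
        """Record the rule seen on an HTTPS response; max-age=0 removes it."""
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def must_use_https(self, host, now):
        """True if an unexpired rule covers this host or a parent with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # rule has lapsed; the client is unprotected again
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when a rule requires it."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://bank.example/login", now=1000))   # no rule yet: stays http
    store.remember("bank.example", "max-age=31536000; includeSubDomains", now=1000)
    print(store.rewrite("http://bank.example/login", now=2000))   # upgraded
    print(store.rewrite("http://www.bank.example/", now=2000))    # subdomain upgraded too
```

The first `rewrite` call is the window an SSL-stripping attacker needs: until the browser has seen the header over a genuine HTTPS connection, it has no reason to refuse the plain-HTTP version. Preload lists exist to close that first-visit gap, and a long `max-age` keeps the rule from lapsing between visits.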
 
frasierphilips (Author) commented:
How is the transmission hijacked in the first place?  Does the hacker need to amend settings on the user PC?
0
 
btan, Exec Consultant, commented:
It is opportunistic. The attacker needs to listen for an attempt to make an HTTPS connection and, before it is established, strip it off to downgrade into HTTP. Another means is to brute force into the router and have the A record point to the attacker's machine; traffic will then route through it.
0
 
frasierphilips (Author) commented:
So do they listen on the IP address of the broadband connection at the user's end?
0
 
btan, Exec Consultant, commented:
Not exactly. Instead, more often, they would do reconnaissance of the service ports of routers, modems etc. (as some examples) and check if they are vulnerable...
According to Shodan search, around 41 Million devices leave port 7547 open, while about 5 Million expose TR-064 services to the outside world.

According to an advisory published by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploit code every 5-10 minutes for each target IP.
https://www.wordfence.com/blog/2017/04/check-your-router/

Other vulnerabilities can be exposed to attacker interest.

https://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/
0
 
serialband commented:
What are you using as your mail server?  Can you turn on 2 factor authentication?
0
 
frasierphilips (Author) commented:
@serialband we're using a 1and1 mail server hosted on the internet.
0
 
LBTechSol, Operations Director, commented:
The free email solutions out there like 1and1 are good free options when linked to small starting businesses, but for the £3 per month I would fire them over to 365 and get some good protection enabled like MFA; this will solve your issues and also allow for a plethora of additional security tools to be turned on.
0
 
frasierphilips (Author) commented:
1and1 isn't free, they provide our dedicated web server and email services for £50 per month.  Their security has always been excellent and they seem to be constantly upgrading and refining it.
0
 
frasierphilips (Author) commented:
Excellent common sense advice - it was rules which had been transferred with the .PST file from the scrapped machine to the new one.
0
 
btan, Exec Consultant, commented:
I would have hoped my replies have been helpful. It seems they are not.
0
Question has a verified solution.