frasierphilips

asked on

Hacker email cloning issue

Recently a client was the subject of a security breach where an email instructing a payment be made to a supplier, sent from a staff member on a home laptop to an office computer, was intercepted, cloned and re-sent as a follow-up email saying that the first email had incorrect bank account details but here are the new ones etc. etc.  Unfortunately payment was made and a substantial amount of money sent to fraudsters inadvertently.

Once the crime came to light, we acted quickly, as follows:-

1.  All computers had their hard drives removed and scanned via an uninfected computer.  One computer was found to be infected with a serious virus.  This computer was scrapped and a new system installed in its place.  Several computers had low-threat viruses; these were cleaned and the hard drives re-installed.

2. A more secure router was installed to replace the ISP's generic one.

3. The passwords on all mailboxes were changed to random ones, generated using a secure password generator - they are all essentially random strings of punctuation symbols, dual-case letters and numbers.

After all this, cloned emails are still occasionally arriving to try and trap the unwary and we're at a loss as to how the perpetrators are intercepting the emails - does anyone have any suggestions?
ASKER CERTIFIED SOLUTION
LBTechSol

btan

1. It is strange the AV on your machine did not catch the virus. Update the signature and do another thorough scan, and it is best to rebuild all infected or suspected-to-be-infected machines. Include all the portable external media like USB drives to be scanned and reformatted to err on the safe side. It may be good to keep the cloned HDD of the infected machine and have the virus (file) sent to VirusTotal for scanning too. If there is a connection to any file server, also inspect those servers for traces of the virus.

2. Default passwords are the weakness that attackers exploit. Change to a strong password and, if possible, do not even expose the administrative login to the internet. All remote admin access should be via VPN and 2FA-supported (not userid/password only). Check the device configuration, esp. the DNS setting, as it may be pointing to some foreign server that can control, hijack and intercept your device traffic by returning an A record to route through a compromised or attacker-controlled system.

3. The mail server-to-server traffic may not be encrypted (RSA/ECC) or authenticated (TLS), hence susceptible to man-in-the-middle interception. It is best that the email enforce the use of SPF, DKIM and DMARC so that spoofed senders and validated domains are inspected for all email.
Open the email you are talking about and analyze the header. Check who was the sender of this email. If this was your internal account, you must change the password for this account and investigate the user's computer. If the user is using a smartphone to check emails, also check the smartphone and maybe the home computer.
If you have Exchange, turn on authentication logging so you can see what account was used. Sometimes the email header says that mail was sent from user X, but if you dig deeper, you'll see that another account was authenticated.
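The header analysis suggested above, as an added example that is not part of the thread: a small Python script that reads a raw message, compares the displayed From domain with the envelope sender (Return-Path) and Reply-To, pulls the SPF/DKIM/DMARC verdicts your own MX wrote into Authentication-Results, and lists the Received chain origin-first. The message is a constructed sample with reserved/example domains and addresses, not one of the emails from the question.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the thread): a follow-up "updated bank details"
# mail whose displayed From domain differs from the envelope sender and
# Reply-To, and whose receiving MX recorded SPF/DKIM/DMARC failures.
SAMPLE_MESSAGE = b"""Return-Path: <billing@example-supplier-mail.net>
Received: from mail.example-supplier-mail.net (mail.example-supplier-mail.net [203.0.113.10])
\tby mx.example-client.invalid with ESMTP id abc123
\tfor <accounts@example-client.invalid>; Mon, 1 Jan 2018 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example-supplier-mail.net with ESMTPA id def456;
\tMon, 1 Jan 2018 09:59:50 +0000
Authentication-Results: mx.example-client.invalid;
\tspf=fail smtp.mailfrom=example-supplier-mail.net;
\tdkim=none;
\tdmarc=fail header.from=example-supplier.invalid
From: "Jane Supplier" <jane@example-supplier.invalid>
Reply-To: jane.supplier@example-supplier-mail.net
To: accounts@example-client.invalid
Subject: RE: Invoice 1042 - updated bank details
Message-ID: <1@mail.example-supplier-mail.net>

Please disregard the previous account number and use the new details below.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header (RFC 8601)."""
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header_value or ""), re.I):
        verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def received_chain(msg):
    """Host named after 'from' in each Received header, ordered origin first.

    Received headers are prepended by each hop, so the top one is the last hop;
    reversing gives the path the message claims to have taken.
    """
    hops = []
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(\S+)", str(received))
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


def analyze_headers(raw_bytes):
    """Return the header facts a responder wants, plus a list of red flags."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg.get("Return-Path"))
    reply_domain = domain_of(msg.get("Reply-To"))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Only trust Authentication-Results written by your own MX; anything
    # earlier in the chain could have been added by the sender.
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} verdict is {verdict}")
    if re.search(r"\b(bank|account|payment)\s+details\b", str(msg.get("Subject", "")), re.I):
        findings.append("subject mentions changed bank/payment details")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "reply_to_domain": reply_domain,
        "auth": auth,
        "hops": received_chain(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_MESSAGE)
    print("path:", " -> ".join(report["hops"]))
    for finding in report["findings"]:
        print("FLAG:", finding)
```

Run it against a message saved as raw source ("view original" or a `.eml` export) rather than a forwarded copy, since forwarding replaces the headers with your own. A mismatch between From and Reply-To combined with failing SPF/DKIM on a "new bank details" mail is the pattern described in the question, and publishing a DMARC policy for your own domain is what lets a recipient's MX reject such mail before anyone reads it.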
frasierphilips (ASKER)

Done all that - each comes from a generic IP address which isn't associated with an obvious ISP.  Also had 1and1 (our hosting company) look at the source of a couple of emails and they're definitely not from within their system.
@btan - can a "man in the middle attack" occur on the internet or is it just a LAN-related issue?  How are data packets trapped once they're onto the internet, surely each goes via the quickest route available at the time of transmission?
MitM can occur on the internet, e.g. SSL strip, hence the demand for EV SSL certificates and enforcing HSTS.
Instead of the victim connecting directly to a website, the victim would connect to the attacker, and the attacker would initiate the connection back to the website. This attack is known as a Man-in-the-Middle attack.


The magic of SSLStrip was that whenever it would spot a link to a HTTPS webpage on an unencrypted HTTP connection, it would replace the HTTPS with HTTP and sit in the middle to intercept the connection. The interceptor would make the encrypted connection back to the web server in HTTPS, and serve the traffic back to the site visitor unencrypted (logging any interesting passwords or credit card information in the process).

In response, a protocol called HTTP Strict Transport Security (HSTS) was created in 2012 and specified in RFC 6797. The protocol works by the server responding with a special header called Strict-Transport-Security which contains a response telling the client that whenever they reconnect to the site, they must use HTTPS. This response contains a "max-age" field which defines how long this rule should last for since it was last seen.
https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-english-primer/
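The HSTS mechanism quoted above, as an added example that is neither part of the thread nor Cloudflare's code: a Python model of the client-side policy store that RFC 6797 describes. It parses the Strict-Transport-Security header, records a policy only when the header arrived over HTTPS (the RFC tells clients to ignore it otherwise), honours max-age expiry, includeSubDomains and max-age=0 revocation, and rewrites plain http:// URLs to https:// for known hosts. Host names and times are constructed for the test; the `HstsCache` class and its method names are this example's own.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns a dict, or None when the header is malformed or lacks the
    mandatory max-age directive (a client must then ignore it).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


class HstsCache:
    """Minimal model of a browser's HSTS host store (example, not a real browser's)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header_value, over_https, now=None):
        """Record the policy from a response. Returns True if the store changed.

        A header seen on a plain-HTTP response is ignored: that is exactly the
        window SSLStrip exploits on a first visit, before any policy is cached.
        """
        if not over_https:
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            # max-age=0 tells the client to forget the host.
            self._hosts.pop(host, None)
            return True
        now = time.time() if now is None else now
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("bank.example", "max-age=31536000; includeSubDomains", over_https=True)
    print(cache.rewrite("http://www.bank.example/login"))
```

The model makes the limitation visible: until a site has been visited once over genuine HTTPS, nothing is cached and an http:// link is followed as-is, which is why the preload list exists and why a mail client following a stripped link gets no protection from HSTS at all.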
How is the transmission hijacked in the first place?  Does the hacker need to amend settings on the user PC?
It is opportunistic. The attacker needs to listen for an attempt to make an HTTPS connection and, before it is established, strip it off to downgrade into HTTP. Another means is brute-forcing into the router and having the A record point to the attacker's machine, so traffic will then route through it.
So do they listen on the IP address of the broadband connection at the user's end?
Not exactly. Instead, more often they would do reconnaissance of the service ports of routers, modems etc. (as some examples) and check if they are vulnerable...
According to Shodan search, around 41 Million devices leave port 7547 open, while about 5 Million expose TR-064 services to the outside world.

According to an advisory published by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploit code every 5-10 minutes for each target IP.
https://www.wordfence.com/blog/2017/04/check-your-router/

Other vulnerabilities can be exposed to attackers' interest.

https://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/
What are you using as your mail server?  Can you turn on 2 factor authentication?
@serialband we're using a 1and1 mail server hosted on the internet
The use of the free email solutions out there like 1and1 are good free options when linked to small starting businesses, but for the £3 per month I would fire them over to 365 and get some good protection enabled like MFA; this will solve your issues and also allow for a plethora of additional security tools to be turned on.
1and1 isn't free, they provide our dedicated web server and email services for £50 per month.  Their security has always been excellent and they seem to be constantly upgrading and refining it.
Excellent common sense advice - it was rules which had been transferred with the .PST file from the scrapped machine to the new one.
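Since the root cause turned out to be mailbox rules carried across in the .PST, here is an added example (not from the thread, and not any vendor's tool) of the kind of audit worth running over every mailbox's rules after an incident like this. It takes rule definitions as plain dictionaries; the keys (`ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, `SubjectOrBodyContainsWords` and so on) are assumed for the example and would have to be mapped from whatever your mail platform exports. The rules themselves are constructed samples.

```python
# Constructed sample rules (assumption: key names are illustrative, modelled on
# the kind of fields a mailbox-rule export exposes, not a specific product's schema).
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@vendor.invalid"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "bank details", "payment"],
     "ForwardTo": ["collect@mail-drop.invalid"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Archive old", "Enabled": False,
     "RedirectTo": ["me@example-client.invalid"]},
]

INTERNAL_DOMAINS = {"example-client.invalid"}  # constructed: your own mail domains
FINANCE_WORDS = {"invoice", "payment", "bank", "account", "remittance", "wire"}
HIDING_FOLDERS = {"deleted items", "junk email", "junk e-mail", "rss feeds",
                  "archive", "conversation history"}


def external_recipients(rule, internal_domains):
    """Addresses the rule forwards or redirects to that are outside our domains."""
    found = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in rule.get(key) or []:
            if addr.rpartition("@")[2].lower() not in internal_domains:
                found.append(addr)
    return found


def audit_rule(rule, internal_domains):
    """Return human-readable findings for one rule (empty list if nothing stands out)."""
    findings = []
    ext = external_recipients(rule, internal_domains)
    if ext:
        findings.append("forwards/redirects to external address(es): " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching messages to '{rule['MoveToFolder']}'")
    words = []
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"):
        words += [w.lower() for w in rule.get(key) or []]
    hits = sorted({w for w in words if any(f in w for f in FINANCE_WORDS)})
    if hits:
        findings.append("triggers on finance keywords: " + ", ".join(hits))
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1 or not any(ch.isalnum() for ch in name):
        findings.append("blank or non-descriptive rule name")
    return findings


def severity(rule, findings, internal_domains):
    """high: exfiltrates mail or hides finance-related mail; medium: anything else flagged."""
    if not findings:
        return "low"
    exfil = bool(external_recipients(rule, internal_domains))
    hides = rule.get("DeleteMessage") or any(f.startswith("moves") for f in findings)
    finance = any(f.startswith("triggers") for f in findings)
    if exfil or (hides and finance):
        return "high"
    return "medium"


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Audit every rule, including disabled ones (they can be re-enabled silently)."""
    report = []
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        report.append({
            "name": rule.get("Name"),
            "enabled": bool(rule.get("Enabled", True)),
            "findings": findings,
            "severity": severity(rule, findings, internal_domains),
        })
    return report


if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES):
        state = "enabled" if entry["enabled"] else "disabled"
        print(f"[{entry['severity']:6}] {entry['name']!r} ({state})")
        for finding in entry["findings"]:
            print("         -", finding)
```

The second sample rule is the shape to look for after a payment-fraud incident: a one-character name, a trigger on invoice or bank wording, a forward to an outside mailbox, and deletion so the real user never sees the message. Rules survive password changes and, as this thread shows, a move to a clean machine, so the audit belongs on the checklist alongside the password reset.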
I would have hoped my replies have been helpful. It seems they are not.