Some time ago I had the chance to manage a fraud security incident using a technique based on the classic Man in the Middle, but the rare thing is that the attack was not carried in the network or transport layers but in the application layer, more specifically by email. The case was as follows …
The company “A” used to make major purchases of raw materials from suppliers established in other countries. To begin with the transaction, company “A” was asked a first payment and when the order was entirely at their facilities, before delivery, company “A” proceeded to pay the remaining amount.
All these transactions and arrangements were made by email, in which both parties comment the quantities requested, shipping status, prices and bank accounts to pay transfers. Notably, the company staff “A” was used to working in this way and managed dozens of orders with suppliers from various countries of the world.
In one of the email exchanges with one of the Asian suppliers and right in the middle of a thread of replies (the typical n+1 subject Re: email), the employee of the company “A” received an email from an address with the same user name to that he was used to email, but with a domain belonging to Yahoo! This address corresponded with huyin@yahoo.com. That is:
The body of the mail addressed to the employee of “A” from huyin@yahoo.com contained the whole content of the previous conversation in emails, and urged him (the company “A” employee) to change the contact email from huyin@companyA.com to huyin@yahoo.com. The attacker alleged s/he had problems with corporate email and that he was forced to use his personal account.
This request did not raised any alarm, as s/he could see in the email the whole previous conversation, and that the person knew details of the activities and managements carried. Then the attacker requested a bank account change where company “A” had to make the bank transfer. The employee initially suspected, but finally he accepted and proceeded to transfer the remaining amount from the operation. This transfer was necessary in order to pick up the remaining material. When the company “A” employee asked the required paperwork to collect the material to the attacker, s/he not only agreed, but also asked the advanced payment of another order.
Shocked, the company “A” employee phoned the supplier and he discovered that he knew nothing of the e-mail from Yahoo!, or even that they had received made any payments. Moreover, the provider showed him several emails sent from an address “employeeA@yahoo.es”, which of course the employee “A” had not written. These emails showed that the provider had been also misleaded with the same trap: he had been suggested to use a new mail contact, thus completing a perfect man in the middle via email.
The attacker, who had access to the outsourced email server of the company “A”, looked for mailboxes, until s/he found one that had some responsibility in purchasing matters. At that point s/he just had to get in the way of the communication by telling the employee from “A” to use a new email controlled by him/her and the same to the provider. In this way, all emails that were not important to the attacker, were just forwarded, waiting to get to the billing and transfer phase, when he got in the middle, introducing their own bank account.
During the investigation it was found that the scammers used a kind-like TOR network located in Nigeria to consult Webmail their Yahoo! accounts created. We identified over 100 different IPs all geolocated in Lagos (Nigeria). Here is a little sample for you if you find them for your logs. I hope you don’t …
- 41.138.180.104 : Nigeria (Lagos)
- 41.138.191.3: Nigeria (Lagos)
- 41.71.172.3 : Nigeria (Lagos)
- 41.71.176.164: Nigeria (Lagos)
- 41.138.181.105: Nigeria (Lagos)
- 41.71.150.227: Nigeria (Lagos)
- 41.138.172.30: Nigeria (Lagos)
- 41.71.178.215 : Nigeria (Lagos)
- 41.71.171.78: Nigeria (Lagos)
We are aware that these scams are being made to other companies, so watch your mail server closely, especially if you have it outsourced in large service providers that offer incredibly cheap prices, but do not take seriously the security of the customer data.