Email phishing attempt against one of our vendors was successful ...
-
Our accounting department just let me know that one of our vendors' payments to us was apparently hijacked and sent to an account that was not our own. Here are the facts as I have them so far:
-
Our head of finance sent an encrypted email to the vendor giving them an account of ours to ACH funds to. Vendor states that they did receive this email.
-
Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.
-
Upon closer inspection we can see that this is a phishing email he received. The from field spoofed our domain by replacing the characters "il" with "ll" in one spot and thus was difficult to spot unless looking closely.
-
This secondary email, though obviously spoofed, had the correct email signature that we use as a corporate standard for the user that it was impersonating, which gave the email an extra measure of authenticity in the eyes of the vendor.
My question is how likely was this caused by a breach on our network? The thing that is concerning is that the attacker had the correct email signature, though this could have come from anyone that had ever received an email from us since it is the standard we use. Furthermore, from what I have been told (I haven't seen it to be able to verify), the phished email was received immediately after the original valid email.
Anything in particular that I should be checking? We are on O365 for our email and so we don't host our own email server.
-
@BraswellJay The phish'd e-mail came from another domain, correct?
-
@JasGot said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay The phish'd e-mail came from another domain, correct?
That's correct.
-
I see that either side could be infected.
Your user's computer could be - and the hacker set up a secondary email to follow once seeing the outbound email - though if that was the case, it seems more likely they would have tried to use your user's own machine to send a second email with the fake ACH account number in it coming from a completely legit email address.
Option 2 - the recipient's computer is compromised, and when the other email from your client came in - again the hacker used that information to send a fake email, this time spoofing that faked domain name.
But I'm sure there are many more options too.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
My question is how likely was this caused by a breach on our network?
No indication whatsoever that it is related to you.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Anything in particular that I should be checking?
Nope. There's not the slightest indication of any breach on either side. No reason to suspect a breach in any way.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
I see that either side could be infected.
Sure, either side, or both, COULD be infected. But there's absolutely nothing in the situation to suggest that that is the case. They had to resort to phishing because there was no infection.
It's like finding your window broken with a brick and then wondering if that means that they picked your door lock. Can you pick a door lock and then throw a brick through the window to be a jerk? Sure. But finding a brick thrown through a window gives you no reason to suspect that the door was picked.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
But I'm sure there are many more options too.
Could just be fortuitous timing.
-
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
But I'm sure there are many more options too.
Could just be fortuitous timing.
Could be, but I doubt it.
-
I think you should get an infosec dude that can investigate it asap.
I think the vendor's O365 account has been breached. Could be something simple as having used the same password somewhere else.
-
@Pete-S said in Email phishing attempt against one of our vendors was successful ...:
I think you should get an infosec dude that can investigate it asap.
I think the vendor's O365 account has been breached. Could be something simple as having used the same password somewhere else.
Most likely thing is just a single user, not the org. We see users get hacked regularly.
-
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
But I'm sure there are many more options too.
Could just be fortuitous timing.
Could be, but I doubt it.
I agree, this seems way too close in timing to just be fortuitous.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.
What makes me also think it was a directed phish attack on your vendor is that you say the vendor received an e-mail regarding another ACH account number on the same day, but you didn't say the message had any indication it was a follow up or correction to the earlier message.
I would say your vendor fell victim to a phishing scam that used your company info. They used your company info because at some point an e-mail address book was compromised at your vendor.
Remember, these phishers are very smart; their written English is poor (but getting better), but they can extrapolate a lot of correct information just from an address book, like who the vendors are, and who the finance people are.
There is a chance the compromise was at your end, but more likely at the vendor.
-
@JasGot said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.
What makes me also think it was a directed phish attack on your vendor is that you say the vendor received an e-mail regarding another ACH account number on the same day, but you didn't say the message had any indication it was a follow up or correction to the earlier message.
Thanks everyone for the feedback. It does appear it was on the vendor end but it was a more sophisticated attack that did involve us being fooled as well even though the target was our vendor. From our investigation this is what we believe actually happened:
- Vendor owed us and was going to pay by ACH and requested details. These details were sent to him by our head of finance in an encrypted email which the vendor did receive.
- The attacker then spoofed our accounting team by sending us a phishing email that appeared to come from the vendor (the domain name used against us left an "s" off of the end of the domain name, thus appeared valid to our accounting team) stating that he had not received the ACH info (which the vendor had, this was the attacker phishing us). One of our accountants responded (to the wrong domain) once again giving the correct ACH details.
- At this point the attacker had all he needed to spoof an email that appeared to come from the accountant that had responded to him. The attacker used that info to send a phishing attack email to the vendor which appeared to come from our accountant but using the wrong domain name and contained the attacker's ACH info.
- Vendor was fooled by this email and sent payment to the wrong account.
- Vendor ignored (for some reason, don't know why) the fact that when he went to ACH the money the company name appearing on his bank portal as the destination for the payment was not our company name.
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
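As an added illustration of the lookalike-domain trick this post describes (the "il" swapped for "ll" and the trailing "s" dropped), here is a small Python check a defender could run over inbound From headers against a list of known partner domains. It is example code, not anything from the thread, and the domains and addresses in it are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed trusted domains (placeholders): our own and a vendor's.
TRUSTED = {"millbrook-finance.com", "acmesupplies.com"}
# Confusable runs folded to one form so an "il" -> "ll" swap yields the same skeleton.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]

def skeleton(label: str) -> str:
    """Fold confusable runs; 'mill' and 'mlll' both become 'mlll'."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header_from: str, trusted=TRUSTED) -> str:
    """'trusted' on exact match, 'lookalike' if the skeleton matches or within 2 edits, else 'unknown'."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if skeleton(domain) == skeleton(good) or levenshtein(domain, good) <= 2:
            return "lookalike"
    return "unknown"

# Constructed From headers covering the two tricks from the thread.
SAMPLES = [
    "Jane Doe <jane@millbrook-finance.com>",  # genuine
    "Jane Doe <jane@mlllbrook-finance.com>",  # "il" swapped for "ll"
    "Bob Vendor <bob@acmesupplie.com>",       # trailing "s" dropped
    "News <noreply@somethingelse.org>",       # unrelated sender
]

def scan(headers=SAMPLES) -> dict:
    """Map each From header to its verdict; 'lookalike' is what to hold for review."""
    return {h: classify_sender(h) for h in headers}
```

A distance of 2 against a short trusted domain will also catch unrelated short domains, so treat "lookalike" as a hold-for-review signal rather than a hard block.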
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
Wow! Good work. That's a dedicated scammer. What was his payday? If you don't mind making the story more fun...
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
...name appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
...name appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
-
Don't give the vendor any details about your IT infrastructure; it is their problem, not yours. Give them minor details that make sense and are relevant to the investigation, but certainly don't reveal any infrastructure to them.
-
This is most certainly an insider attack or a compromised account. In either situation, you have to assume they haven't resolved it yet. Hopefully it's a compromised account, which is more easily fixed, but if it's an insider they may be hard to detect.
-
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
...name appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
-
@IRJ said in Email phishing attempt against one of our vendors was successful ...:
This is most certainly an insider attack or a compromised account.
Every chance that this was an insider, especially if the person encrypted the mail rather than using an encryption service.