Email phishing attempt against one of our vendors was successful ...
-
@JasGot said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.
What makes me also think it was a directed phish attack on your vendor, is that you say the vendor received an e-mail regarding another ACH account number on the same day, but you didn't say the message had any indication it was a follow up or correction to the earlier message.
Thanks everyone for the feedback. It does appear it was on the vendor end but it was a more sophisticated attack that did involve us being fooled as well even though the target was our vendor. From our investigation this is what we believe actually happened:
- Vendor owed us and was going to pay by ACH and requested details. These details were sent to him by our head of finance in an encrypted email which the vendor did receive.
- The attacker then spoofed our accounting team by sending us a phishing email that appeared to come from the vendor (the domain name used against us left an "s" off of the end of the domain name, thus appeared valid to our accounting team) stating that he had not received the ACH info (which the vendor had, this was the attacker phishing us). One of our accountants responded (to the wrong domain) once again giving the correct ACH details.
- At this point the attacker had all he needed to spoof an email that appeared to come from the accountant that had responded to him. The attacker used that info to send a phishing attack email to the vendor which appeared to come from our accountant but using the wrong domain name and contained the attacker's ACH info.
- Vendor was fooled by this email and sent payment to the wrong account.
- Vendor ignored (for some reason, don't know why) the fact that when he went to ACH the money the company name appearing on his bank portal as the destination for the payment was not our company name.
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
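A defender-side check for the lookalike-domain trick described in this post (the attacker's domain dropped one letter from the real vendor domain), added here as an example and not code from anyone in the thread; the trusted domains and sender addresses are constructed:

```python
"""Flag inbound senders whose domain is a near-miss of a known partner domain.

The thread describes two spoofed domains that differed from the real ones by a
single dropped character. This check compares the From: domain against a list
of trusted vendor/partner domains and flags anything within a small edit
distance that is not an exact match.
"""
from email.utils import parseaddr

# Constructed sample data (hypothetical domains, not from the thread).
TRUSTED_DOMAINS = {"acmesupplies.example", "ourcompany.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(header_from)
    return addr.rpartition("@")[2].lower()


def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', nearest trusted domain)
    or ('unknown', domain) for the given From: header."""
    domain = sender_domain(header_from)
    if domain in trusted:
        return "trusted", domain
    nearest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= max_distance:
        # Close to a partner domain but not identical: the dropped-"s" case.
        return "lookalike", nearest
    return "unknown", domain
```

Run it from a transport rule or a mail-gateway hook on the parsed From: header; a "lookalike" result on a message that mentions payment details is the point at which a phone call to the vendor, not a reply, is warranted.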
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
Wow! Good work. That's a dedicated scammer. What was his payday? If you don't mind making the story more fun...
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
-
- Don't give the vendor any details about your IT infrastructure; it is their problem, not yours. Give them minor details that make sense and are relevant to the investigation, but certainly don't reveal any infrastructure to them.
- This is most certainly an insider attack or a compromised account. In either situation, you have to assume they haven't resolved it yet. Hopefully it's a compromised account, which is more easily fixed, but if it's an insider they may be hard to detect.
-
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
-
@IRJ said in Email phishing attempt against one of our vendors was successful ...:
This is most certainly an insider attack or a compromised account.
Every chance that this was an insider, especially if the person encrypted the mail rather than using an encryption service.
-
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
True, but knowing users.... they probably decrypted it and sent it to another employee as plain text!
-
@JasGot said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
Wow! Good work. That's a dedicated scammer. What was his payday? If you don't mind making the story more fun...
Enough to sting but not crippling to us or the vendor involved.
-
@IRJ said in Email phishing attempt against one of our vendors was successful ...:
- Don't give the vendor any details about your IT infrastructure; it is their problem, not yours. Give them minor details that make sense and are relevant to the investigation, but certainly don't reveal any infrastructure to them.
We haven't and they haven't asked. They don't seem to have any internal IT resources and are flying blind a little I think.
- This is most certainly an insider attack or a compromised account. In either situation, you have to assume they haven't resolved it yet. Hopefully it's a compromised account, which is more easily fixed, but if it's an insider they may be hard to detect.
Are you saying a compromised account or insider at our vendor or do you think it points to a compromised account/insider on our side?
-
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
The email system did do the encryption. We use Office 365, and a handful of users who need it have encryption capability by sending an email with the word "Encrypt" in the subject; the Office 365 system will do the encryption from there. The initial email in the chain of events that we sent to the vendor said, to the effect of, "click here to get your encrypted document".
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Are you saying a compromised account or insider at our vendor or do you think it points to a compromised account/insider on our side?
I think he is saying that there is no way to tell. Although knowing exactly what "encrypted an email" means and if it was stored or shared with anyone might give some direction to investigate.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
The email system did do the encryption. We use Office 365, and a handful of users who need it have encryption capability by sending an email with the word "Encrypt" in the subject; the Office 365 system will do the encryption from there. The initial email in the chain of events that we sent to the vendor said, to the effect of, "click here to get your encrypted document".
That actually means that no email was involved. That's different from encrypting an email (e.g. with GPG). They call it that to confuse people, but it's not email at all. It's just a private message on an encrypted web server. That's fine, but it's important not to refer to it as encrypted email to IT people, as it means something very different.
If your EMAIL was encrypted, you'd be protected from O365 having been compromised. But in this case, it was not encrypted until later, so if O365 was compromised, it would have a copy of the message without encryption.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Enough to sting but not crippling to us or the vendor involved.
Thankfully!