
Today our customer replied to a mail supposedly sent by one of our employees requesting a wire transfer to a Spanish bank account. Our employee did not send this mail, nor can I find it anywhere in our Exchange mail server. It simply did not get sent by us.

The mail address that sent this fake mail is identical to our employee's. The only difference is that the displayed contact name for our real employee is:

"lastname, firstname [mailto:firstname.lastname@domain.com]"

For the fake account/interceptor this is:

"lastname firstname [mailto:firstname.lastname@domain.com]"

See the missing comma?

Our customer replied asking me if the mails are legitimate. I replied saying no. After doing this I have been receiving spam from the mail address "kalkaramerina@gmail.com" every 2-3 minutes.

I have no idea what is going on and where the issue lies. Can anyone help me in the right direction? Help would be VERY much appreciated!

Kevv
  • I've seen a couple of emails that sound similar to this. As far as I could make out they were clever forgeries and did not actually alter an existing email. In what form did you communicate with your client when confirming? By email or by phone? If by email, you may have inadvertently also contacted the spammer. – Jaydee Oct 21 '16 at 09:55
  • Have a look at the message headers; they'll tell you where the message actually originated from, and which route it took to your customer's mailbox. – Massimo Oct 21 '16 at 10:00
  • Hi Jaydee and Massimo, thanks for your responses. In reply: we were communicating by mail. The mails were only sent to the client. The header for the kalkaramerina mail is from gmail. But I'm more worried about the altered mail that was communicated to the client. I cannot see the header for that, as it was sent to them. – Kevv Oct 21 '16 at 10:04
  • That was very likely not altered, but forged; i.e. it doesn't really come from your mail server, but from someone pretending to be your company. Have the client forward you a copy of the message, and have a look at its headers; this will prove where the message actually came from. – Massimo Oct 21 '16 at 10:21
  • Hi Massimo, doesn't this show the header from the client then? Also, we just discovered these forged mails were sent from firstname.lastname@domain.cf, note the CF.. so it is a fake domain. However, 2 questions remain: How did this malicious person access the mail chain sent between the client and the employee? Why did we suddenly start receiving spam from a random Gmail account when I sent a mail to the client? I am afraid they have access to our mail server. Thanks for your help & input so far. – Kevv Oct 21 '16 at 10:33
  • I don't think your mail server is involved at all. Everyone can forge a fake sender address; I could send a message *now* to *anyone*, stating it comes from your address (assuming I knew it). The only thing proving that the message is fake would be its headers, which would clearly show that the message originated from *my* mail server, not yours. – Massimo Oct 21 '16 at 10:51
  • Hi Massimo, you're right about that. However, this doesn't explain how the malicious mailer was able to "inject" himself into the mail conversation/chain: Employee mailed Customer; Customer mailed Employee; Malicious-forger mailed Customer. How would a malicious user discover the mail conversation and just join in like that? – Kevv Oct 21 '16 at 10:59
  • From your post, it seems the spammer emailed your customer without any previous knowledge of the previous conversation that was already taking place; is this the case, or did the spammer actually reply to (or display knowledge of) something specific the employee and the customer were talking about? – Massimo Oct 21 '16 at 12:01
  • I don't understand what you mean about the spammer "injecting" their message into the chain. They spoofed one of your email addresses and sent the customer a spam email and the customer replied to it. That's how backscatter works. Why are you thinking they injected the spoofed email into an email "chain"? – joeqwerty Oct 21 '16 at 12:14
  • Massimo, not only did they display knowledge. They were responding to earlier mails (so a RE: mail). Joeqwerty, because they were responding to earlier mails that were sent. The customer and employee were communicating in back and forth mails, and the malicious party removed my colleague's legitimate e-mail address and added himself instead, using the same address. I'd also like to mention we have set up SPF records. Isn't that supposed to stop spoofing? Thanks again for your help and apologies if I'm not clear. – Kevv Oct 21 '16 at 13:03
  • @Kevv, this is a completely different issue than a spoofed sender or spam/phishing. You should have mentioned it in the question. – Massimo Oct 21 '16 at 13:15
  • Sorry Massimo, I should've been more clear. The part about the gmail spammer seems irrelevant, I just found it extremely odd. – Kevv Oct 21 '16 at 13:22
  • Your domain SMTP server may be acting like an open SMTP relay, or you haven't applied filtering policies. – Arjun sharma Oct 21 '16 at 16:06
  • I'd like to thank you all for your help. It turns out the recipient's mailbox was compromised. The spoofer used that knowledge to set up a spoofed version of one of our mailboxes and interacted with the recipient. We are setting up strict SPF records for the future. I want to mark an answer but cannot as you've all commented! – Kevv Oct 27 '16 at 13:30
  • This is happening to us too, with a similar method. – mding5692 Sep 27 '18 at 14:46

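As an added example, not part of the thread, this is the header check Massimo recommends, applied to a constructed copy of the kind of reply the customer would forward back: it reads the From address, flags the look-alike domain (domain.cf versus domain.com), and walks the Received chain to find the first hop. The hostnames, IPs and the legitimate relay name are assumptions for the sample; note that SPF published for domain.com never comes into play here, because the forged mail's sender domain is domain.cf.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the thread): a "RE:" reply whose From uses a
# look-alike domain and whose Received chain never touches the real server.
RAW_MESSAGE = b"""\
Received: from mx.customer.example (mx.customer.example [203.0.113.5])
\tby mail.customer.example with ESMTP id abc123; Fri, 21 Oct 2016 09:00:00 +0000
Received: from webmail.evil.example (webmail.evil.example [198.51.100.7])
\tby mx.customer.example with ESMTP id xyz789; Fri, 21 Oct 2016 08:59:58 +0000
From: lastname firstname <firstname.lastname@domain.cf>
To: buyer@customer.example
Subject: RE: invoice payment
Message-ID: <1@webmail.evil.example>

Please wire the payment to our new bank account.
"""

LEGIT_DOMAIN = "domain.com"
LEGIT_RELAY = "mail.domain.com"  # assumed hostname of the company's Exchange server

def sender_domain(msg):
    _name, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """Same leading label, different TLD (domain.cf vs domain.com)."""
    return domain != legit and domain.split(".")[0] == legit.split(".")[0]

def received_hosts(msg):
    """Each relay prepends its own Received header, so the last one is the first hop."""
    return [h.split()[1] for h in (msg.get_all("Received") or [])]

def analyse(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    hops = received_hosts(msg)
    return {
        "sender_domain": domain,
        "lookalike": is_lookalike(domain),
        "origin": hops[-1] if hops else None,   # where the mail really started
        "via_legit_relay": LEGIT_RELAY in hops,  # did it ever pass our server?
    }

if __name__ == "__main__":
    print(analyse(RAW_MESSAGE))
```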
0 Answers