In this Barracuda Research post, we examine a recent attack against an organization that had no spear phishing protection in place. This incident demonstrates the dangers of using unauthenticated email for financial transactions.
The PC used by the controller at the company was infected with malware that echoed a copy of every email he received to an email address at a “free email” domain.
The thief at this unauthorized email account watched the controller’s emails for a short period of time before acting on them. Soon, there was an email concerning a transaction that was big enough to tempt the thief to strike.
Using information from the emails he’d been monitoring, the thief created a forged email “from” the supplier, with a “Reply-To” header to divert the replies to him.

From: firstname.lastname@example.org
Subject: Our revised invoice with updated bank info
Reply-To: email@example.com <firstname.lastname@example.org>
To: email@example.com

Please find revised Invoice with our updated bank details for payment transfer.

1 attachment: Updated-Invoice.pdf
Flush with this success, over the next two weeks, the thief inserted himself into conversations about other financial transactions, impersonating first one party, then the other, carefully diverting replies to his own email address. The actual email conversation between the company and its supplier was quoted in the thief’s email.
When there was a question about why this supplier’s account would be in an unlikely foreign bank, the thief attached images of signed documents “authorizing” the change. The authorization letters and the signatures had been lifted from similar documents that had been attached to previous emails the controller had received.
Eventually, some of the employees got a copy of one of the thief’s impersonations of them in the email conversations, and the alarm was raised. But the thief got a significant amount of money before his ruse was discovered.
Multiple vulnerabilities were at work here. First, the malware on the controller’s PC gave the thief a wiretap into the company’s financial workings, supplying the information he needed to carry out the scheme. Second, the ability to impersonate company employees and the people they regularly corresponded with gave him a way to reach his targets. You can learn more about this type of attack on our spear phishing and cyber fraud blog and in our Threat Spotlight post.
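The forged message above has the two tell-tale signs a mail gateway can check mechanically: a Reply-To whose domain differs from the From domain (and points at a consumer webmail provider), combined with language about changed bank details. The following is an added example, not code from the post or from Barracuda, that runs those checks over constructed sample messages; the domains, the freemail list and the phrase list are assumptions a deployment would replace with its own.

```python
import email
from email.utils import parseaddr

# Constructed sample messages modelled on the forged invoice email in the post.
# All addresses and domains are placeholders, not real accounts.
FORGED_INVOICE = """\
From: "Supplier Accounts" <accounts@supplier.example>
Reply-To: "Supplier Accounts" <supplier.accounts@freemail.example>
To: controller@company.example
Subject: Our revised invoice with updated bank info

Please find revised Invoice with our updated bank details for payment transfer.
"""

NORMAL_INVOICE = """\
From: "Supplier Accounts" <accounts@supplier.example>
To: controller@company.example
Subject: Invoice 1042 for March

Attached is our invoice for March services, payable to the account on file.
"""

# Hypothetical list of consumer webmail domains; a deployment maintains its own.
FREEMAIL_DOMAINS = {"freemail.example", "webmail.example"}

# Phrases that typically accompany a request to change where money is sent.
PAYMENT_CHANGE_PHRASES = (
    "updated bank", "new bank", "bank details", "bank info",
    "change of account", "revised invoice",
)


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or '' if absent."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of finding tags for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    # The thief's trick: a plausible From, but replies silently routed elsewhere.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    if reply_domain in FREEMAIL_DOMAINS:
        findings.append("reply-to-freemail")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        findings.append("payment-change-language")
    return findings


def disposition(findings):
    """Map findings to a handling decision for the finance mailbox."""
    diverted = "reply-to-domain-mismatch" in findings
    if diverted and "payment-change-language" in findings:
        return "hold-for-out-of-band-verification"
    if findings:
        return "flag-for-review"
    return "deliver"


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_INVOICE), ("normal", NORMAL_INVOICE)):
        found = analyze(raw)
        print(name, found, disposition(found))
```

The point of the "hold" disposition is that the decision is taken out of the controller's inbox: a message that both diverts replies and asks for a change in payment destination is confirmed by phone with a known contact before anyone acts on it, which is the control the victim in this story lacked.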
Barracuda Sentinel uses Domain-based Message Authentication, Reporting and Conformance (DMARC) capabilities to combat this type of crime. The service examines information from multiple signals to learn the unique communication patterns of each company and analyzes the content of messages for sensitive information. Barracuda Sentinel then combines this messaging intelligence to determine with a high degree of accuracy whether an email is part of a spear phishing attack like this one. Learn more about Barracuda Sentinel on our corporate site.
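DMARC would have addressed the first half of the thief's technique: a message claiming to be “from” the supplier that was not sent through the supplier's authenticated mail path fails DMARC if the supplier publishes a reject policy. The following is an added example, not part of the post and not Barracuda's or Sentinel's code, showing how a receiver combines SPF and DKIM results with the From domain's DMARC record to reach a disposition. The record, the domains and the SPF/DKIM outcomes are constructed inputs; the organizational-domain helper is a two-label approximation, which a real evaluator replaces with the Public Suffix List.

```python
# Constructed DMARC record for a hypothetical supplier domain; the report
# address and all domains below are placeholders.
SUPPLIER_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@supplier.example"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dictionary of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption for this example only; production code uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Is the authenticated domain aligned with the RFC5322.From domain?
    mode 's' (strict) requires an exact match; 'r' (relaxed) compares
    organizational domains."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Combine SPF/DKIM results with the From domain's DMARC record.

    spf_pass_domain:  the MAIL FROM domain if SPF passed, otherwise None.
    dkim_pass_domain: the d= domain of a verified DKIM signature, otherwise None.
    """
    tags = parse_dmarc(record)
    spf_aligned = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_aligned = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned  # DMARC passes if either identifier aligns
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": passed,
        "disposition": "accept" if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    # The thief's forgery: From claims supplier.example, but the only thing that
    # authenticated was the freemail envelope sender.
    print(evaluate(SUPPLIER_DMARC, "supplier.example", spf_pass_domain="freemail.example"))
    # The supplier's genuine mail: relaxed SPF alignment via a bounce subdomain,
    # strict DKIM alignment on the exact domain.
    print(evaluate(SUPPLIER_DMARC, "supplier.example",
                   spf_pass_domain="bounce.supplier.example",
                   dkim_pass_domain="supplier.example"))
```

DMARC only vouches for the domain in the From header. It says nothing about a Reply-To pointing elsewhere, a lookalike domain the thief registers himself, or mail sent from a genuinely compromised supplier account, which is why the post pairs it with the per-company communication-pattern analysis described above.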