Need help defeating wire fraud.
March 30, 2014 1:21 AM

My company and industry are under widespread and sophisticated B2B wire fraud attack. Help me locate the vector or mechanism, please.

Since the beginning of January, attackers have attempted fake invoice fraud on my company twice and at least five other companies (some multiple times). The attacks have increased in frequency in the last week. The amounts of money are not inconsiderable with each transaction valued between USD low six to mid seven figures.

The attacks are all identical. The attacker intercepts an email with an invoice to a client to be paid in the near future. Very soon after (+/- one to two hours) the attacker sends a spoofed email resending the invoice that has been doctored to contain "new" banking instructions. In most cases the attacker advises the client to see the "new" banking details giving some plausible reason for the change, and in at least one case the attacker has waited a few hours then sent another spoofed email with the "new" banking details in the body of the email rather than in the attachment. I've found four recipient banks across Asia and Europe.

For background, our industry is a specialized commodities industry operating internationally and that works on 30 days unsecured credit terms issuing invoices via emailed pdf. The six of us that have been attacked have little in common; we range in size from Fortune 50-size companies to companies with 20 employees. The identified target companies are in the US and the EU. Our IT infrastructures are doubtless dissimilar but obviously have at least one thing in common, the presumptive proximal vector (e.g., Outlook). The distal vector could be any number of industry associations or vendors with our collective email addresses, if my presumptions are correct.

However, my IT systems - computers, servers of various sorts, hosted email - are squeaky clean as are those of at least one of our much larger competitors, and we did full scale pen testing the first time it happened. No one has isolated the mechanism of attack. My best guess is a malware package inserted by email that dials home, sucks up all email traffic, and then deploys some sorting algorithm to select timely targets. But who the hell knows.

We'll probably never find the original vector, but any guesses welcome. The main thing I want to do is figure the mechanism of attack. Where to look? What to look for? What kind of credentials would a consultancy need to help us?

Sock puppet account of long-term user for obvious reasons. I'll be around to answer questions as much as I can without threadsitting or compromising what little anonymity this askme has.
posted by Hosiery Exegesis Association to Computers & Internet (15 answers total) 5 users marked this as a favorite

Does the spoofed email contain any unique identifiers, the correct invoice no etc, or could they be generic copies of an old invoice?

What do the email headers look like, do they show the spoof emails arriving via a different route to a genuine email?
posted by Lanark at 3:09 AM on March 30, 2014

Are your outbound emails going through an aggregation point anywhere -- like if your upstream ISP is sending all outbound SMTP through a proxy in an attempt to detect spammers?

Alternatively, are there any network commonalities between the people who are receiving the "amended" invoices?
posted by sldownard at 5:13 AM on March 30, 2014

How clean are the recipients' systems? Something/someone malicious at their end could be quietly forwarding e-mail to an outside party, who is sending the forged e-mail back.

I'm guessing the PDF invoices are not cryptographically signed?
posted by scruss at 5:25 AM on March 30, 2014

Best answer: If you're asking these questions, you need professionals. Call Mandiant. Get a consultant on site. Pay the money. Then call the FBI. The FBI doesn't do response and cleanup for you, they just catch the bad guys.

There are enough red flags here (and not enough supporting information to the contrary) that you should be proceeding assuming that you have an active intruder with access to your corporate network until you have evidence suggesting otherwise.

Checking the email headers from the message is a good idea. If they are coming from your network, you really need professional forensics services yesterday.

Suggesting your systems are squeaky clean because of a pen test is ridiculous. A pen test isn't going to catch that one of your admins clicked on a bogus link in an email and now is running a reverse tunnel through your firewall back to the attackers. That's just one of a thousand that it won't catch. A clean pen test is a _baseline_ for your security practice, not a target condition.

If you have more information than this and more reason to believe that this isn't you but don't want to put details out there for everyone, memail me and let's set up some time to chat. Incident response is my thing, and I may have ideas. But based on what's given, you sound like you need a professional response firm to confirm that an attacker doesn't own your infrastructure.
posted by bfranklin at 6:34 AM on March 30, 2014 [40 favorites]
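
Added example, not part of any poster's reply: one way to answer Lanark's question about whether the spoofed mail arrived by a different route, and to do the header check bfranklin recommends, is to profile a known-good invoice email and compare a suspect one against it. The sample headers are constructed, all domains and IP addresses are reserved documentation values, and the function and flag names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the thread); each Received line is the
# one stamped by the recipient's own MX, which records the connecting IP.
GENUINE = """\
Received: from mail.supplier.example (mail.supplier.example [192.0.2.10])
\tby mx.client.example with ESMTPS; Mon, 3 Mar 2014 09:12:01 +0000
Authentication-Results: mx.client.example; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example
Return-Path: <billing@supplier.example>
From: Billing <billing@supplier.example>
Subject: Invoice 1001

"""
SUSPECT = """\
Received: from host-7.cloud.example (host-7.cloud.example [203.0.113.77])
\tby mx.client.example with ESMTP; Mon, 3 Mar 2014 10:40:12 +0000
Authentication-Results: mx.client.example; spf=softfail smtp.mailfrom=supplier.example; dkim=none
Return-Path: <billing@supplier.example>
From: Billing <billing@supplier.example>
Reply-To: billing@supplier-example.invalid
Subject: Invoice 1001 - updated bank details

"""

def profile(raw):
    """Reduce a raw message to the header facts worth comparing."""
    msg = message_from_string(raw)
    def dom(header):
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    relays = set(re.findall(r"\[([0-9a-fA-F.:]+)\]", " ".join(msg.get_all("Received", []))))
    return {"from": dom("From"), "reply_to": dom("Reply-To"), "auth": auth, "relays": relays}

def compare(baseline, suspect):
    """Return flags where the suspect message departs from the known-good one."""
    flags = []
    if suspect["from"] != baseline["from"]:
        flags.append("from-domain-differs")
    if suspect["reply_to"] and suspect["reply_to"] != suspect["from"]:
        flags.append("reply-to-diverts")      # replies go somewhere other than the sender
    for mech in ("spf", "dkim"):
        if baseline["auth"].get(mech) == "pass" and suspect["auth"].get(mech) != "pass":
            flags.append(f"{mech}-regressed")  # genuine mail authenticates, this one does not
    if not suspect["relays"] & baseline["relays"]:
        flags.append("new-relay-path")         # handed to the MX by an unseen host
    return flags

if __name__ == "__main__":
    print(compare(profile(GENUINE), profile(SUSPECT)))
```

Only the Received and Authentication-Results lines added by the receiving organisation's own servers can be trusted; anything lower in the chain is supplied by the sender and can be forged, so build the profile from the trusted lines.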

The above post is one of the most outstandingly helpful replies I've ever seen on AskMeFi.

Do what bfranklin says, and buy the man(?) a beer if you encounter him in the future.
posted by Sphinx at 7:02 AM on March 30, 2014 [1 favorite]

Yes, a pen test just tells you whether it's trivial to break into your networks or not. It won't tell you whether someone has done so already - you need a full forensic shakedown of your network to even begin to have a hope of doing that.

If I had to guess, I'd suggest that your entire industry has been compromised by a series of spear-phishing emails that have installed malware on the computers of the finance people in each company. Said malware is either exfiltrating emails as they are being written, or else has been used to keylog the passwords to email accounts which are then being accessed directly in order to copy the invoices shortly after they're sent. Guarding against this kind of attack requires constant vigilance - the occasional pen test won't cut it.
posted by pharm at 8:33 AM on March 30, 2014 [1 favorite]

This happened at my company as well. It was due to the fact that the companies we deal with in Asia used an email domain ( which apparently is kinda like a gmail address in China. Regardless of our IT security, it was their infrastructure being compromised, and we enforced double confirmations, email and fax, of all Invoice requests in addition to notifying the authorities in the US and Asia on each request until these companies could transfer to their own email domains.

Not sure if the problem country is the same for you, but apparently this is now a "thing" to watch out for.
posted by Debaser626 at 9:41 AM on March 30, 2014 [1 favorite]

Response by poster: "What do the email headers look like..."

Unfortunately, I have not been able to get all of these from the clients who alerted us. I was able to get a truncated version during the first attack on us that led to a nest of immediately shut down Amazon cloud servers.

" sound like you need a professional response firm to confirm that an attacker doesn't own your infrastructure."

Agreed, but then what falls out from that is that someone has root at multiple companies and is using that for identical attacks. I find this implausible given the highly disparate IT infrastructures of the six companies thus far identified.

That said, my company is proceeding as if the attacker has root. It's back to fax (although if they have root...) and courier for us for now. But that will cripple our cash flow in the long run.

Many thanks for the advice so far. As far as calling the feds, they are not going to be of much use stopping the attacks. This latter is not second hand supposition.
posted by Hosiery Exegesis Association at 11:59 AM on March 30, 2014

Can your clients start using email software capable of verifying PGP signatures? It may not help if the actual client end-user machine is compromised to the extent that the email verification can be subverted, but if the documents being passed can be signed that's a start to "did this document come from me?"
posted by straw at 12:18 PM on March 30, 2014

I was able to get a truncated version during the first attack on us that led to a nest of immediately shut down Amazon cloud servers.

That does sound like the problem is at your customers' end. I guess one workaround would be to set up a bunch of gmail or accounts for them to use and pass over the login credentials via FAX. That will only work if it's just their web-based email that's been owned; if they are on a compromised machine/network then they have bigger problems.
posted by Lanark at 1:59 PM on March 30, 2014

Email is inherently insecure - it could be being intercepted after it's left your systems. What do all of the companies have in common - geography? Use the same outbound email route?

Temporary fix: some kind of public key system, e.g. PGP to ensure that the documents can't be altered in the middle.

And, as bfranklin said, a pentest will never prove the absence of security problems - just reduce the likelihood.
posted by Ashlyth at 11:14 PM on March 30, 2014

I am not a security expert, and bfranklin's advice absolutely should be followed. However, I wonder why sensitive information is being entrusted to email, if it's a known vector for attack?

Presumably, your clients are repeat customers? When it's time to get paid, an email should go out that says "your latest statement is now available." They then log into your (professionally maintained secure) website to review the amount (and perhaps even pay it).

Obviously, they could be sent a spoof email with a link to a phishing site, but that is relatively easy to educate clients about ("never click on a link, go to and click on my account" or whatever).

Also, presumably your clients know what they ordered and what the expected invoice amount will be. If they are expecting to be billed for 10,000 widgets and instead see an invoice for 25,000 gadgets on the spoof site, they will be at least likely to call their rep and find out what's going on.

Of course, running a secure web server isn't for amateurs, but there are lots of expert companies who can do that part for you. I think you are ultimately fighting a losing battle if you're sending your sensitive information in plaintext.
posted by maxwelton at 2:17 AM on March 31, 2014

Hosiery: When you say that
The attacker intercepts an email with an invoice to a client to be paid in the near future.
do you mean that the original email never reaches the intended recipient, or is the original reaching the recipient but being followed up by an altered version shortly afterwards?

NB. I find it completely plausible that someone has root (or equivalent) at multiple companies in the same industry. You're all emailing pdf invoices to each other & Adobe Acrobat is notoriously full of security holes even if it is kept up to date. If I were of a criminal mindset, I'd send spoof invoices or query emails with malware-laden pdf attachments to the finance people in each company (probably easily discoverable via LinkedIn or even the company webpages). I bet the hit rate would be fairly high, especially if having compromised one individual I can use their account to a) discover other plausible targets and b) use all that information to send them plausibly crafted emails in turn.

If this approach was sufficiently lucrative then it would be justifiable to buy Acrobat 0-days on the black market, but I bet the hit rate would be fairly high just exploiting known security holes in old versions of Acrobat. According to Forbes, the cost of a 0-day for Acrobat back in 2012 was $5,000-$30,000. It seems likely that an organised criminal gang using this approach to penetrate many companies could easily justify that kind of investment. Plan accordingly.
posted by pharm at 4:29 AM on March 31, 2014

Response by poster: Pharm you asked:

...the original reaching the recipient but being followed up by an altered version shortly afterwards?

Yep that's the case.

Also, as fate would have it, one of the most well known attorneys in our industry published a paper in a high profile trade publication yesterday on exactly this problem. He didn't mention my company's situation, but he did mention some interesting variants on this same attack.

As you (and others) wrote, Pharm, this does appear to be an attack planned and targeted at our industry.

I've had some help from some very kind people, and I think my company is on our way to tightening up.
posted by Hosiery Exegesis Association at 12:17 AM on April 1, 2014

Even if you're totally secure, that doesn't mean that your partner firms are & a criminal gang can just as easily retrieve an invoice to spoof from the recipient as it can the sender.

Which in turn means tightening up the whole invoice delivering procedure, not just individual company networks. But I suspect you've worked that much out already!
posted by pharm at 3:18 AM on April 1, 2014
