
How Cybercriminals Profit by Tapping Your Email - StuntPope
https://easydns.com/blog/2019/11/20/how-cybercriminals-profit-by-tapping-your-email/
======
timtamsoup
I've accidentally executed this tactic on myself - no red flags were raised
and funds were received.

Being owed a sizable wire from a corporate entity, I requested payment to an
account via my personal email (<name>@<name>.co). As they were
validating/processing that, I opened up a new bank account that can receive
wires with no fees. I then sent them an email with the new information, and a
couple weeks later received the funds in my new bank account without any
friction. What no one brought up was the fact that the email with the new
information was from <name>@<name>.com, as I had transitioned from .co to .com
in the meantime. The attack vector highlighted in this article is definitely
under-guarded.

~~~
tehwebguy
So many in tech were speaking up about how bad of an idea it would be to add
.co when it was announced; a totally foreseeable problem.

~~~
tome
They were speaking up about adding a TLD for Colombia?

~~~
StuntPope
OP did: [https://easydns.com/blog/2014/03/28/the-new-tlds-are-here-em...](https://easydns.com/blog/2014/03/28/the-new-tlds-are-here-email-guru-holdings-blah-blah-blah/)

------
sowbug
Why not just use the approach that banks use? Rather than admit that you got
tricked, invent the concept of "identity theft" and blame the intended
recipient.

------
Nextgrid
This is why all my invoices and my first contact with my clients’ accountants
always make them aware of the problem and ask them to confirm any account
details changes out-of-band via another medium (Slack, phone, etc).

It won’t help if the attacker spoofs the first invoice but hopefully will
raise alarms if future invoices are spoofed and contain different bank
details. I guess it could also give me a legal argument that I’ve explicitly
made them aware of this risk and that they should’ve known better and that
they still owe me money and should pay again (as the first time they haven’t
actually paid _me_ but the attacker).

------
mlacks
Forwarded this to my boss because I’m not sure how to handle this. There are
many, maybe hundreds, of cash real estate transactions happening in my state
daily.

I think perhaps in the signature line of our email, we need to implore that
last-minute or unexpected changes to the original plan - especially involving
wire transfers - be verified over the phone.

~~~
btrettel
I wonder whether asking for verification over the phone would lead to SIM
swaps. Though faking someone's voice would be more difficult.

~~~
alexcnwy
Faking someone's voice isn't as difficult as you'd think:
[https://github.com/andabi/deep-voice-conversion](https://github.com/andabi/deep-voice-conversion)
[https://www.theverge.com/2019/9/5/20851248/deepfakes-ai-fake...](https://www.theverge.com/2019/9/5/20851248/deepfakes-ai-fake-audio-phone-calls-thieves-trick-companies-stealing-money)

------
joncp
Never ever wire money without second-channel verification of the destination
account. You can lose all of it with no recourse.

~~~
parliament32
Wires can be reversed in most circumstances, especially in cases of fraud,
although it's a bit painful and can take some time.

~~~
ksaj
Can you describe the process? As far as I've known, up until the moment the
transfer occurs, the bank can indeed reverse it if they are suspicious. But
the moment the other bank accepts the transfer, it is game over, and the
delivery is complete and permanent.

~~~
parliament32
The UCC[1] requires that wire transfers are reversible for 60 days, although
only in very special circumstances (only fraud and bank error basically). The
receiving (beneficiary's) bank is on the hook for collecting the money back
from them.

In cases other than fraud and bank error, the timeline and process depends.
Basically ask your bank really nicely, they'll ask the receiving bank really
nicely, and if everyone agrees with your reasons (and the money is still
there) you'll most likely get it back.

There has to be a way to reverse wires, otherwise if the teller fat-fingers an
extra zero onto the end of your requested amount you'd be SOL.

[1][https://en.wikipedia.org/wiki/Uniform_Commercial_Code](https://en.wikipedia.org/wiki/Uniform_Commercial_Code)

~~~
ksaj
Thanks for the description and the link. I recall being told bank criminals
typically used transfers because they couldn't be reversed once completed -
especially if the transfer went overseas. Maybe it came from an armchair
expert, or confusion over the old Swiss numbered accounts, and just became
"common knowledge" from there.

------
air7
How do the criminals handle the banking aspect? It's one thing to sit
somewhere and cyber-phish/attack someone through email. But they need a bank
account. In Canada. They then need to move 800k out quickly to another account
somewhere. At least some aspects of this had to be done in person, using some
kind of ID?

~~~
toxik
There are many ways to trick people into “washing” money for you — criminal
organizations that are sophisticated enough to spearphish on this level surely
are sophisticated enough to do that laundering too.

I’m convinced that a lot of the money is in fact reversed.

------
upofadown
> If you’re running a law firm, real estate agency, investment bank or any
> entity that routinely shuffles large chunks of funds around, you should have a
> mechanism in place that can detect lookalike domains as they become
> registered.

That's not the obvious technical solution and would not be very effective. The
most obvious technical solution would be to insist their customers sign any
emails that involve the movement of large sums of money.

------
_trampeltier
We talked today about such problems in the office. Why, for example, is it not
possible to allow VBA only inside the document, without access to other
files etc.?

Why do you have to accept "the document can do everything it wants" if you
want to print a PDF from Adobe Acrobat Reader or use fullscreen mode?

~~~
yjftsjthsd-h
So a permission system :) I approve, and indeed would like every
"executable" "thing" (JavaScript, CSS?, VBA, .exes, ELF binaries, Python, ...)
to have a fine-grained permission system similar to Android or iOS.

~~~
_trampeltier
Maybe yes, something like this. For example, I share an Excel document (with
VBA) with a very high-ranking person in our company. I could write anything in
there and it would be executed when he opens it with his account, which has
access to all this fancy information. I joke about this all the time.

I mean VBA by itself is not a problem, only if you start to do things outside of
the document.

I don't think it would even be hard to implement.

------
senectus1
I've witnessed someone else getting stung (well, pieced it together after she
realized).

My friend wasn't compromised but the person she was dealing with was.
Evidently they were reading the other guy's mail and when mention of invoicing
came up they made a fake email address that was almost the same as his
(swapped an l for a 1) and sent through new banking details.

The woman at this end didn't realize the email didn't come from who she
thought it did and sent a 10k payment directly into the thieves' bank account.

She was mortified afterwards.

------
onlyarant
From the article it is not very clear how the cybercriminals exactly pulled this
off (i.e. by simply changing the IBAN or also by changing the name of the
recipient of the transfer).

Isn't the banking system supposed to protect from this kind of stuff? I mean, is
it not the responsibility of banks to ensure that the recipient of the transfer is
indeed the one specified by the sender? Or should one consider a wrongly
placed banking transfer simply gone? The (non-)reversibility of transfers is
one of the main arguments against crypto-currencies, and yet this kind of
event seems to be happening with banks anyway.

My family runs a small-medium business and a couple of years back we were
victims of something very similar. I'm a professional penetration tester myself
(not to brag but I'm pretty sure my family company is pretty secure), anyway
as we were the victim here (the ones that were not paid in the process), there
was no way for us (me) to detect the issue (at the technical level) until
it was too late. What happened is that one of our customers got their email
compromised, and attackers were literally man-in-the-middling all of their
emails. When they detected some bills and payment requests from us, they
simply forwarded them back to our customers using a freshly registered domain
name that looked a lot like ours. In the process they did alter the
attachment, to change indeed the IBAN.

To keep it short, when we realized that something was wrong it was too late,
and banks even refused to pay our customer back.

We did report the event to the authorities, however to this day we did not
hear anything back :)

TL;DR Attackers compromised some customers' emails, altering the IBAN in the
attachments in the process. The customer did pay the attackers instead of the
legitimate company, and the bank could not undo things. Is sending money to a
wrong IBAN the same as sending it to a wrong wallet address for crypto-
currencies? Not a big fan myself, but if there are no guarantees we might as
well do the switch.

Only a rant

