Email phishing attempt against one of our vendors was successful ...
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
My question is how likely was this caused by a breach on our network?
No indication whatsoever that it is related to you.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Anything in particular that I should be checking?
Nope. There's not the slightest indication of any breach on either side. No reason to suspect a breach in any way.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
I see that either side could be infected.
Sure, either side, or both, COULD be infected. But there's absolutely nothing in the situation to suggest that that is the case. They had to resort to phishing because there was no infection.
It's like finding your window broken with a brick and then wondering if that means that they picked your door lock. Can you pick a door lock and then throw a brick through the window to be a jerk? Sure. But finding a brick thrown through a window gives you no reason to suspect that the door was picked.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
But I'm sure there are many more options too.
Could just be fortuitous timing.
-
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
But I'm sure there are many more options too.
Could just be fortuitous timing.
Could be, but I doubt it.
-
I think you should get an infosec dude that can investigate it asap.
I think the vendor's O365 account has been breached. Could be something simple as having used the same password somewhere else.
-
@Pete-S said in Email phishing attempt against one of our vendors was successful ...:
I think you should get an infosec dude that can investigate it asap.
I think the vendor's O365 account has been breached. Could be something simple as having used the same password somewhere else.
Most likely thing is just a single user, not the org. We see users get hacked regularly.
-
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
But I'm sure there are many more options too.
Could just be fortuitous timing.
Could be, but I doubt it.
I agree, this seems way too close in timing to just be fortuitous.
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.
What makes me also think it was a directed phish attack on your vendor is that you say the vendor received an e-mail regarding another ACH account number on the same day, but you didn't say the message had any indication it was a follow-up or correction to the earlier message.
I would say your vendor fell victim to a phishing scam that used your company info. They used your company info because at some point an e-mail address book was compromised at your vendor.
Remember, these phishers are very smart; their written English is poor (but getting better), but they can extrapolate a lot of correct information just from an address book, like who the vendors are and who the finance people are.
There is a chance the compromise was at your end, but more likely at the vendor.
-
@JasGot said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
Subsequently and on the same day, the vendor received another email that he thought was from one of our accountants directing him to ACH to a different (bogus) account.
What makes me also think it was a directed phish attack on your vendor is that you say the vendor received an e-mail regarding another ACH account number on the same day, but you didn't say the message had any indication it was a follow-up or correction to the earlier message.
Thanks everyone for the feedback. It does appear it was on the vendor end but it was a more sophisticated attack that did involve us being fooled as well even though the target was our vendor. From our investigation this is what we believe actually happened:
- Vendor owed us and was going to pay by ACH and requested details. These details were sent to him by our head of finance in an encrypted email which the vendor did receive.
- The attacker then spoofed our accounting team by sending us a phishing email that appeared to come from the vendor (the domain name used against us left an "s" off of the end of the domain name, thus appeared valid to our accounting team) stating that he had not received the ACH info (which the vendor had, this was the attacker phishing us). One of our accountants responded (to the wrong domain) once again giving the correct ACH details.
- At this point the attacker had all he needed to spoof an email that appeared to come from the accountant that had responded to him. The attacker used that info to send a phishing attack email to the vendor which appeared to come from our accountant but using the wrong domain name and contained the attacker's ACH info.
- Vendor was fooled by this email and sent payment to the wrong account.
- Vendor ignored (for some reason, don't know why) the fact that when he went to ACH the money the company name appearing on his bank portal as the destination for the payment was not our company name.
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
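As an added illustration of the look-alike domain pattern described in this post (this is not code from the thread or from any poster), the Python below triages a message's From and Reply-To headers and flags a domain that is one edit away from a trusted counterparty domain, which is exactly how a domain with the trailing "s" dropped would be caught. The domain names and sample messages are constructed placeholders, and TRUSTED_DOMAINS is an assumed allow-list of the counterparties you exchange payment details with.

```python
import re
from typing import Optional

# Assumed allow-list of counterparties you actually exchange payment details with.
# These domain names are constructed placeholders, not the domains from the thread.
TRUSTED_DOMAINS = {"examplevendors.com", "ourcompany.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); a distance of 1 is a typical look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Pull the domain out of a From:/Reply-To: value such as 'Jane <jane@host.tld>'."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def nearest_trusted(domain: str, max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    best = None
    for trusted in TRUSTED_DOMAINS:
        d = levenshtein(domain, trusted)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, trusted)
    return best[1] if best else None


def classify(from_header: str, reply_to: Optional[str] = None) -> dict:
    """Triage one message's addressing headers.

    verdict is one of:
      'trusted'           From domain is on the allow-list and Reply-To (if any) agrees
      'lookalike'         From or Reply-To domain is one edit away from a trusted domain
      'reply_to_mismatch' From is trusted but replies are diverted to another domain
      'unknown'           no relation to the allow-list; normal handling applies
    """
    frm = sender_domain(from_header)
    result = {"from": frm}
    imitated = nearest_trusted(frm)
    if imitated:
        return {"verdict": "lookalike", "imitates": imitated, **result}
    if reply_to:
        rt = sender_domain(reply_to)
        result["reply_to"] = rt
        imitated = nearest_trusted(rt)
        if imitated:
            return {"verdict": "lookalike", "imitates": imitated, **result}
        if frm in TRUSTED_DOMAINS and rt != frm:
            return {"verdict": "reply_to_mismatch", **result}
    if frm in TRUSTED_DOMAINS:
        return {"verdict": "trusted", **result}
    return {"verdict": "unknown", **result}


# Constructed sample headers; the first mirrors the "one letter dropped" pattern from the post.
SAMPLE_MESSAGES = [
    {"From": "AP Clerk <ap@examplevendor.com>"},
    {"From": "AP Clerk <ap@examplevendors.com>"},
    {"From": "AP Clerk <ap@examplevendors.com>", "Reply-To": "ap@examplevendor.com"},
    {"From": "newsletter@unrelated.test"},
]


def triage_all(messages):
    """Run classify() over a batch of header dicts and return the verdicts in order."""
    return [classify(m["From"], m.get("Reply-To")) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(f"{msg['From']:45} -> {verdict['verdict']} {verdict.get('imitates', '')}")
```

A 'lookalike' or 'reply_to_mismatch' verdict on any message that mentions payment details is the cue to confirm the change out of band, by phone to a number already on file, before anything is sent. Subdomains of a trusted domain (for example mail under it) come back as 'unknown' here rather than 'trusted'; extend the allow-list or add a suffix check if your counterparties send from subdomains.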
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
Wow! Good work. That's a dedicated scammer. What was his payday? If you don't mind making the story more fun...
-
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
-
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
-
- Don't give the vendor any details about your IT infrastructure; it is their problem, not yours. Give them minor details that make sense and are relevant to the investigation, but certainly don't reveal any infrastructure to them.
- This is most certainly an insider attack or a compromised account. In either situation, you have to assume they haven't resolved it yet. Hopefully it's a compromised account, which is more easily fixed, but if it's an insider they may be hard to detect.
-
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
-
@IRJ said in Email phishing attempt against one of our vendors was successful ...:
This is most certainly an insider attack or a compromised account.
Every chance that this was an insider, especially if the person encrypted the mail rather than using an encryption service.
-
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
True, but knowing users.... they probably decrypted it and sent it to another employee as plain text!
-
@JasGot said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
One other detail is that both of the spoofed domains that were used in the attack were registered through Google on the same day approximately 4 weeks ago, which would suggest they were anticipating being able to use us and the vendor in a coordinated attack.
Wow! Good work. That's a dedicated scammer. What was his payday? If you don't mind making the story more fun...
Enough to sting but not crippling to us or the vendor involved.
-
@IRJ said in Email phishing attempt against one of our vendors was successful ...:
- Don't give the vendor any details about your IT infrastructure; it is their problem, not yours. Give them minor details that make sense and are relevant to the investigation, but certainly don't reveal any infrastructure to them.
We haven't and they haven't asked. They don't seem to have any internal IT resources and are flying blind a little I think.
- This is most certainly an insider attack or a compromised account. In either situation, you have to assume they haven't resolved it yet. Hopefully it's a compromised account, which is more easily fixed, but if it's an insider they may be hard to detect.
Are you saying a compromised account or insider at our vendor or do you think it points to a compromised account/insider on our side?
-
@scottalanmiller said in Email phishing attempt against one of our vendors was successful ...:
@JaredBusch said in Email phishing attempt against one of our vendors was successful ...:
@Dashrender said in Email phishing attempt against one of our vendors was successful ...:
@BraswellJay said in Email phishing attempt against one of our vendors was successful ...:
ame appearing on his bank portal as the destination for the payment was not our company name.
Wow - so a failing on both sides, and likely no actual hacking at all.
Umm, no. The vendor has a compromised email account that was being monitored for keywords.
If they let the email system do the encryption (not end to end) then maybe. But if they were truly encrypting the email end to end, getting into the email system would not provide that info.
The email system did do the encryption. We use Office 365 and a handful of users who need it have encryption capability by sending an email with the word "Encrypt" in the subject and the Office 365 system will do the encryption from there. The initial email in the chain of events that we sent to the vendor said to the effect of "click here to get your encrypted document"