DarkTower President Robin Pugh was chatting with a friend
who is the VP of Operations for her family business. She mentioned as an aside that their email
had been hacked, and of course, Robin’s cybercrime-fighter ears perked up. The friend went on to explain that one of her
clients, a global Fortune 500 company, had called her to confirm emailed
instructions, purportedly from her company, to start making payments into a different bank
account. Those instructions were not legitimate.
The screenshot below shows part of an email thread between
her customer and the criminal using the compromised account. What you cannot tell due to the redactions is
that a cybercriminal had control of an account at the company and used it to message all
customers with new remittance instructions. When the customer replied by email to
confirm that the instructions were legitimate, the criminal, still reading and answering from the
compromised account, assured the customer that they were correct.
However, the customer noticed spelling and grammar
discrepancies in the response and finally called the vendor to confirm. Once alerted to the email compromise, the VP
immediately changed the password to secure the email account. That is certainly a "Best Practice" when responding to a phishing incident, but it is only the first step.
Having spent time listening to Gary and Heather talk so much about Business Email Compromise, Robin knew to advise her friend to check one
more thing: forwarding rules in the email client.
After navigating in the email client to the
Rules section, the VP found that a rule had been created to forward any
message mentioning the words "wire instructions," "wire transfer," "funds
transfer," "payment," or "invoice" to the address blessingalways823 at gmail
dot com:
"If the message includes specific words in the subject or body 'wire instructions' or 'wire transfer' or 'funds transfer' or 'payment' or 'invoice'; forward the message to blessingalways823 at gmail.com."
Even though Robin's friend had already changed the email
account password, the rule lived on the mail server and kept running under the new credentials, so the criminals continued to receive a copy of every
message that mattered to them without ever logging in again.
The next steps were to disable and delete the rule, have IT
check every other mailbox in the email domain for malicious forwarding rules, and then
begin the process of notifying clients.
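The "check every other mailbox" step above, and lesson 3 at the end of this post, are easiest to do against an export of each mailbox's rules rather than by clicking through each account. The script below is an added example, not DarkTower's code or anything from the incident: it assumes the rules have already been exported (for instance from Exchange Online's Get-InboxRule or an IMAP/Sieve dump) into records with the fields shown, and the field names, the organisation domain familybiz.example and the sample rules are all constructed for the illustration. The rule that mirrors the one found in this incident is included so the reader can see what a hit looks like.

```python
"""Audit exported mailbox inbox rules for BEC-style forwarding.

Added example (not DarkTower's code). Assumes rules were exported into
records with the fields below; field names, domain and samples are constructed.
"""
from dataclasses import dataclass, field

# Words attackers put in rule conditions so that only payment-related mail is
# siphoned off: the five from the incident above plus common variants.
BEC_KEYWORDS = {
    "wire instructions", "wire transfer", "fund transfer", "funds transfer",
    "payment", "invoice", "remittance", "ach", "bank", "swift", "iban",
}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    subject_or_body_contains: list[str] = field(default_factory=list)
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False


def is_external(address: str, org_domains: set[str]) -> bool:
    """True if the address's domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in org_domains}


def audit_rule(rule: InboxRule, org_domains: set[str]) -> list[str]:
    """Return human-readable findings for one rule; empty list means clean."""
    findings: list[str] = []
    targets = rule.forward_to + rule.redirect_to
    external = [a for a in targets if is_external(a, org_domains)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    hits = {kw for kw in rule.subject_or_body_contains if kw.lower() in BEC_KEYWORDS}
    if hits and targets:
        findings.append("filters on payment keywords: " + ", ".join(sorted(hits)))
    if targets and (rule.delete_message or rule.mark_as_read):
        findings.append("hides forwarded mail from the owner (delete or mark-as-read)")
    # Heuristic: attackers often give rules an empty or single-character name
    # (".", ",", " ") so they are easy to overlook in the rules list.
    if targets and not any(ch.isalnum() for ch in rule.name):
        findings.append(f"suspicious rule name {rule.name!r}")
    return findings


def audit_mailboxes(rules: list[InboxRule], org_domains: set[str]) -> dict[str, list[tuple[str, list[str]]]]:
    """Map mailbox -> [(rule name, findings)] for every rule with at least one finding.
    Disabled rules are reported too: a disabled rule can be re-enabled later."""
    report: dict[str, list[tuple[str, list[str]]]] = {}
    for rule in rules:
        found = audit_rule(rule, org_domains)
        if found:
            report.setdefault(rule.mailbox, []).append((rule.name, found))
    return report


# Constructed sample export. The first rule mirrors the one found in the incident.
ORG_DOMAINS = {"familybiz.example"}
SAMPLE_RULES = [
    InboxRule("vp@familybiz.example", ".", True,
              ["wire instructions", "wire transfer", "funds transfer", "payment", "invoice"],
              forward_to=["blessingalways823@gmail.com"]),
    InboxRule("ar@familybiz.example", "Backup while on leave", True,
              forward_to=["ops@familybiz.example"]),
    InboxRule("ar@familybiz.example", "File invoices", True,
              ["invoice"]),  # moves to a folder; no forwarding, so not flagged
    InboxRule("ops@familybiz.example", "Personal copy", False,
              forward_to=["ops.personal@gmail.com"], mark_as_read=True),
]

if __name__ == "__main__":
    for mailbox, hits in audit_mailboxes(SAMPLE_RULES, ORG_DOMAINS).items():
        for name, findings in hits:
            print(f"{mailbox}: rule {name!r}")
            for f in findings:
                print("    - " + f)
```

Any rule that forwards or redirects outside the organisation is reported, whether or not it also filters on keywords, because a "copy everything to my personal account" rule is just as useful to an attacker. Run the audit on a fresh export of every mailbox, not just the one known to be compromised, and repeat it periodically rather than once.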
A DarkTower investigation revealed that the Gmail account
was used to register the domain name alpan.us on 9/13/18. The
registration details give the name and address Anthony L. Ania, 34501
Southside Park Dr, Solon, OH, 44139, phone 813-856-5005, and fax
650-253-0000. The domain has never hosted a
website and was probably used to impersonate an executive of Alpan Lighting
Products, a company in California that uses the domain name alpan.com. The address in Ohio may belong to a Cleveland
attorney who has suffered identity theft, but there are at least three Nigerian
profiles on Facebook using the same name, and the Google account password
recovery process reveals that a phone number ending in 05 is tied to the Gmail
account.
The criminal’s Gmail account was also seen on two boat sales
websites, sailboatlistings dot com and powerboatlistings dot com,
in lists of suspicious email addresses.
Lessons Learned:
1) Simply changing the password did not secure the
account; the forwarding rule the attacker left behind survived the change.
2) Never confirm a suspicious email by replying to it; if the account is compromised, the attacker is the one who answers. Verify through an independent channel, such as a phone number you already have on file.
3) Regularly check the rules in every email account in your domain, not just the one you know was compromised.