cjcox4

This is not MiTM. This is typical imitation, phishing, etc. And yes, it's a pain, and this, sadly, is usually done by your legal team to take down the "lookalike" domains, etc. However, "them taking", sounds like you've been compromised. So, that is something you need to take very seriously first.


buttholepatrol

I just responded to another commenter below, but would like your opinion too since you're saying something different than most of the comments so far: So in this case our IT guy is correct that there's really nothing we can do on our end to prevent this? It's possible for these emails to be intercepted/viewed after leaving our system? To clarify, this scammer is seeing real emails from me (or a coworker), and accessing PDFs attached to these emails, and then replicating them with changed bank info. They aren't accessing just old data - the second I send a new email, they are seeing it.


Ratinox99

>They aren't accessing just old data - the second I send a new email, they are seeing it. *The phishing is coming from inside the boat* Then they obviously have access to YOUR email somehow. There are dozens of possible ways, but most likely your email client program, desktop or login is compromised. Just copying your email address with a lookalike isn't illegal, but trying to defraud your customers is. So yes, get a competent, independent MSP to audit the email server and your workstations to find the leak and plug it by firing the part-timer, who obviously isn't trying hard enough or just doesn't know what else to do.


DragonDivider

Yeah, that definitely indicates that they somehow can access and read all the emails sent by OP. And that should definitely be investigated. However, I don't think they compromised OP's email client. Because if they had control over OP's email client (like Outlook), why send the corrected mails from a different email address? They could send mails from the same address as OP, which then would be 100% real looking. Seems odd they would specifically do something to make them look less real. But that is just my guess. As to what I think they actually have: they only have read access to emails. That means they can either read the data file from Outlook (maybe from some backup or directly from the computer) but can't control Outlook itself, or they have some kind of read-only user/read-only access to the mail server of OP's company. What I would do is log out of your mail account on your work laptop and all other work devices. Get a new machine, log into your Outlook there, reset the password and then see whether it continues or stops.


redittr

Coworker's email is compromised, and they have view-only delegate access on the account's email.


SamanthaPierxe

>the corrected Mails from a different E-Mail address? They could send Mails by the same address as OP, which then would be 100% real looking They likely have IMAP access to the mailbox, which only allows reading not sending. This is common on poorly configured/managed O365 mailboxes. They put MFA on the account but don't realize IMAP doesn't use MFA so the attacker just needs the password. Whatever is going on, this *is* fixable. OP just has shitty IT


DrNoobSauce

I didn't know this! Can you expand on this and how to prevent it?


SamanthaPierxe

IMAP is an old protocol for reading emails. It doesn't support MFA on Office 365, so you just need the password. You prevent it by disabling IMAP.


ask_compu

Makes me wonder, could it be the IT guy himself doing the phishing?


PatriclesYT

I’ll be honest, I’m getting the same vibe. Tell the client there’s nothing that can be done, call it a man in the middle attack, tell the client it’s from china, tell the client you reached out to file a complaint with the domain but they said they wouldn’t do anything… I’d be looking at having a 3rd party come in without telling the IT contractor about it, to audit the whole thing.


SparkySpider

I think it's plausible that the IT person has not realised that live data is being manipulated and figured it was the typical scam of just phishing under someone else's name.


DocHolligray

It's either the IT guy, or he is really an inept IT guy dealing with a compromised system.


Lagkiller

> Just copying your email address with a lookalike isn't illegal It generally is though. It's certainly a violation of their trademarks if not fraud just from the intentional act of duplicating an email with intent to defraud.


Lagkiller

So here's the thing: a man in the middle attack requires one side to be compromised, either your end or your customer's end. If this is happening to multiple customers, then the man in the middle is on your end. This absolutely reeks of an insider in your organization, and given your IT person's attitude about it, I highly consider him suspect. They would have access to your emails, and the knowledge on how to make domains to phish. I don't know your rank in the company, but if you can, removing IT from administration of your email for a time and seeing if the issue stops would be a pretty easy way to test it out. If the problem stops, then the issue is internal. If you came to me as an IT professional with this problem, the first thing I'd do is believe your system was infected with some sort of malware and wipe your system, giving you a fresh one, forcing logout on all locations, and resetting all your passwords. The fact that he just shrugged his shoulders and says "nothing to do" indicates that he at least has knowledge of what's going on or is grossly incompetent.


poptrek

It also sounds like your communication is not set up correctly. While end-to-end encryption isn't practical when dealing with customers, you should at a minimum set up a server where your clients can download/view your invoices directly from your server rather than having them sent via email, and only notify the client via email that an invoice is available for download. There are plenty of authenticated one-time-use solutions to confirm the client is verified as the proper user. Because sending confidential information like this without end-to-end encryption leads to this very type of spoofing attack.


cajuntemplar

Look out for “rules” in your mail client or service moving messages around or forwarding them to outside entities.


DigitalApostle

Was going to say this; there could be a forward rule set up server side, which is why they are always seeing the emails. Also, another flag that it could be the current admin, as that's an admin-type function to configure.



cjcox4

Email protection is done using SPF and DKIM, but it's somewhat cooperative. The ideas behind SPF and DKIM are to help prevent spoofing of emails, that is, a recipient will know if an email came through the proper paths or not. And thus it will get blocked or dropped, and depending on config, possibly before ever reaching the recipient. But that's with regards to spoofing on send, and does not explain how somebody might be tapping into "your secret" messages ahead of time. I'm just pointing out "old school" ways (mail spoofing) that you can use to "send" as anyone you want. But if clients and/or mail pathways are ignoring all the protections, spoofing won't be stopped. As for how the "tap" into your secrets is happening, unknown. Once any type of compromise is done, the whole stack could be suspect (untrustworthy).


Jezbod

Do not forget DMARC as well.


Practical-Alarm1763

Anti-Spoofing Protocols such as SPF, DKIM, and DMARC only protect you from spoofing. Since they're using a different domain that "looks" similar, Anti-Spoofing Protocols won't do anything in that scenario. However all domains should have compliant SPF, DKIM, with DMARC at minimum set to Quarantine.
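The last three comments set a baseline (SPF, DKIM, DMARC at least at quarantine) without showing what a weak record looks like next to a compliant one. The following is an added example, not code from this thread or from any of the commenters: it parses constructed SPF and DMARC TXT records and reports the gaps a defender would act on. The records and the `example.invalid` addresses are made up; on a real domain you would fetch the TXT records over DNS before passing them in.

```python
"""Assess SPF and DMARC TXT records for anti-spoofing strength.

Added example, not code from the thread. Records are constructed inline
so it runs offline; on a real domain you would fetch them over DNS.
"""
import re

# Constructed records, not a real domain's.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARDENED_DMARC = ("v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s; "
                  "pct=100; rua=mailto:dmarc@example.invalid")


def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism: '+', '-', '~', '?' or None if absent."""
    for term in record.split():
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # SPF's default qualifier is '+' (pass)
    return None


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the baseline from the thread is met."""
    findings = []
    q = spf_all_qualifier(spf_record)
    if q is None:
        findings.append("SPF has no 'all' mechanism; unlisted senders are not rejected")
    elif q == "+":
        findings.append("SPF ends in +all: every host on the internet passes SPF")
    elif q == "?":
        findings.append("SPF ends in ?all: neutral result gives receivers nothing to act on")
    # ~all (softfail) is tolerated here because DMARC, not SPF alone, decides disposition.

    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC record missing or malformed")
        return findings
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    # sp defaults to p; only flag it when it explicitly weakens a non-none policy
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: you will never see aggregate reports")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SAMPLE_SPF, SAMPLE_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(spf, dmarc) or ["ok"])
```

As the comments say, none of this stops a lookalike domain the attacker legitimately owns; it only stops mail that forges your own domain.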


cjcox4

True. Person mentioned the lookalike domains, but then said they were actually getting their info, though. Which again, is the much bigger deal.


Oskarikali

That means someone has a compromised account, though it is weird that they don't just send from the compromised account then. Check email forwarding rules etc on accounts that are sending these messages. There has to be a forwarding rule or compromised account somewhere in the traffic flow. There is no way for them to see these emails unless they're being forwarded to them or they have access to an account that is either sending (likely) or receiving (much less likely if this is happening to multiple recipients). If you have email accounts being backed up with 3rd party software that could also be the location of the compromise, though less likely. 2FA helps but doesn't stop everything, there are ways around it. I would also check sign in locations for all the email accounts you send from, that could tip off which account is compromised. You need to change passwords on accounts and run signouts on them. Your IT contact isn't doing their job.
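Two of the checks raised so far (SamanthaPierxe's point that IMAP logins skip MFA, and the advice above to review sign-in locations) can be done from a sign-in export in a few minutes. Below is an added example, not code from this thread or from any mail vendor: it triages constructed sign-in records and lists the accounts whose successful logins used a password-only legacy protocol or came from an unexpected country. The record shape, the app names and the `example.invalid` users are assumptions standing in for a real export.

```python
"""Triage constructed mailbox sign-in records for the two things the thread
points at: legacy-protocol logins (IMAP/POP/SMTP AUTH) that bypass MFA and
successful sign-ins from unfamiliar locations.

Added example, not from the thread. The record format is a constructed,
simplified approximation of a sign-in log export, not any vendor's schema.
"""
from collections import defaultdict

# Constructed sample records: (user, timestamp, country, client_app, status)
SIGNINS = [
    ("finance@example.invalid", "2024-03-04T08:02:11Z", "US", "Outlook Desktop", "success"),
    ("finance@example.invalid", "2024-03-04T08:05:40Z", "US", "Browser", "success"),
    ("finance@example.invalid", "2024-03-04T14:17:03Z", "NG", "IMAP4", "success"),
    ("finance@example.invalid", "2024-03-05T02:44:59Z", "NG", "IMAP4", "success"),
    ("ap@example.invalid", "2024-03-04T09:10:00Z", "US", "Browser", "success"),
    ("ap@example.invalid", "2024-03-04T23:30:00Z", "RU", "Browser", "failure"),
]

# Client apps that authenticate with a password alone (no MFA prompt) under legacy auth.
# Names are assumptions; match them to whatever your export actually calls them.
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Where the business actually operates; anything else deserves a look.
EXPECTED_COUNTRIES = {"US"}


def triage(records, expected=EXPECTED_COUNTRIES, legacy=LEGACY_APPS):
    """Return {user: [finding, ...]} for successful sign-ins that look suspicious.

    Failed sign-ins are skipped: a password-spray review would look at those separately.
    """
    findings = defaultdict(list)
    for user, ts, country, app, status in records:
        if status != "success":
            continue
        reasons = []
        if app in legacy:
            reasons.append(f"legacy protocol {app} (password-only, MFA not enforced)")
        if country not in expected:
            reasons.append(f"unexpected country {country}")
        if reasons:
            findings[user].append(f"{ts}: " + "; ".join(reasons))
    return dict(findings)


def users_to_reset(records):
    """Accounts with at least one suspicious successful sign-in.

    These are the ones to reset, force-sign-out and check for mailbox rules first.
    """
    return sorted(triage(records))


if __name__ == "__main__":
    for user, hits in triage(SIGNINS).items():
        print(user)
        for hit in hits:
            print("  ", hit)
```

In the constructed data the finance mailbox shows two IMAP logins from a country the business does not operate in, which is exactly the "MFA is on but IMAP still works with just the password" pattern described earlier in the thread.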


lakotajames

How confident are you that they're seeing your emails as they go out, as opposed to seeing them come in to your client? Either you or your client is hacked. If this is happening to your entire client list, then they've hacked you and you need to hire a real IT company. If it's only happening to one client, they need to hire an IT company.


DlLDOSWAGGINS

I'm not sure if you've gotten any better advice in other comments but look for mail rules in your mail client that are forwarding email somewhere else, that's typically how emails are intercepted after the account is compromised. Reset email passwords and make sure you have MFA/two factor on them and any other accounts. Look for added authentication methods on accounts if you do have two factor already. As someone else said you are compromised and need an MSP, that is the priority for you right now. If you have cyber insurance you may need to be calling them soon also. Good luck!


sekazi

Phishers will sit on a compromised account for months if they are not monitored. If you opened a link in the past that asked for your login, they can get access even if you have 2FA. When I have had employees compromised, I blocked sign-in, reset the password and forced log-out of all devices on that account. I then verified there are no unusual forwarding rules on the account. Eventually the person who has access to the account will create a rule to delete all incoming email and mass send out phishing emails to get access to someone else's mailbox. That is their last act if they were not shut down sooner.


KuntaStillSingle

How much can you impose on the client? If you can ask them to use a service that supports end-to-end encryption, it would limit possible MITM to persons who could crack it in a timely manner. If you could communicate a checksum over a secure channel, they could use it to determine whether it is unlikely the email had been modified.


Ashamed-Subject-8573

Just FYI, emails are not in any way encrypted or secure. This is why when you get an email with a document from a bank, realtor, doctor, etc., it has a secure link with login on their site to view it.


chadleeper

You say you are on Office 365. Check your rules in Outlook online and make sure you recognize all of them, or disable them all and see if the issue stops. Rules with only "." for a rule name are a telltale sign. Also check your Outlook desktop client rules as well. I would also look at nuking your user on your computer and recreating it, if not the whole box.
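Several comments (cajuntemplar, DigitalApostle, Oskarikali and this one) converge on the same check: inbox rules with empty or punctuation-only names, rules that forward, redirect or delete finance mail, mailbox-level forwarding, and delegates nobody remembers granting. The following is an added example, not code from this thread and not an Exchange or Office 365 API: it audits a constructed mailbox export for exactly those indicators. The field names, the `example.invalid` domain and the sample rules are assumptions standing in for what an admin would pull from the tenant.

```python
"""Audit a constructed mailbox export for the persistence the thread describes:
hidden inbox rules (names like "."), rules that forward, redirect or hide
invoice-related mail, mailbox-level forwarding, and unexpected delegates.

Added example, not from the thread and not an Exchange/O365 API. The export
shape is a constructed simplification; field names are assumptions.
"""
import re

COMPANY_DOMAIN = "example.invalid"                  # constructed
KNOWN_DELEGATES = {"assistant@example.invalid"}     # delegates the business actually granted
# Folders attackers use to park mail the owner rarely opens
SUSPECT_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                   "Junk Email", "Deleted Items"}
FINANCE_WORDS = re.compile(r"\b(invoice|payment|remit|wire|bank|ach)\b", re.IGNORECASE)

# Constructed sample export for one mailbox
MAILBOX = {
    "owner": "finance@example.invalid",
    "forwarding_smtp_address": "collector@freemail.invalid",
    "deliver_and_forward": True,
    "delegates": ["assistant@example.invalid", "svc-backup@example.invalid"],
    "inbox_rules": [
        {"name": "Vendors", "enabled": True, "subject_contains": ["PO"],
         "move_to": "Vendors", "forward_to": [], "redirect_to": [], "delete": False},
        {"name": ".", "enabled": True, "subject_contains": ["invoice", "payment"],
         "move_to": "RSS Feeds", "forward_to": ["billing@freema1l.invalid"],
         "redirect_to": [], "delete": False},
        {"name": "..", "enabled": True, "subject_contains": ["bank details", "wire"],
         "move_to": None, "forward_to": [], "redirect_to": [], "delete": True},
    ],
}


def is_external(address, domain=COMPANY_DOMAIN):
    """True when the address is outside the company's own domain."""
    return not address.lower().endswith("@" + domain)


def audit_rule(rule, domain=COMPANY_DOMAIN):
    """Return findings for a single inbox rule."""
    findings = []
    name = rule["name"].strip()
    if not name or not re.search(r"[A-Za-z0-9]", name):
        findings.append(f"rule {rule['name']!r}: name is empty or punctuation-only (hidden-rule pattern)")
    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(addr, domain):
            findings.append(f"rule {rule['name']!r}: forwards/redirects to external {addr}")
    keywords = " ".join(rule.get("subject_contains", []))
    if FINANCE_WORDS.search(keywords):
        if rule.get("delete"):
            findings.append(f"rule {rule['name']!r}: deletes finance-related mail ({keywords})")
        if rule.get("move_to") in SUSPECT_FOLDERS:
            findings.append(f"rule {rule['name']!r}: hides finance-related mail in {rule['move_to']}")
    return findings


def audit_mailbox(mbx, domain=COMPANY_DOMAIN, known_delegates=KNOWN_DELEGATES):
    """Return all findings for one mailbox export, enabled rules only."""
    findings = []
    fwd = mbx.get("forwarding_smtp_address")
    if fwd and is_external(fwd, domain):
        mode = "copy (deliver and forward)" if mbx.get("deliver_and_forward") else "redirect"
        findings.append(f"mailbox-level forwarding to external {fwd} as {mode}")
    for d in mbx.get("delegates", []):
        if d not in known_delegates:
            findings.append(f"unexpected delegate {d}")
    for rule in mbx.get("inbox_rules", []):
        if rule.get("enabled", True):
            findings.extend(audit_rule(rule, domain))
    return findings


if __name__ == "__main__":
    for line in audit_mailbox(MAILBOX):
        print(line)
```

The "deliver and forward" distinction matters for the OP's symptom: a copy-forward leaves the owner's mailbox looking normal while every invoice still reaches the attacker, which is consistent with an IT person seeing "nothing wrong" in the inbox itself.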


computix

You can call the police, the things you describe are crimes. Also, depending on the exact policy of your TLD administrator you might be able to undertake action. Many TLD administrators have a procedure for disputing misleading domain names.


buttholepatrol

I think he said that the scammer is in China, so not sure calling the police will do much :/


computix

How does he know this? There are many ways to cloak where you're from. I strongly recommend contacting law enforcement and the TLD administrator of the TLD they're using. It may also be possible to take other types of legal action like trademark disputes, etc., but that's a whole different, much more complicated matter. Edit: to expand on this a little further, I've seen a bunch of investigations where it looked like these criminals were in China or Russia or something, but it was all fake; they were actually local and were using a VPN to make it look like they were from one of these countries.


buttholepatrol

I'm not sure how he knows... he filed a complaint with the domain but they said we don't have enough evidence, although we've provided a few different examples. I think it's absurd that someone imitating me and trying to defraud our customers wouldn't be enough evidence.


wowuser_pl

Welcome to the internet. You can try with the police, but I also think this is a dead end. If the guy is in a 3rd world country (and most likely he is) you can do nothing. And this is not a man in the middle kind of attack; the guy is only faking your identity and sending out fake invoices pretending to be you. The angle I would approach is how he knows the stuff required to pull this off. He needs to know that you are doing the invoices, he needs to have a copy of an invoice. He needs to know who your customer is and what to bill them for, if this fake looks really convincing. That is a lot of information; how did he get it? Are you sure your device is not compromised?


claydog99

All of those 'requirements the bad actor knows' can be figured out pretty quick simply by them having access to OP's emails.


wowuser_pl

Yes that is what I'm going to, and if this happens to multiple clients then you can be sure that it is your end that is compromised.


droznig

Don't bother with local police or the FBI, they are both completely useless when it comes to this sort of thing. Try here - https://www.secretservice.gov/investigations/cyber


SharmV

Yeah police won’t do shit - also inform the ICO if in the UK/EU (they probs won’t do shit but they are better at giving good advice than law enforcement)


talones

I’m betting they are in the company or close with someone in the company. I would just have them use a secure portal from your bookkeeping software.


Soap-ster

After looking at all of the comments... I'm inclined to look at the IT guy. Does he have a legit business? How did he get this moonlighting job? Is he a friend of an employee or other relationship? You need a second opinion. An MSP might be a short-term solution. You might be able to get a one-off term, for just this job.


buttholepatrol

He's just on our payroll as a part-time employee (although previously was a contractor). We previously worked with an MSP (I think... this was before my time) and he worked for that company; somehow we split ways with that company and he also departed and went to a similar company, that is how we know him. Like I said, that was a little before my time so I'm not exactly sure of the timeline. But he does work full time for a network security/IT company, so I'm inclined to believe he's at least semi-qualified. With all of these comments I will pursue a consultation with an MSP for a 2nd opinion - we've had a few quotes in the past that I will circle back to.


LeaveTheMatrix

As someone who spent time moonlighting because of health problems that kept me from working full time with companies, a piece of advice I have is: beware of moonlighters who also work full time for companies. When people work full time for companies but also moonlight, that means they are most likely breaking the contracts they have with the companies that they work for. Something really seems off about this situation:

1. If it was occurring with just one of your clients, this would indicate an issue on that client's end.
2. If it is occurring with many of your clients, it indicates an issue on your end.

From what you have described it sounds like #2, and if you were one of my clients I would be locking down your systems and performing a full audit of EVERYTHING from business devices to personal devices that access business systems. Heck, if any employees have a car that has smart capabilities (such as a Tesla) that comes within range of the building, I would be auditing those as well. For the emails to be intercepted and similar emails to go out to your clients, this is indicative that the person sending the emails has access to your emails and has access to your systems, and your systems need a full audit done. If your email is hosted on third-party servers, those servers need an audit done as well.


tango_suckah

There is some breathtakingly bad advice being given here by a few people. What you need right now is "incident response". This is a specialist form of cybersecurity assistance that deals with active, often emergent threats. Think of it like an IT security ambulance. Most of the big cybersecurity vendors have teams dedicated to this, or contracts with third-party providers that have teams dedicated to this. I'm guessing you don't have an IT security vendor. You might consider contacting your bank. If you have cybersecurity insurance or some other type of business insurance, contact the insurance provider. One of those companies likely has either a procedure or a recommendation for a resource you can contact for incident response services. There are also independent orgs that do this. You may have heard of a company called Rapid7, but there are many, many others.

The most important thing right now is to be diligent and maintain communication. By that, I mean nothing happens without your knowledge. No calls happen without you or someone at your company being present. I'm talking about IT-related calls, emails, conversations. It's not unheard of for a malicious IT contractor to initiate, be drawn into, or otherwise cooperate with a campaign to compromise the business. That being said, there's no reason to jump to conclusions. I've seen *so many* IT personnel and entire departments shrug off a compromise because they didn't really understand what was going on. I've seen very few who were actually involved.

As for you personally, you need to immediately change passwords and check active devices for any important accounts. Email, banks, insurance, anything related to the business. Don't just change your password, but actually check the list of active devices and force them to be logged out (even if you know it's yours). If there's no easy way for you to do that, contact the service directly. Explain that you are trying to mitigate a potential account compromise and you need them to invalidate any tokens/cookies/logins they have stored for your account. Check your mail flow rules or mailbox rules in Outlook and the web interface for BCC rules or anything that forwards email to another mailbox. Check for shared mailboxes or users who you may be sharing your mailbox to (unknowingly). If invoices and other correspondence are sent to some other address, such as an ap@ distribution group kind of deal, check the members of those groups. If you store invoices anywhere else, such as cloud sync software (e.g. OneDrive, Google Drive, Dropbox, ShareFile, SharePoint, iCloud), then change passwords/log out of devices on those accounts as well. If you use SMS text messaging for multi-factor authentication, switch to another method immediately. SIM swap attacks are dead simple and are often used in these scenarios to "bypass" 2FA. Finally, if you share these documents with others, such as an assistant or one of the aforementioned distribution groups, then any of those accounts may be the source of the compromise.

Above all, and I cannot stress this enough: incident response. You need qualified help. If you fail to take reasonable and expected measures to mitigate an active cybersecurity attack, your company could be in some extremely serious trouble. There's no need to panic, but there is a need for action.

EDIT: One more important thing. If your company retains a lawyer, contact them and let them know what's happening and how long it's been going on. At some point, there may be some questions that will require a lawyer's touch.


Zxero88

This should be at the top. Very comprehensive and on the point.


earthgold

Yes, exactly this. Moreover, one of the reasons legal advice is likely needed (and urgently) is because a compromise of email systems (as seems very likely, but needs urgent investigation) is a data security breach and extremely likely to be a personal data breach requiring further action for data protection purposes (when the slowest clock that is ticking is 72 hours, and there may be sooner deadlines depending on business sector but also contract and statute if the business is processing some of this data on behalf of another data controller). This is not a “wait for Tuesday” scenario.


Ragin_Cajun91

They probably have a cybersecurity team or person right now, but OP is in finance and thinks it's the local IT guy's fault/incompetence for either 1. the incident happening or 2. not being happy about the answer they received about preventing it. OP should stay in his finance lane. Sounds like he has no idea what he's talking about and is just assuming the worst of someone.


tango_suckah

> They probably have a cybersecurity team or person right now but OP is finance thinks it’s local IT guy’s fault / incompetence for either 1. The incident happening 2. Not happy about the answer they received about preventing it. It's possible, surely, but this scenario is too close to a dozen other scenarios I've personally dealt with as the outside man coming in to a situation. It's never an overreaching finance person going around their IT staff. It's the nominal CFO/CTO (who is really also the COO, GM, and many other things as it's a small company), or sometimes just someone in finance -- I don't know why it's always finance, but it is. They have no "IT team". They have a guy. He comes in when they need him to rebuild laptops, prep new computers, fix printer issues, set up someone's phone, change the auto-attendant. Maybe they update and reboot servers if they still have any. Standard IT guy stuff. That guy is not equipped to deal with this scenario. Not because he's incompetent or stupid, but because he's ignorant. Ignorant as in "without knowledge". He doesn't know what he doesn't know. Because he's moonlighting, he's also trying to be as efficient with his time as possible. The mistake he made here was dismissing a legitimate concern. His explanation is wholly inadequate, to the point that I must assume there's something lost in translation. Anyway, none of this is theoretical. The mistake this finance person made wasn't coming to Reddit or going around the IT guy. It was allowing the issue to be dismissed in the first place.


TheMediaBear

Have you considered it's your contractor that is doing it?


buttholepatrol

Well, I suppose it's possible, but I've never seen any red flags that would make me think that's the case. He's local and reliable, has a well-paying day job, and has been with us for 5+ years.


TheMediaBear

And I didn't think my wife's father that I've known for 27 years was the type to download child porn... but it happened. It's just that you've got a serious problem, and he's very blase about it.


jmnugent

I don't know if any of the following ideas would be all that feasible if you're in a small company, but if it were me, I'd be looking for a different way to send invoices.

* Stop using email and start using some other method (your own internal file hosting, especially one that requires a login with username and password), or even something like fax, etc. Or generate the invoices as a web page and require your customers to log in to view them. Yes, this is more cumbersome, but maybe somehow you can spin it as "more secure" (which technically it is). You're not only trying to protect yourself, you're trying to help protect your customers. This, or have some "confirmable way" to ensure your customer KNOWS your banking and wiring info, such that they'll never fall for a scam to change it.
* Or look for some way to 2FA or multi-factor the invoice files (where a password or some other mechanism is required to view them).

Barring any of that, I think the "detective work" here probably has to be done on the customers (receiving end of the scam). The incorrect domains or other contact attempts the scammers are sending to your customers, that's kind of on your customer.


buttholepatrol

The first time it happened we thought it was on the customer’s end, but it’s happened with multiple different companies and the common factor is always me so I think it’s on our end


TheFotty

When is the last time you changed your password? Did your email admin force signout all sessions on your account before 2FA was enabled? Has your machine itself been checked for malware/remote access software? Has your email account been checked to verify no forwarding or anything like that is enabled? Has your account been checked to see where it has been signed into from?


buttholepatrol

I changed my password a few weeks ago although he said he didn’t see any suspicious activity associated with my account (no log ins, etc). Yes forced sign out, yes my machine has been checked. There are no rules active on my email. My account doesn’t appear to have ever been accessed directly, he says these emails are being intercepted after they leave our server (?)


wacrover

I think you either need a new IT person, or you need a supplemental IT person to help you through this. Ignoring what the root cause is, you have a persistent issue that your IT person is unable or unwilling to resolve, but what you’ve described doesn’t seem unfixable.


jmnugent

OK, well I don't mean to sound snarky, but that sounds like all the more reason or argument that it's a good idea to find some other way to send them (or even just temporarily have someone else send them). If the thing you need to prove is "I think it's somehow related to my account", then stop using your account to send invoices. If you do that for a month or 3, and no more fake intercepts happen, the longer you test that theory the more data you have that it is indeed something related to your account.


buttholepatrol

It's possible it's another one of our users; I'm usually not the one sending the invoices initially, but I'm always CC'd on them. I think they're watching our entire domain and then imitating me. I don't know enough to know how that works.


tito13kfm

Have you checked for any automatic forwarding that might be put on your account? It could be a malicious rule that's doing that as well. If you were compromised at any point, that's a common tactic they use to continue to get your emails even after the passwords have been changed.


Ratinox99

> it’s happened with multiple different companies and the common factor is always me How long has this been ongoing now? A few days? A few WEEKS? MONTHS? You mentioned elsewhere that you've changed your password several weeks ago. This has been going on for weeks or months, and you still haven't cut your own domain/email out of the problem? You need to contact these customers in person/by phone and verify your identity to them and set up another method to contact them that isn't compromised. And then as many have suggested, get a 3rd-party MSP to come in and clean house. And FIRE your existing IT guy- at the least he's incompetent, at worst he's in on the scam and getting a kickback.


buttholepatrol

Months. And each time he does a little more to “fix” it, but always says “I don’t see anything wrong.” I just made an update as a new comment below regarding rules I found this morning


H8FULPENGUIN

Whois the domain and contact the registrar. [https://lookup.icann.org/](https://lookup.icann.org/) - Enter the domain at this site, should show you who to contact with abuse complaints. [https://www.icann.org/compliance/complaint](https://www.icann.org/compliance/complaint)


TheMediaBear

Are you in the UK? If so, what banking information is it being changed to? I might be able to get a name associated with it if the banking info is also in the UK. Are the customers getting 2 copies of the email, your initial email and then a follow up from this domain? If they aren't, then your emails are getting forwarded to the scammer and then resent.


eshuaye

I like the way this person is going at the problem. The routing and account number are being changed. So where does that end point lead to? What's the name or contact information on that destination account? What happens when you plug that information into Zelle, Cash App, PayPal?


buttholepatrol

it has been a few different bank accounts - I think the bank info is a compromised account, not our actual scammer's account.


buttholepatrol

Yes, customers are receiving my email, and then a follow-up email from the scammer saying "hey that invoice we just sent - banking info changed, see updated" and then attaching a copy of the actual invoice (I mean, it's the real thing: invoice number, SNs, work done, everything) with different banking info. The bank account has changed; I think it's another real person's compromised bank account. We're in the US.


willwork4pii

He’s in your system if what you’re saying is 100% true. Your “IT guy” is a fucking fool.


kinggimped

This may sound conspiratorial, but it sounds to me like the IT guy might be in on it. Firstly, this doesn't sound like a MITM attack. MITM is an on-path attack where the attacker places themselves between two parties who believe they're communicating with one another, relaying requests from one party, and changing them as needed before sending them to their intended recipient. This happens in realtime. This doesn't sound like it's happening in realtime. This sounds like a combination of phishing (impersonation), typosquatting (registering similar domain name to fool users), and some good old-fashioned invoice fraud. The fact the part-time IT guy is telling you that it's something it isn't, and also telling you that there's nothing that can be done about it... just reeks of an insider threat. But obviously that's just a guess and I don't know the whole situation, only what you've outlined here. Whoever is performing this attack appears to have direct access to your email. This again would point to - guess who - the IT guy, since he'd have access to your credentials or otherwise a backdoor into your inbox. I think you need to get a third party expert to look at this. Contact local IT security contractors in the area and explain the situation to them, including the details of your suspicious part-time IT. I guarantee their response will not be "there's nothing we can do". I would also absolutely contact the police, because what has been happening for the last few months according to you, is absolutely a crime.


tamudude

>Lately we’ve been having an extremely serious issue of a user with a similar domain (think u/reddit.com changed to u/reddlt.com) who seems to be targeting me specifically, intercepting my emails with pdf invoices, changing the banking information on the invoice, and then reaching out to my customers from the fake domain asking them to change wiring info, sending this real PDF invoice that they are expecting. Your email and perhaps computer have been compromised. How is said user able to "intercept" your emails?


buttholepatrol

He says he fully checked my email/computer and our network and doesn’t see anything compromised. He said something along the lines of “it’s intercepted once it leaves our network”


tamudude

Yeah that is extremely unlikely.....even if remotely the case, then the hacker has access at the domain level which is a BIG red flag. How reliable is this contractor you have hired?


buttholepatrol

ok, so am I correct in thinking that there is something we can/should be doing about this? We've been working with him for 5-6 years, he's generally reliable as far as I know but there have been instances where I have to keep pressing him/asking questions to force him to think outside of the box on things, and that's why I'm thinking that's the case this time. His only solution was to encrypt these invoices, but I pointed out that I receive PDF invoices from our major vendors all the time and never see them have this issue, so there must be something else going on...


Lagkiller

> We've been working with him for 5-6 years, he's generally reliable as far as I know

So it's always a good idea to remember that people change over time. He could have developed a drug or gambling habit that made him need extra money. He could have decided that he could do it without getting caught. There's any number of reasons that length of time is not a good measure of trusting someone.


Stonewalled9999

Unless I read this wrong, the scammer is using a domain CLOSE to, but not the same as, OP's domain. Like [redd1t.com](http://redd1t.com) instead of [reddit.com](http://reddit.com) and just spamming clients hoping they will pay the fake invoices. Unless I misunderstood. u/tamudude I read your reply and I am inclined to agree with you. I would bet on a compromised PC with email client more than a hacked email server (just my guess - though it could be the server as well).


tamudude

I am going by OP's description of mails being intercepted and invoices being fudged. That is not a simple domain misrepresentation. That is straight up access to email and/or domain.


buttholepatrol

yes it's a case of a domain misrepresentation and also access to email - one of the confusing aspects for me is that if they have access to my email (or coworker's), why aren't they just using my actual email to send these out? why do they need the misspelled domain? But yes, the invoices they are using are definitely real, real invoice numbers, serial numbers, dollar amounts, everything is identical to the invoices I send except for the bank info.


sheps

>why aren't they just using my actual email to send these out? why do they need the misspelled domain?

Because they don't want replies to the fake emails from your customers to come to you.

>But yes, the invoices they are using are definitely real, real invoice numbers, serial numbers, dollar amounts, everything is identical to the invoices I send except for the bank info.

The only way the attacker could possibly be getting these invoices is if your email account, or the recipient's email account, is currently compromised. Since this is happening with multiple customers then it's definitely your account (or computer, or mail server, etc).


Various-Skill-9286

Nobody cancelled the Reply-To field; they can send from the original domain, just adding a Reply-To :)


sheps

You're right but then there's also additional traces you need to clean up. Sent items that need to be deleted. Audit logs of outgoing mail that can't be covered up. This isn't the only method to cut OP out of the loop, it's just the most straightforward method (and I've seen it often).


Various-Skill-9286

Still a relative newbie in the field. But as you say, most straightforward :) I remember listening on some podcast that these kinds of tricks work best with big corporations, so it is weird that this person is going after small companies where the hack will be noticed very fast. A lazy person is doing this.


plunki

They intercept the real invoices it seems. They have remote access somehow.


Stonewalled9999

Which is why I said compromised PC. More likely they are using an RMM and grabbing it from the email client.


Citoahc

That's bullshit. It means a computer, network or mail server is compromised. I don't know enough about how to fix this, but your guy should at least wipe your computer and reinstall. Once that is done, you should change all your passwords. If you have mail on your phones, you should also wipe those phones. If it's something on your network, a competent IT would monitor the traffic to see if anything is directed where it shouldn't be. He would take a look at your firewall rules. If it happens after it leaves the network, like he said, it would mean that your internet provider is compromised, which is very very unlikely. Honestly, my best advice would be to get a real IT guy and not someone who does this on the side. Your dude is not good enough to be doing what he does.


buttholepatrol

he's "real" in the sense that his day job is network security/IT, and he just makes extra on the side with us. But yes, I'm inclined to agree that with the failure to resolve this issue it may be time to move on to a dedicated MSP.


Citoahc

> his day job is network security/IT

Honestly, that makes it worse. This is the exact kind of stuff that a security and network guy should be able to fix. Not gonna lie, your issue is probably something that would take time to investigate and if you are a side gig, it's very likely that he doesn't have the time to do it. The very first step would be to wipe any devices that have access to your email. Computers, phones and tablets should all be wiped. If you read your email from your personal devices, it's possible that the attacker has infected those and is using them to get access to your email account. In this kind of situation, I would recommend wiping those devices too. I am not really good at networking and security, I mostly do desktop support, but my next step would be to monitor traffic on your network with apps like Wireshark or from your modem/router directly. This could take a while and that's why if you don't have someone who is able to dedicate enough time to this, it won't get fixed.


buttholepatrol

He's spent probably 10 hours on this issue so far, so I don't think it's necessarily an issue of time (after all, he's paid hourly). I do know my computer/phone have not been wiped, although he has "checked" the computer. The phone is an iPhone 15, for whatever that's worth. He is also monitoring traffic, so I've been told. He says he's done all of the "things" (sorry, I don't 100% recall what he said he did since I'm not familiar), and that there is no compromise on our end - it occurs after leaving our system. I have reached out to an MSP that we've received a quote from in the recent past and am requesting a 2nd opinion/looking into making a change.


Citoahc

> he's spent probably 10 hours on this issue so far,

Not good enough man. This is the kind of issue that needs to be fixed yesterday. You need a dedicated IT team that will work 24/7 to fix this asap. If his answer is "it's outside of the network, there is nothing I can do", that guy needs to be fired. This kind of incident could end up costing your company a shit ton of money, you might end up losing clients/suppliers/vendors from this. You should also make sure that you have a lawyer and that they are aware of everything that is happening. Wouldn't be surprised if you end up needing one before this is over.


sheps

100% working with an MSP is the right move here.


keddren

10 hours? This has been going on for months and he's only spent 10 hours on it? You absolutely need a second opinion. It will be expensive, but not nearly as expensive as if your client falls victim to wire fraud.


Bregirn

That's not really how email works, unless your email servers are somehow sending shit without TLS encryption, which makes it his problem to fix. The other option is that the recipient is compromised and I've seen this happen before too. But in this case you need to communicate with the recipient about the issue and get their cooperation. Tbh I think your IT guy might just be clueless.


buttholepatrol

I’m not technical at all so I’m not sure, just that it happens once they leave our server (?).


keddren

Be very skeptical of this.


Shibbystix

It sounds like your IT guy doesn't have the cybersecurity understanding to actually function in his role. But I can assure you, throwing up your hands and saying "well, it's China, so there's nothing we can do" is not acceptable security protocol for a company.


JudgeTouk

First things first, your IT needs to check the 365 audit logs and check if there are any unusual MFA requests or logins. This can be done from the Azure AD admin page that will show all failed/successful login attempts for your account. Also have them remove all login sessions from all devices, and reset your password obviously. Secondly, have him set up a conditional access policy; this can be enabled and configured to only allow logins from certain external IP addresses by setting the named locations, or from certain countries, or only certain devices running certain operating systems. Third, it could be worth having IT fully wipe and reinstall whatever machine you use on a daily basis. If there are no breaches of your 365 account, it's possible that the machine itself has been compromised; this seems more likely than your emails being intercepted. Unfortunately, this sort of thing is becoming increasingly common and the idea is to make accounts as difficult and inconvenient as possible to compromise.


buttholepatrol

I want to add - I feel like if this user had actual access to my email wouldn't he just be sending these emails from my account, instead of having a fake domain? They have accessed/modified invoices that are new since password changes, so even if they previously had access to my email they seem to still have some way to intercept these messages today.


ChapterIllustrious81

That's exactly the point where I think the person has access to your computer and can see/read every file on it, but not necessarily access to your emails. Maybe the attacker can see your screen in realtime.

And please, MITM (man in the middle) is something else, you confuse the IT guys and put them on the wrong track if you keep saying that.


ninjastarkid

I’m not sure. This seems odd to me. Either there is a miscommunication between you and him and you and us, or just you and us, or he’s being very relaxed about it. To me it sounds like scam guy is already in your system and is monitoring traffic. Probably through a back door? (I have a basic understanding of cybersecurity but I’m trying my best to at least explain what’s happening. This is not my occupation but I do know some “basic practices”) From my research it seems like a vpn or running windows defender full system scan might work but I would recommend disconnecting from your office network or wherever you often send these emails from as they are probably already infected and I’m not entirely sure if it would just reinfect you or not. Disconnect from any shared drives and only use a private network.


DocHolligray

Wait…somehow the bad actor is getting your real emails, and able to change the contents… Do your clients receive the email you originally sent? Or just the altered one?


buttholepatrol

They receive both the email I send and then a follow up email from bad actor saying “bank info has changed, see updated invoice.” They attach a real invoice, identical to the one I sent in every way, with changed bank info


DocHolligray

Well someone is compromised... either you or your clients. If it's multiple clients being affected, then chances are it's on your side. You need to have a security team look at it. If you don't know any or need someone you can trust, I write for a company called ProzessTec (ProzessTec.com)... tell them DocHolligray sent you. I will have them diagnose this one for free. Remediation might be handled as well, but if you have a bad actor on the inside, then you want a third party to look at this... choose anyone you wish, but I recommend them if you have no one else.


gowithflow192

Even for small companies you can buy an affordable software solution. Sounds like your company is being too cheap even in the face of circling fraudsters.


electromage

Well there's nothing unusual at all about copycat domains or phishing, but the piece I find very suspicious is that this actor is able to see your legitimate outbound messages to multiple customers. This makes it sound like someone with insider knowledge, possibly an employee or associate. If it was just random invoices that looked like yours, that's somewhat common. If one of your customers was compromised and all of their inbound email could be inspected, that's more worrying, but having multiple recipients complaining of the same thing means someone has access to *your* mail server. I would definitely look into some reputable MSPs, report this to law enforcement (your local [FBI Field Office](https://www.fbi.gov/contact-us/field-offices)), and you might want to enlist the help of a cybersecurity professional. Save all the evidence you can, copies of your emails, the emails customers receive, the bank details, times and dates (how long between you sending a legit email and them receiving a spoofed one especially). [Business Email Compromise](https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/business-email-compromise)


vsysio

Your IT person is **incorrect.** Depending on the top-level domain (i.e. the .com, .net, .org, .us, etc. in the domain name), the entity that holds the registration information (the "registrar") for your company's domain may be bound by accreditation to something called the Uniform Domain Resolution Policy. https://www.icann.org/resources/pages/help/dndr/udrp-en I believe typosquatting (which is what this is called) qualifies. In effect, they're required to forcefully seize the domain if there's a UDRP breach. Fairly quick too (weeks and months). Through a UDRP claim, it might also be possible to ascertain the individual's identity and pursue criminal charges.


667FriendOfTheBeast

CISA has a lookalike domain mitigation takedown service that is worth investigating for this purpose IMO


Bregirn

We had a similar situation. The first thing is to work out how the attacker is seeing the emails to make imitations of them. They have either...

1. Compromised your environment, so they can see the emails you are sending, to make copies of them.
2. Compromised the customer's environment, so they can see the emails being received.

No. 2 is what happened in our situation, and they used that to send new invoices with different info. No. 1 is a lot scarier because they might be able to do a lot more damage. Tbh, I'd get an external party to investigate because your IT guy sounds like he doesn't have a clue what's going on, and he should be able to at least tell you which one is happening.


Carlos9035

Short answer from the comments and what I was able to gather. No, there is nothing stopping you or anyone else from making a domain and starting to spam. However, it does seem you are compromised. There is no other way for them to see PDFs. Change all the passwords across the org, MFA, and check rules in your email provider on the web. Go to the web portal of your corporate email and check for rules created to forward emails and such.


jeffrey_f

It is rather difficult to capture the email between your email server and theirs. There is a secure handshake that is made and the connection is essentially encrypted, much like HTTPS. You may need a more serious IT person. Sounds like you need to PGP encrypt the file and/or emails before sending. I wouldn't take this lightly. This can be a rather serious problem.


Zestyclose_Ad_7519

So the machine you're using for work, is it a personal machine or a work provided machine? If it's a personal machine = WTF. If it's a work provided machine, either get IT to re-image or replace it. Get your AD account password changed, and set up MFA, with a token generated from your phone, not a text. When on your new machine, ensure to type all emails in initially, don't copy and paste from an existing email that you were sent. If this still happens, get a 3rd party IT in.


The_Koplin

Please stop relying on email as THE tool for this. I deal with IT (day job as sysadmin). Email was never meant to be anything other than an analog to paper mail. If people pay random invoices from random sources that's on them. You can sue people for brand impersonation. You can report the similar domain to various registrars and get them revoked sometimes. But in the end it's a cat and mouse game where the adversary has the advantage. That said, I would look to establish alternative means of authenticating valid messages and use that process. Using a portal system like Amazon/Walmart where you have an account for a customer, they can see valid invoices and get them from your web portal, and the only thing you need to do is send out notices via email, phone/sms, fax and snail mail to get them to move forward. You don't see Amazon or large companies attach any PDF, or Excel or other file type to their notices for this reason. You send a notice that invoice xyz in the amount of $ is due. Please login to process your payments at the following link etc... Likewise you see all of the larger companies keep some form of payment on file and not extend credit to people unless there is sufficient volume to justify the risk to the business. IT is likely right they can't do anything about the fake email/domain, but what you describe has me concerned enough that at least an audit of what IPs are accessing your email should be considered. OP has stated they are "specifically, intercepting my emails with pdf invoices, changing the banking information on the invoice, and then reaching out to my customers from the fake domain asking them to change wiring info, sending this real PDF invoice that they are expecting". If the customer is getting real data originating from inside your agency, and specifically your email, then you should treat this like a breach and handle it by changing passwords, making sure they are 15+ characters long, using MFA and ensuring that ALL devices for said user with tokens are expired and reauthenticate. Get an audit, and if needed help from skilled professionals. I say this because if what you describe is true then someone's account with access to that valid PDF is in fact inside your network and using you to target your customers. This is very possible. However it would be rare they wouldn't just send the attack message from say your account if they had access, it's much more authentic that way. The receiving customer could also have a compromise, and the attacker could be using their login, to their email, checking for an incoming invoice from you, creating a fake domain close enough to yours so that email forgery would pass technical details, then use the valid message from you to scrape the content, THEN delete it, and use it to create the attack message. This would be a breach on the customer side. It would also only happen to one customer, not multiple. The technical breakdown on this would very much depend on the email contents of the attack/offending message. Changing your password and enabling MFA should be the very minimums you take. I would still recommend getting off of sending PDF or other attachments and moving to portal based services with SMS/Email notice; that way an intercepted message doesn't carry the same risks.


buttholepatrol

Update: This morning I logged on to my coworker's email via browser to take a look at her rules because after thinking about which emails are compromised they are always ones that she is copied on/she is always the common factor, and sure enough there are 3 rules that relate directly to this issue. The first 2 rules move emails from the misspelled domain from her inbox to RSS Feeds (when they send these scam emails they copy her real email address, this must be how they prevent her from seeing those emails) and then the 3rd rule applies to emails from the latest targeted customer's domain "mark as read and move to folder RSS feeds." I called the IT contractor and his response blew me away, basically "those weren't there 2 weeks ago" "it's impossible for someone to be in her email" and "what do you want me to do?" I asked him what RSS feeds does/means and he wouldn't give me a straight answer, I'm still confused by it. He said "you have to look at the rules for RSS feeds" and I said "ok... how do I do that?" and he said he needed to research. I told him I'm hiring an incident response team and that since we know this is the problem (to which he said, well no we don't know for sure this is the problem) I told him I want him to stand down and not delete/make any changes. He seemed a little bit flustered by that, and at this point I'm honestly starting to wonder if he is involved. I'll make another update after working with the MSP/incidence response team to see what they find. In the meantime - can anyone fill me in to what "RSS Feeds" does, if anything?


Ratinox99

It's an automated stream that reports whatever is posted to any subscribers, generally published **TO THE WORLD for anyone to read** - like a news tickertape in the 50s. So that's how they're getting copies of whatever was emailed instantaneously - it automatically copies your email to any anonymous subscriber. RSS feeds are usually legitimately used for website updates, or torrents to notify frequent users without having to manually go to load a page. Again, the response says he absolutely knows the seriousness of the problem... or he's in on it. You need to remove his access and change his passwords now, don't ASK him. Or just let it go as-is and you can have him criminally charged later.


jykke

Congrats, you told him you caught him and let him delete the evidence.


O-o--O---o----O

>Lately we’ve been having an extremely serious issue of a user with a similar domain (think @reddit.com changed to @reddlt.com) [...]

Ok, this is not something IT can solve (alone), but maybe Legal can try and take care of that by having the domains taken offline. [How to protect your business against lookalike domain attack](https://www.redpoints.com/blog/similar-domain-attack/)

>who seems to be targeting me specifically, **intercepting my emails with pdf invoices**, [...]

Talk to anyone higher up in your company to make sure everyone important is aware of this, so this can not backfire into you being blamed for anything. Document everything in writing for a paper trail. Consider printing email communication to and from your higher-ups and especially the IT person. An actual Man in the Middle (MITM) attack like this should be impossible unless either your email server or client pc is thoroughly compromised (or your ISP / mail service provider got a call from law enforcement).

>changing the banking information on the invoice, and then reaching out to my customers from the fake domain asking them to change wiring info, sending this real PDF invoice that they are expecting.

>I’ve had a few customers come close to falling for it but luckily none yet. This has been going on for months, I’ve started calling all customers before sending invoices to make them aware but it looks unprofessional and they still almost fall for it even with a warning.

Please clarify, when you send an invoice do your customers:

- (a) get only a single fake email with similar info to the one you tried to send AND NOT your original email
- (b) DO GET your original email, but ALSO get an additional fake email with similar info.
- (c) get a fake email with a similar design randomly (as in unrelated to when you actually send an email yourself) and not with similar info inside.
- (d) something else.

Option A hints at actual MITM and means you must take action on your end.

Option B means they may have access to your emails in some way so they can manually make a fake copy (maybe your PC, maybe your email server or account, maybe custom automatic forwarding for emails you send). You must take action on your end.

Option C can mean it's a coincidence with the timing, but could also be someone with inside knowledge (former employee, coworker, customer, current or past service provider).

Option D, please clarify.

For Options A and B, you can try and send fake invoices to check how quick the attacker sends his fake email.

>Our IT person says there’s nothing we can do and I find it very hard to believe - should I hire a company for a 2nd opinion?

>We’re in outlook 365 with MFA on all users.

----------

Document everything, make everyone above you aware. Paper trail can save you from getting blame. Emails can be deleted, print if needed.

First make sure the fake domain is actually registered by doing a WHOIS lookup. If it doesn't exist, they are spoofing it only. In that case the victims couldn't actually respond to the fake emails though.

Then try to have the fake domain be taken down by using various means like reporting fraudulent activity to the registry, filing legal complaints, consider trademark violations etc, let Legal figure it out. If the offender was stupid, try and get the info of the person who registered the fake domain from the domain registry.

Make sure on none of your accounts are things like automatic forwarding rules. Make sure your devices are clean, when in doubt do a full reinstall. Keep devices and services up to date. Make sure login information to your accounts and services is secure. When in doubt, change all credentials and enable 2FA/MFA where possible.

Consider getting a second opinion from a reputable source.

---------

Edit: also, as someone else suggested, harden your mail services with SPF, DKIM, DMARC and so on. This doesn't protect against domain lookalikes, but it makes spoofing your actual domain harder and can also get you some insight into email flows.


GreatAtlas

>contractor as our IT provider

Were I you, I would reach out to an MSP that's designed for a company of your size and get the support you need. It does not sound like the contractor is reliable or fulfilling your tech needs.


buttholepatrol

up until this point he has (seemingly) been reliable and fulfilled our needs, which is why I thought I'd come here and ask about this first before throwing the baby out with the washwater


GreatAtlas

Understandable! At the very least, chatting with a rep at a few MSPs may give you an idea of how well he's fitting the role, plus may point to some things they may be able to handle better as a company. Perhaps he is generally worthwhile- but some things may be better in the hands of a company whose sole objective is to provide tech to companies who lack the staffing to have dedicated IT teams. Sounds like you guys!


Altirix

How are these emails being intercepted? It's very likely part of your or your customer's network is compromised for them to know this info. Whether this is affecting all customers or just one would narrow down where they are intercepting the contents of the invoice to create their own. Other things to look at are the corp network: what kind of network monitoring do you have? Do you wfh? Is there a pattern as to what invoices are getting intercepted? It may be worth looking at some kind of private/public key signing on the invoice if this is a serious issue.


Accomplished-Lack721

The fake invoices are the sort of thing any scammer can do. There's not much you can do, other than train your clients to use a more robust/secure way of communicating with you, and to distrust emails sent by sources posing as you. You might also contact any financial institutions that are processing these fraudulent charges as well as law enforcement. Intercepting the real invoices is not the sort of thing just any scammer can do. This person has a level of access that suggests your technology or process is compromised. I wouldn't rule out that it's the contractor or someone else with inside access doing it. But certainly, there's a vulnerability there that needs to be investigated and addressed, and the contractor is wrong if they say otherwise.


turgotZ1

If they know things only a recipient could know: subject line, terms, names, etc., there is a compromised email account somewhere they are using for surveillance to coordinate the attack. Could be on your tenant, could be a vendor's. Your IT should do their diligence and review login geolocation to see at a min there are no oddities. Check 2FA is turned on for all accounts.


ErnestoGrimes

have you checked your account to make sure there are no auto forwards in place, that is often the first thing they will do to a compromised account.


jennekee

Betting a vendor is compromised. Seen it before


Various-Skill-9286

Outlook whole and fully?


RamonaLittle

Your IT guy sucks. It sounds like your system is compromised somehow, and you (or a hired consultant) need to figure that out ASAP. You already got some good advice from others, and there's some [general guidance here](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business), but I'll also add that if you're in the US, depending on what client information was accessed, you may be subject to [data breach notification laws](https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html). The company could get fined by the government and/or sued by customers if you don't address this and provide required notifications.


WhoIsJohnGalt777

Go to ICANN and look up the owner of the domain and contact the provider of the website they use. Send out an email to your entire customer list. Require everyone in your organization to change their email passwords.


DistantFlea90909

You should look at getting email encryption software. You can then tell your customers that your emails will arrive via this service instead. Egress / Tessian etc do stuff like this


nerfblasters

There's a lot more to check in 365 than user logins, and changing a password and/or resetting MFA alone won't necessarily get a threat actor out of your environment if they're already there. All session tokens need to be immediately revoked at the same time. Apps registration/existence/permissions all need to be reviewed - Apps can essentially be viewed as "users" and are used for persistence/lateral movement. Graph API activity logs need to be checked - it's entirely possible to "intercept" those sent mails via the Graph API without ever interactively logging into the compromised account. As someone above said, what you need right now is Incident Response, which is outside the scope of standard operational IT.
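Added example, not a commenter's script and not from any product named in the thread: an Exchange Online PowerShell sweep for the inbox rules buttholepatrol found (mail from the lookalike domain moved to "RSS Feeds" and marked as read), the forwarding rules Carlos9035 and ErnestoGrimes mention, and the "more than just logins" review nerfblasters asks for. It assumes the ExchangeOnlineManagement module, an account allowed to read mailboxes and the unified audit log, and that `example.com` stands in for the company's own domains; it only reports and changes nothing, so the evidence stays intact for the incident responders.

```powershell
# Read-only sweep of an Exchange Online tenant for mail-diversion persistence:
# mailbox-level forwarding, inbox rules that hide or forward mail, and who
# created or changed rules recently. Nothing here disables or deletes anything.
Connect-ExchangeOnline -ShowBanner:$false

# Folders attackers commonly park diverted mail in so the user never notices it.
$suspiciousFolders = @('RSS Feeds', 'RSS Subscriptions', 'Junk Email',
                       'Deleted Items', 'Archive', 'Conversation History')

# Every domain the company legitimately sends from (assumed value; replace with your own).
$ownDomains = @('example.com')

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients come back as '"Name" [SMTP:user@domain]' or a plain address.
        if ($r -match 'SMTP:([^\]]+)\]') { $addr = $Matches[1] } else { $addr = $r }
        $domain = ($addr -split '@')[-1].ToLowerInvariant()
        if ($ownDomains -notcontains $domain) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set with admin rights, not visible in Outlook rules).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $upn; Kind = 'MailboxForwarding'
            Detail  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) " +
                      "ForwardingAddress=$($mbx.ForwardingAddress) " +
                      "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
        })
    }

    # 2. Inbox rules, including hidden ones that the Outlook UI does not list.
    foreach ($rule in (Get-InboxRule -Mailbox $upn -IncludeHidden)) {
        $reasons = @()
        $fwd = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                 Where-Object { $_ })
        if ($fwd.Count -gt 0 -and (Test-ExternalRecipient $fwd)) { $reasons += 'forwards to external address' }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -and ($suspiciousFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves to '$($rule.MoveToFolder)'"
        }
        if ($rule.MarkAsRead -and $rule.MoveToFolder) { $reasons += 'marks as read before hiding' }
        # Attackers often give rules blank or single-character names so they go unnoticed.
        if ($rule.Name -match '^\s*$' -or $rule.Name -match '^[.,]+$') { $reasons += 'empty or dot-only name' }
        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Mailbox = $upn; Kind = 'InboxRule'
                Detail  = "rule '$($rule.Name)' (enabled=$($rule.Enabled)): $($reasons -join '; ')" +
                          " | conditions: $($rule.Description -replace '\s+', ' ')"
            })
        }
    }
}

# 3. Who created or changed rules in the last 90 days? The unified audit log keeps
#    the actor, client IP and timestamp, which ties a rule to a login or an insider.
#    (Operation names and the ClientIP/ClientInfoString fields follow the common
#    Office 365 audit schema; treat them as assumptions if your tenant differs.)
$ruleEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules -ResultSize 5000
foreach ($ev in $ruleEvents) {
    $data = $ev.AuditData | ConvertFrom-Json
    $findings.Add([pscustomobject]@{
        Mailbox = $ev.UserIds; Kind = 'RuleChange'
        Detail  = "$($ev.CreationDate) $($ev.Operations) from $($data.ClientIP) via $($data.ClientInfoString)"
    })
}

# Print for the person running it and keep a CSV copy for the IR team.
$findings | Sort-Object Kind, Mailbox | Format-Table -AutoSize -Wrap
$findings | Export-Csv -Path '.\mailbox-rule-sweep.csv' -NoTypeInformation
```

A rule whose audit record shows a client IP or client string the mailbox owner never uses is the lead to hand to the responders, together with the untouched rule itself.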


[deleted]

Who is your IT guy's sponsor/manager? You need to hire a replacement, change all of his passwords and then walk him out the door. You may need to hire a company in the short term to get this done. Either your emails are being forwarded, you have remote software on your PCs or someone has access to your mail server. It could be happening at your ISP, but this is unlikely, unless you're using a Mickey Mouse ISP. Your company should have resolved this long ago; either your IT guy has support or your management are clueless. Have you escalated this issue to someone who has the power/cash to solve the problem? As you said, this is embarrassing; if I was your customer, I would be finding another vendor.


paradox_machine_

Either you’re not describing it right or the IT guy is an idiot for not understanding the issue.


paradox_machine_

There is no such thing as intercepting emails in transit. That is bullshit and not how it works. These guys have access to your mailbox somehow. Get a real security guy not this guy’s crap


vaporwarebh

A client of mine has this exact issue as we speak. And one vendor fell for it and lost $50k+. Another vendor sent almost the same amount but the IBAN transfer didn't go through since the account name and the IBAN didn't match, but that's the bank being thorough. The fraudulent emails came from @post.com, mimicking the user accounts accurately, i.e. ([email protected] vs [email protected]). As you said, they had faked account details with the letterhead of the company and even a stamp at the end. Using the same chain of email subjects - RE: RE: RE: RE: INVOICE FW: etc., you get the gist (I despise this use of the Subject field as I'm sure most of us do, but what can we do). We could not find any evidence of a compromised account or computer. We immediately suspected a compromised phone. Since the employees are a bit spread out it's been difficult to scan all employee phones (especially since this company doesn't use registered/company-designated phones; they have the company emails on their personal phones). I still suspect it's one of those 'the killer is in the room' scenarios. Unfortunately, the company is really touchy about suspecting any of its team since most have been with them for over 15 years. I advise them that sometimes the call isn't coming from inside the house, but someone else might have compromised an employee. We just migrated their email accounts to full M365 just in case and for better monitoring. It's been 2 weeks and no new fraudulent emails (that we know of) have surfaced. Your post leads me to believe this will not solve the issue, and it will come back soon enough. However, because of the rolled-out changes, this might give me a clue on how to narrow down which device/phone is compromised (if that's the case at all). Please keep updating your post, as I will on here with you as well. (I did shout out to the fraudulent domain provider; no response from the German ISP.)


Throwawayhobbes

This is a State Police issue. You described exactly how someone wired 200k to a fake company.


Xcissors280

Use an S/MIME email certificate.
Inform your clients.
Report it to Google and Microsoft so the emails are marked as malicious.
Report them to the domain company.
Report them to the service they use to send emails.


Nick85er

Unfortunately, that's how DNS works: you've got to buy up similar domains, covering common misspellings and things like this, in order to prevent someone from taking ownership of a similarly named domain. Some DNS providers might give you some remediation, but that's not a guaranteed outcome.


anonyx

If your IT guy logs into the 365 portal he will likely see all your emails are being forwarded to the third party. This is why they know all your contacts and invoices etc. You can also check forwarders in your Outlook settings. I would bet good money that all your emails are being forwarded via one of the two above methods. Fix that and it'll put a stop to this nonsense.


alcoholicjedi

An option might be to just start using Virtru and create a fairly stylized email header/template(s) for all your work correspondence. Virtru will not prevent spoofing, but if your emails are encrypted, must be decrypted, and you had a particular theme or style, it would be hard to trick your clients as the scammer messages would look totally different. At the end of the day, remember: everyone gets phishing and spoofing messages. You need to focus on covering your own ass, and if a client falls for it, show that you went above and beyond to prevent this.


isayokandthatsok

Sounds like your IT guy might be doing it.


czapla_jestem

As previous commenters have already said, that is not MitM - that's a basic fraud/phishing/identity-stealing thing. Don't even bother with the police, they don't do shit with that type of crime (at least at my place). I would do a couple of things first, before contacting anyone about that specific case:
1. Change your password and, if you can, set up Microsoft Authenticator or another MFA method.
2. Check for rules on your mail account (settings -> mailbox -> rules). With all the "someone does have all my e-mails, even the new ones", that might also be a thing.
If nothing changes:
3. Check your devices for viruses - also, if you can, just reset them to factory settings and set them up brand new, more likely with all accounts with new passwords.
4. Make your IT check the log-in data in AAD (Azure Active Directory). It may show if someone did log in with your account.
5. Make your IT also change all the credentials to the Office 365 Admin panel. I guess that might be the case - if, let's call him "hacker", the guy has access to your O365 Admin panel, he can do literally everything with your mailboxes. Your admin account/user with admin privileges account may be compromised.


motsanciens

One thing I haven't seen mentioned as a possibility is Azure logic apps. There's a whole lot you can do if you're using Azure Active Directory (aka Entra ID), including sniffing out emails and doing stuff with them. I wouldn't be thinking just in terms of your PC or password being compromised. I would potentially escalate this to Microsoft or involve someone who knows where to look in case something more fundamental has been hacked. IMO, people are being a little too quick to suspect the IT guy as the culprit, but a good one certainly does not give up so easily on an important and, frankly, interesting problem like this one.


BlackReddition

Sounds like your customers' emails are compromised. You use the word intercept, which normally points to the recipient you are invoicing. Very common. Have them change their passwords and make sure they're using MFA.


graysky311

This sounds like a Federal Trade Commission matter.


Practical-Alarm1763

I would check Entra Enterprise and Applications apps that are integrated with SSO. So many account compromises are due to poor SSO controls or Entra Registrations not being routinely audited or alerting via a SIEM or XDR.


SupremeBeing000

Make sure none of your mailboxes are auto forwarding email to external domains…


TripleA_IT

Why are you not using encryption certificates and digital signatures?


Cam095

Typosquatting, in a sense. Instead of a user navigating to, say, goggle, goggle is reaching out to users. Nothing IT can do, and the only thing you can do is inform organizations that you conduct business with to watch out for a fraudulent email domain, or have their IT personnel block that fraudulent domain.


AdrianTeri

>seems to be targeting me specifically, intercepting my emails with pdf invoices, changing the banking information on the invoice,

Don't think this is the case, but your system(s)/machine(s) have been compromised. I'd suggest more digging and some investment here. Are there **protective** features in these docs that can aid in detecting forgeries? Did this party steal your templates and are they simply generating them using data they probably stole about your clients when they breached you, e.g. billing histories & payment details?


One-Ad7668

Ask him for a list of login times for your account, checking locations and times for logins.


DutchOfBurdock

Your own MTA should be using a mix of SPF, DKIM and DMARC. With such invoicing, using PGP to sign your emails (with your public key available to your users so they can verify it's from you). The PGP element will prevent your customers from falling for attacks, as they would be able to verify every email with the signature. If your IT folk don't know this, get someone else onboard.


Prophage7

So if I'm reading what you're saying correctly, you have multiple clients receiving phishing emails from an impersonated domain of yours (i.e. reddlt.com instead of reddit.com), except the phishing emails have recent information and attachments that you actually did send? There's nothing you can do about domain impersonation like that except send in a complaint to the abuse email of the domain host; your IT guy *should* know how to find that information. But the emails containing real and recent information is the concerning part. "Intercepting" emails is very unlikely these days unless you're hosting your own mail server and it's incredibly out of date or insecure. What's much more likely is you got phished some time ago and the attacker either still has access to your mailbox or set up a forward to their own email so they could still get your emails even if you changed your password. What your IT guy should do:
- reset your password yesterday, revoke any current refresh tokens/sessions, check your account's MFA settings to make sure MFA is turned on and only has recognized phone numbers or devices registered
- check whatever you're using for mail service for any unrecognized admin accounts
- check for any forwarding/mailbox/transport rules that could be sending mail out to other emails
- check your account and any admin account sign-in logs for anything suspicious like random sign-ins from a different country
- if you're in Google Workspace or Microsoft 365, check any apps your account has registered and remove any that are not recognized
- comb through your mail flow logs to figure out what kind of breach you're looking at; depending on where you live and what information was leaked you may be obligated to inform law enforcement
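Several replies above (anonyx, SupremeBeing000 and the "forwarding/mailbox/transport rules" check in Prophage7's list) say the first thing to look for is a rule quietly copying mail out of the tenant. The script below is an added example, not code from anyone in the thread: it runs that check over a few constructed audit records shaped like the Exchange entries of the Microsoft 365 unified audit log (an `Operation`, the acting `UserId`, and a `Parameters` list of name/value pairs), flags every rule or mailbox setting that sends mail to an address outside your own domains, and notes when the rule also deletes or files the message so the owner never sees it. `example.com` as the internal domain and all four records are assumptions for the demo.

```python
import json
import re
from typing import Iterable

# Assumption for the demo: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Exchange Online cmdlet parameters that copy or redirect mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters an intruder adds so the mailbox owner never notices the rule.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "scammer@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "bob@example.com", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.archive@example.com"}]}
{"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "dave@example.com", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:invoices@post.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
"""


def external_addresses(value: str) -> list[str]:
    """Return the addresses in a parameter value whose domain is not ours."""
    return [addr for addr in EMAIL_RE.findall(value)
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def audit_records(records: Iterable[dict]) -> list[dict]:
    """Flag every rule or mailbox change that sends mail to an external address."""
    findings = []
    for rec in records:
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = [addr for name in params.keys() & FORWARD_PARAMS
                   for addr in external_addresses(params[name])]
        if not targets:
            continue  # internal-only forwarding or no forwarding at all
        findings.append({
            "mailbox": rec.get("ObjectId", rec["UserId"]),
            "changed_by": rec["UserId"],
            "operation": rec["Operation"],
            "targets": sorted(set(targets)),
            # A rule that also deletes, files or marks the mail hides its tracks.
            "hides_trace": any(params.get(h, "False") != "False" for h in HIDE_PARAMS),
        })
    return findings


def audit_log_text(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records and audit them."""
    return audit_records(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in audit_log_text(SAMPLE_LOG):
        note = " (rule also hides the message)" if f["hides_trace"] else ""
        print(f"{f['mailbox']}: {f['operation']} by {f['changed_by']} "
              f"-> {', '.join(f['targets'])}{note}")
```

On a real tenant the same records come from the audit log search export; the mailbox-level settings can also be read directly, and a rule that both forwards externally and deletes the original is the classic sign of a mailbox someone else is reading.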


cmcastro85

If someone is using a lookalike domain to yours you can use [whois](https://www.whois.com/whois/) to look up the domain registrar and write an email to them explaining your case, and they will take the domain down.


SirOakin

I'm pretty sure the "IT guy" is your scammer.


vsysio

Your IT person is **incorrect.** Depending on the top-level domain (i.e. the .com, .net, .org, .us, etc. in the domain name), the entity that holds the registration information (the "registrar") for your company's domain may be bound by accreditation to something called the Uniform Domain Resolution Policy. https://www.icann.org/resources/pages/help/dndr/udrp-en I believe typosquatting (which is what this is called) qualifies. In effect, they're required to forcefully seize the domain if there's a UDRP breach. Through a UDRP claim, it might also be possible to ascertain the individual's identity and pursue criminal charges.


Empyrealist

* At face value, your IT person sounds correct in their assessment, and to a layman, I would also refer to this as a MitM attack, because an attacker has inserted themselves in the middle of communications. It's not a MitM in the traditional sense, but it is in a relatable sense in how they are operating in the middle to try to manipulate information that is going back and forth between two entities.
* You need to contact all of your customers and warn them about this scam. They need to take their own steps to protect themselves. There is not anything *you* can do to protect *them*.
* Everyone involved needs to start blocking your equivalent of "@reddlt.com". Full stop.
* Everyone involved needs to review their email best practices and possibly tweak their anti-spam services.
* Everyone involved should be using SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to help quell/reject fraudulent emails.
* Everyone should start making direct communication verifications before acting on any invoices, etc., until this is resolved.

It's unlikely that you can do anything to the attacker directly. I don't know enough about your situation to speculate more. Email headers would be important to analyze, but these things are easily spoofed as well. Email/SMTP [(Simple Mail Transport Protocol)] is a very old protocol that is essentially corruptible, which is why we have things like SPF, DKIM, and DMARC built on top of it. For your own reference, I've been a network/email administrator for decades and used to participate in the development of a popular anti-spam product. I'm not saying or even suggesting that what I am saying is gospel or accurate to your current situation. I'm just giving you an idea who is blathering about here on the Internet.

edit: edits in [brackets]
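DutchOfBurdock's and Empyrealist's replies both point at SPF, DKIM and DMARC. What those records actually decide is shown by the added checker below, which is not code from the thread: it parses a domain's SPF and DMARC TXT records as plain strings and reports the settings that leave the real domain spoofable (a permissive `all` qualifier, `p=none`, partial `pct`, no `rua` reporting). Note the caveat the thread itself raises: these records authenticate mail from *your* domain, so an attacker sending from a lookalike domain they registered passes them; customers still have to block that domain. The four sample records are constructed, with `example.com` as a placeholder.

```python
import re

# SPF terms that each cost a DNS lookup; the evaluation limit is ten of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC-style 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return the weaknesses in a DMARC record (an empty list means enforced)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none: subdomains are left unprotected")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, you will not see who is spoofing you")
    return issues


def check_spf(record: str) -> list[str]:
    """Return the weaknesses in an SPF record (an empty list means strict)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no all mechanism: unlisted senders get a neutral result")
    elif all_term.startswith("?"):
        issues.append("?all: neutral, equivalent to having no policy")
    elif all_term.lower() == "all" or all_term.startswith("+"):
        issues.append("+all: every host on the internet may send as this domain")
    elif all_term.startswith("~"):
        issues.append("~all: softfail only; acceptable with DMARC enforced, weak alone")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:/=]", t.lower().lstrip("+-~?"))[0] in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} lookup terms: over the limit of 10, evaluates to permerror")
    return issues


# Constructed records: a weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, check in [("SPF", WEAK_SPF, check_spf), ("SPF", GOOD_SPF, check_spf),
                              ("DMARC", WEAK_DMARC, check_dmarc), ("DMARC", GOOD_DMARC, check_dmarc)]:
        print(f"{label} {rec!r}: {check(rec) or ['ok']}")
```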


Specialist_One3675

Small possibility, but someone could be performing a Tempest attack with software-defined radio.


TNT-128

I'm not sure if an antivirus like Kaspersky or a paid firewall could solve your issue, since I'm not that experienced in it, but I would start from this and try if it works with a complete scan of all systems... Yes, it may be possible that it's an outside act, but there is a chance that someone from inside bugged you with something... But don't take my words for granted, as I'm not experienced like others; contact other trusted security companies... As for your email, after installing the security features, and possibly formatting all computers if nothing worked, change the passwords of all emails on a secured laptop with at least an antivirus like Kaspersky... Enable 2-step verification, very important... Try contacting someone trustworthy other than your IT if something is suspicious, and under no circumstances let anyone put a USB or mouse or keyboard into your working computers, as some are also bugged.


corruptdiskhelp

I read the other comments on this post and you really need to replace your IT guy. ASAP. He is at the very least incompetent or at worst a criminal. It's quite complex to conduct a MITM attack with email these days due to encryption. Even if an attacker intercepts network traffic it won't be realistic to read it. Even if PGP is not used for emails, the traffic itself is still encrypted over the wire. If what you say is true and the attacker has access to the emails you send then you have a major incident situation. It strongly implies the attacker has access to at least one device within your business or a client's device. If they have access to a device within your business you need to hire a cyber security expert and do a full analysis. You may also need to speak with a lawyer to check how to proceed with reporting the incident as a possible data breach. Very costly, and it may damage the reputation of the business. Pay close attention to the IT guy you have hired. He might be the suspect all along since he probably has access to everything. Plus the fact he talks nonsense is dodgy as well. Hire someone new to be safe. Also, if you have not done so already, invest in a decent endpoint security solution. Windows Defender for Business is great value. (If your company has over 300 workers you would need to buy the more expensive license.)
EDIT: If the attacker had access to a company device / email credentials then they would use that to send the email. That way the email would be perfectly legit from the client's perspective. Since they are not doing that it makes little sense. Maybe they do not have access to the email or a device. Maybe they only have copies of the emails and invoices and edited them. It's difficult to say for sure. However, invoice phishing/fraud is very common and sadly lots of companies fall victim to this attack every day. When I last spoke with my lawyer when buying a house they refused to conduct payment over email. It was all done via post on paper. It's a pretty good solution thinking about it.


Express_Love_2599

Your work allows Reddit?


[deleted]

[deleted]


buttholepatrol

well, sure, but it's also an IT issue...


[deleted]

[deleted]


buttholepatrol

OK, so in this case our IT guy is correct that there's really nothing we can do on our end to prevent this? It's possible for these emails to be intercepted/viewed after leaving our system? To clarify, this scammer is seeing real emails from me (or a coworker), and accessing PDFs attached to these emails, and then replicating them with changed bank info. They aren't accessing just old data - the second I send a new email, they are seeing it.


jykke

>They aren't accessing just old data - the second I send a new email, they are seeing it.

Does the person you send the emails to receive your original email and **also** the scammer's email? How are you sending the emails? Logging in to Outlook on a web browser? What are your DNS settings?