Carbonite
Email interception

LukeS
Hi there,

Has anyone experienced a situation before with POP3 connectors where "internal email" gets intercepted and arrives at the recipient with a different attachment than it was sent with?
 
Is there no security on the mail client?
 
Not possible.

Unless the email address was spoofed. Or email was received on a webmail platform, edited and sent from the webmail platform in edited form.

It's not possible to intercept an email in another manner. It is either spoofed or someone has access to the email account.
 
Yes. Sounds very much like BEC (Business Email Compromise) / EAC (Email Account Compromise). Google it. It's common in South Africa as well.

Bank account different or any payment instructions?

We had a client receive an email, but the bank acct mysteriously kept changing in the attached doc. Luckily they phoned up to check. Another email was sent with them on the phone, less than a minute later they received it, bank account different. Turned out they had somebody accessing the email provider.

Check IP logs, hidden email folders and forwarding filters on the email server if possible. Also, a good malware scan on your side won't do harm.
 
Thanks @SpaceWalker and @Centurion_Oke

Happened twice at a client: once I think the supplier has been compromised, the other one was an internal email. So the first one being "internal", although they have no Exchange solution, only POP, is the weird one for me.
Definitely seems to be at the ISP, although the ISP claims no breach on their system, so not too sure what to do.
 
First steps would be to reset all POP and SMTP passwords, if SMTP authentication is used. Look at implementing AWS SES or a similar secure SMTP provider other than a standard hosting provider SMTP solution. Use secure DNS network wide. Make sure AV and firewalls are functioning.

Edit: I assume it's a custom domain and not Gmail etc. If so, DMARC is a must and easy to implement to stop spoofing.
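The DMARC check the post above recommends comes down to one question per message: does the domain in the From: header the user sees align with a domain that passed SPF or DKIM? The following is an added example (not code from this thread or from any poster) that evaluates a DMARC record against the authentication results of two constructed messages. The domain names, the record, the SPF/DKIM results and the tiny suffix list are all assumptions made for illustration. Note what it does and does not cover: a forged From: header on the real domain is rejected, but a lookalike domain the attacker registers and authenticates for themselves passes DMARC for that lookalike, so DMARC stops exact-domain spoofing only.

```python
"""Evaluate DMARC for one inbound message: added example, not from the thread.

Assumptions (not in the original post): domain names, the SPF/DKIM results and
the tiny suffix list below are constructed for illustration.
"""
from dataclasses import dataclass

# Stand-in for the Public Suffix List; a real evaluator must use the full list,
# otherwise "example.co.za" would be treated as a subdomain of "co.za".
SECOND_LEVEL_SUFFIXES = {"co.za", "org.za", "ac.za", "co.uk"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str      # domain in the From: header the recipient sees
    spf_result: str       # "pass", "fail", "none", ...
    spf_domain: str       # MAIL FROM (envelope) domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str      # d= tag of the validated DKIM signature ("" if none)


def evaluate_dmarc(record: str, r: AuthResults) -> tuple[bool, str]:
    """Return (passed, disposition). Disposition is the p= action on failure."""
    tags = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    return False, tags["p"]


# Constructed policy and two constructed messages.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.za"

LEGIT = AuthResults("example.co.za", "pass", "bounce.example.co.za", "none", "")
# Forged From: header; SPF passes only for the attacker's own envelope domain.
SPOOFED = AuthResults("example.co.za", "pass", "mailer.attacker-host.net", "none", "")

if __name__ == "__main__":
    print("legit  :", evaluate_dmarc(RECORD, LEGIT))     # (True, 'none')
    print("spoofed:", evaluate_dmarc(RECORD, SPOOFED))   # (False, 'reject')
```

Start with `p=none` and the `rua=` reporting address so you can see which legitimate senders (the hosting provider's SMTP, AWS SES, the accounting package) fail alignment, then move to `p=quarantine` and `p=reject` once they are covered by SPF or DKIM.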
 
Yo,

Got into the cPanel today, forwarders all over. Think they've been there a while. Not sure if they configured them from cPanel or the individual mailboxes, though. Domain host can't really provide any access logs with enough detail.

Thanks for the replies here :)
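Both the advice to check forwarding filters on the server and the finding above of forwarders "all over" in cPanel call for the same check, so here is one added example for both (written for this edit, not posted by anyone in the thread). It parses the `address: destination[, destination]` format cPanel keeps in `/etc/valiases/<domain>` and flags every alias that delivers mail outside the organisation's domains or into a program. The file content, the domain names and the trusted-domain set are constructed; an attacker with cPanel access can also add per-mailbox Exim filters, which live elsewhere and are not covered by this parser.

```python
"""Audit cPanel forwarder definitions for destinations outside the organisation.

Added example, not from the thread. Assumptions: the file format is that of
cPanel's /etc/valiases/<domain> ('address: destination[, destination]'); the
sample content and domain names below are constructed.
"""
import re

# Constructed sample of /etc/valiases/example.co.za
SAMPLE_VALIASES = """\
accounts@example.co.za: accounts@example.co.za, acc0unts.backup@gmail.com
sales@example.co.za: sales@example.co.za
info@example.co.za: "|/usr/local/cpanel/bin/autorespond info@example.co.za /home/exampl/.autorespond"
*: :fail: No Such User Here
"""

TRUSTED_DOMAINS = {"example.co.za"}


def parse_valiases(text: str) -> dict[str, list[str]]:
    """Map each alias to its list of destinations."""
    forwards: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        alias, _, rhs = line.partition(":")
        dests = [d.strip().strip('"') for d in rhs.split(",") if d.strip()]
        forwards[alias.strip()] = dests
    return forwards


def classify_destination(dest: str, trusted: set[str]) -> str:
    """'internal', 'external', 'pipe' (delivery to a program), 'directive' or 'unknown'."""
    if dest.startswith("|"):
        return "pipe"
    if dest.startswith(":"):          # :fail:, :blackhole:, :defer:
        return "directive"
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", dest)
    if not m:
        return "unknown"
    return "internal" if m.group(1).lower() in trusted else "external"


def suspicious_forwarders(text: str, trusted: set[str]) -> list[tuple[str, str, str]]:
    """Return (alias, destination, kind) for anything that sends mail off-platform
    or to a program. Pipes are flagged for review: cPanel's own autoresponder uses
    one, but so would an attacker's exfiltration script."""
    findings = []
    for alias, dests in parse_valiases(text).items():
        for d in dests:
            kind = classify_destination(d, trusted)
            if kind in ("external", "pipe", "unknown"):
                findings.append((alias, d, kind))
    return findings


if __name__ == "__main__":
    for alias, dest, kind in suspicious_forwarders(SAMPLE_VALIASES, TRUSTED_DOMAINS):
        print(f"{kind:8} {alias} -> {dest}")
```

Run it over every domain file on the server, not only the one that complained: a "copy to gmail" forwarder on the accounts mailbox is exactly how the attacker learns which invoices are in flight before sending the edited version. The same review applies to Gmail or Google Workspace accounts, where forwarding and filter rules are per mailbox and are checked in the account settings or the admin audit log rather than a file.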
 
Any chance of this occurring with Gmail accounts? Or Google domains email forwarding
 
This is more common than you might think.

POP3 and SMTP send credentials over plaintext which means it's super easy to sniff. If a client used an unsecured mail connection on a public wireless hotspot, they would be at a heightened risk, however the password can also be sniffed over the internet by someone that's on the same ISP subnet.

The first step is to change everyone's mail account passwords, and at the same time reconfigure their mail clients to use SSL/TLS for POP and SMTP. The mail hosting company would provide the port details, although it's usually a set of default ports.

How to protect yourself from email interception fraud | The Help Centre
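To make concrete what "super easy to sniff" means for a client still on unencrypted POP3 and SMTP, here is an added example (not from the thread or the linked article) that pulls the credentials back out of captured plaintext sessions, exactly as an attacker on the same hotspot or network segment would. The two streams are constructed to look like Wireshark's "Follow TCP Stream" output; the user name and password are made up. SMTP's AUTH PLAIN and AUTH LOGIN only base64-encode the secret, which the code reverses in one call: base64 is not encryption, and only a TLS connection protects the password.

```python
"""Pull credentials out of captured plaintext POP3 and SMTP sessions.

Added example, not from the thread. The streams below are constructed to look
like Wireshark's "Follow TCP Stream" output for a client whose encryption
setting is "none"; the user name and password are made up.
"""
import base64
import re

# Constructed POP3 session on port 110 (no STARTTLS): the password crosses the
# wire as typed.
POP3_STREAM = "\r\n".join([
    "+OK POP3 server ready",
    "USER accounts@example.co.za",
    "+OK",
    "PASS Summer2016!",
    "+OK Logged in.",
    "STAT",
    "+OK 3 12040",
]) + "\r\n"

# Constructed SMTP submission without STARTTLS, using AUTH PLAIN: one base64
# blob of "<authzid>\0<user>\0<password>".
SMTP_STREAM_PLAIN = "\r\n".join([
    "220 mail.example.co.za ESMTP",
    "EHLO laptop",
    "250-mail.example.co.za",
    "250 AUTH LOGIN PLAIN",
    "AUTH PLAIN " + base64.b64encode(b"\0accounts@example.co.za\0Summer2016!").decode(),
    "235 2.7.0 Authentication successful",
]) + "\r\n"

# Same, using AUTH LOGIN: the server prompts, the client answers in base64.
SMTP_STREAM_LOGIN = "\r\n".join([
    "220 mail.example.co.za ESMTP",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",   # base64("Username:")
    base64.b64encode(b"accounts@example.co.za").decode(),
    "334 UGFzc3dvcmQ6",   # base64("Password:")
    base64.b64encode(b"Summer2016!").decode(),
    "235 2.7.0 Authentication successful",
]) + "\r\n"


def extract_pop3_credentials(stream: str):
    """Return (user, password) from the USER/PASS commands, or None."""
    user = password = None
    for line in stream.splitlines():
        m = re.match(r"(?i)^USER\s+(\S+)\s*$", line)
        if m:
            user = m.group(1)
        m = re.match(r"(?i)^PASS\s+(.+?)\s*$", line)
        if m:
            password = m.group(1)
    return (user, password) if user and password else None


def extract_smtp_credentials(stream: str):
    """Return (user, password) from AUTH PLAIN or AUTH LOGIN, or None."""
    lines = stream.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"(?i)^AUTH\s+PLAIN\s+(\S+)", line)
        if m:
            # SASL PLAIN is "[authzid] NUL authcid NUL password", then base64.
            parts = base64.b64decode(m.group(1)).split(b"\0")
            if len(parts) == 3:
                return parts[1].decode(), parts[2].decode()
        if re.match(r"(?i)^AUTH\s+LOGIN\s*$", line):
            # The client's two answers are the following lines that are not
            # server responses (those start with a three-digit code).
            replies = [l for l in lines[i + 1:i + 5] if not re.match(r"^\d{3}[ -]", l)]
            if len(replies) >= 2:
                return (base64.b64decode(replies[0]).decode(),
                        base64.b64decode(replies[1]).decode())
    return None


if __name__ == "__main__":
    print("POP3      :", extract_pop3_credentials(POP3_STREAM))
    print("AUTH PLAIN:", extract_smtp_credentials(SMTP_STREAM_PLAIN))
    print("AUTH LOGIN:", extract_smtp_credentials(SMTP_STREAM_LOGIN))
```

The fix is the one the post describes: after resetting passwords, move every client to POP3 on 995 or IMAP on 993 with SSL/TLS and SMTP on 587 with STARTTLS (or 465 with SSL/TLS), and confirm that the client is set to verify the server certificate, since a client that accepts any certificate is still open to an active interceptor.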
 
