A few days ago I came across the CBC story on how a Canadian man had been defrauded out of $800,000 when cybercriminals inserted themselves into a real estate deal and had the funds diverted to themselves:
Here is the “Whois” record for the fake domain used to send the $$ redirection email. These could be searched for all suspicious transactions to generate a “is this who you are dealing with” query. “Did you (customer) notice the change?” @easyDNS – https://t.co/QPFjkYGPad pic.twitter.com/CEHRj08t92
— Ron Usher (@ron_usher) November 18, 2019
My first reaction when I saw this was “Oh ****” because I thought easyDNS had something to do with a story about cyberfraud that was in the early innings of going viral on Twitter. Thankfully, no, it was just an easyDNS client posting the Whois record for the fraudulent domain used in the scam via our easyWhois tool.
The TL;DR of the CBC story is that a Canadian man was in the process of buying a condo in the U.S. As the deal was nearing close, he received an email, ostensibly from the realtor, instructing him to change the destination of his wire transfer: over USD 600K, roughly CAD 800K.
What neither he nor the bank noticed was that the new instructions did not come from the realtor’s real domain (BradySandahl.com) but from a lookalike the fraudsters had registered with the last two letters of the name transposed: bradysandalh.com.
My second reaction was to wonder whether the original real estate deal was even real, or whether it was part of the fraud. It turns out it was a real deal, but the cybercrooks inserted themselves into the transaction at a key point in the process.
I wrote it up in this week’s edition of our #AxisOfEasy briefing but still found myself wondering about it.
How did they pull it off?
Registering slight variations of somebody else’s domains is trivial. But how did they know that there was a deal in the offing, who were the parties to it, and when was the right time to step into the transaction with bogus wire transfer instructions?
This morning I got a DM on Twitter from somebody who had read the #AxisOfEasy piece on it, who told me a similar story:
Just read your message about the 800k real estate fraud. The thing that really piqued my interest was about the two letters being swapped. My company just experienced this exact same thing two weeks ago. We tracked it down to a VP getting his O365 account compromised, and the attacker stuck in a forwarding rule.
Then when they saw a big transaction about to go through, they bought the domain that had two letters swapped, and impersonated the contact, saying to change the payment info.
And this was the second such incident at that firm. Neither succeeded, but both relied on a forwarding rule surreptitiously placed in a compromised Office 365 account.
So that’s how it works: attackers compromise email accounts, probably via spearphishing, and probably target companies known to move large sums by wire transfer.
Then they drop in a forwarding rule that copies all of the victim’s email to an external address, almost certainly a throwaway account somewhere. They probably have filters or scans in place to scour that mail for interesting items:
- Passwords, login creds
- Private keys and Bitcoin / crypto wallet details
- Chatter about financial transactions
- Stock tips (mergers and acquisitions)
There’s really no end to the kind of information they can mine for. Then, when they get wind of an opportunity, they step into the flow of the transaction and insert an email with “revised” wire transfer details, sent from the lookalike domain.
What to do about it
Beyond always treating emailed instructions to change the destination of a large transfer as highly suspicious, and confirming any such change out of band over a phone number you already had on file rather than one in the email (the victim is suing his bank for sending the wire transfer anyway), there are two sides to the remedy here:
On the client side
- Check your settings in your email host for any additional forwards that are not supposed to be there.
- If you forward email to another location, check the forwarding service as well, to make sure nobody has compromised your account there and appended extra destinations to your existing forwards.
- As always, watch out for phishing attempts. Any time you are being prompted via email to update, confirm, verify or save your account from suspension by logging in, you are in the danger zone for being phished.
- Enable all security enhancements on your accounts. At easyDNS that includes: account ACLs, 2-factor authentication and copious event notifications.
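The first client-side check above, done over audit records rather than by eyeballing a settings page. This is an added example, not part of the original post and not Microsoft tooling: it scans a batch of constructed records that mimic the Operation plus Name/Value parameter shape of Office 365 / Exchange Online audit-log entries, reports every inbox rule or mailbox setting that forwards mail to a domain other than your own, and rates it higher when the rule also deletes or files the original, which is what keeps the account owner from noticing. The record layout, the addresses and the domains example-firm.com and example-webmail.net are assumptions for the demonstration.

```python
"""Flag mail-forwarding rules and settings in Office 365 style audit records.

Added example, not part of the original post and not Microsoft tooling. The
records below are constructed; they mimic the Operation/Parameters shape of
Exchange Online audit-log entries, but real exports carry many more fields.
"""
import re

# Constructed sample records (assumption: an Operation plus a list of
# Name/Value parameters, as the audit log presents rule changes).
SAMPLE_AUDIT_LOG = [
    {   # attacker-style rule: forwards everything off-domain and deletes the copy
        "CreationTime": "2019-11-04T13:02:11", "UserId": "vp@example-firm.com",
        "Operation": "New-InboxRule", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "vp.archive@example-webmail.net"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {   # ordinary housekeeping rule, no forwarding
        "CreationTime": "2019-11-04T15:40:02", "UserId": "finance@example-firm.com",
        "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "SubjectContainsWords", "Value": "newsletter"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {   # mailbox-level forward set on the same compromised account
        "CreationTime": "2019-11-05T02:11:48", "UserId": "vp@example-firm.com",
        "Operation": "Set-Mailbox", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Identity", "Value": "vp@example-firm.com"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:vp.backup@example-webmail.net"},
            {"Name": "DeliverToMailboxAndForward", "Value": "True"},
        ],
    },
    {   # internal forward to an assistant: expected, not flagged
        "CreationTime": "2019-11-05T09:00:00", "UserId": "cfo@example-firm.com",
        "Operation": "Set-InboxRule", "ClientIP": "198.51.100.9",
        "Parameters": [
            {"Name": "Identity", "Value": "To assistant"},
            {"Name": "ForwardTo", "Value": "Pat Lee <assistant@example-firm.com>"},
        ],
    },
    {   # unrelated operation, ignored
        "CreationTime": "2019-11-05T09:30:00", "UserId": "vp@example-firm.com",
        "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.45", "Parameters": [],
    },
]

# Parameters that send a copy of mail somewhere else ...
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# ... and parameters that keep the owner from noticing the forwarded copy.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Pulls bare addresses out of "smtp:x@y", "Name <x@y>" or comma-joined lists.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parameters(record):
    """Flatten the Name/Value list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_addresses(value, internal_domains):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in ADDRESS_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in internal_domains]


def is_set(value):
    """Treat empty/false-ish parameter values as 'not set'."""
    return value.strip().lower() not in ("", "false", "none", "$null")


def find_suspicious_forwards(records, internal_domains):
    """One finding per rule or mailbox setting that forwards mail off-domain."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parameters(rec)
        targets = []
        for name in sorted(set(params) & FORWARD_PARAMS):
            targets += external_addresses(params[name], internal)
        if not targets:
            continue  # internal forwards and non-forwarding rules are fine
        hiding = sorted(n for n in set(params) & HIDING_PARAMS if is_set(params[n]))
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "client_ip": rec.get("ClientIP"),
            "rule": params.get("Name") or params.get("Identity"),
            "targets": targets,
            "hiding": hiding,
            # forward plus delete/move is the pattern described in the post
            "severity": "high" if hiding else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_forwards(SAMPLE_AUDIT_LOG, ["example-firm.com"]):
        print(f"{f['severity']:6} {f['time']} {f['user']} {f['operation']} "
              f"-> {', '.join(f['targets'])} hiding={f['hiding'] or '-'}")
```

On a real tenant the same property names (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder) are what an admin sees on an inbox rule, so the live check is to list the rules on the affected mailboxes and the mailbox-level forwarding address and compare against this kind of output. A rule with a blank or single-character name that forwards off-domain and deletes the original is the textbook version of what the DM above describes.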
On the vendor side
If you run a law firm, real estate agency, investment bank or any entity that routinely moves large sums of money, you should have a mechanism in place that detects lookalike domains as they are registered.
Our new Domainsure platform does this, in near realtime.
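To make the transposition trick from the story concrete, and to show the shape of the vendor-side check, here is an added example (my illustration, not code from the original post or from Domainsure) in Python. It generates the single-edit near misses an attacker might register for a counterparty’s domain (adjacent letters swapped, as in bradysandahl.com versus bradysandalh.com, plus one letter dropped, one letter doubled, and a small l/i-style homoglyph table), classifies an incoming sender’s domain against them, and screens a list of newly registered names against the domains you monitor. The homoglyph table, the constructed registration feed and the function names are assumptions; the two Brady Sandahl domains are the ones from the story.

```python
"""Lookalike-domain screening for transaction counterparties.

Added example, not part of the original post and not Domainsure's code. The
real domain bradysandahl.com and the fraudulent bradysandalh.com come from the
story; the variant rules, homoglyph table and sample feed are assumptions.
"""

# Assumption: a small illustrative substitution table. The tweet quoted in
# the post mentions "l" (ell) standing in for "i" (eye); the rest are common
# look-alike pairs seen in typosquats.
HOMOGLYPHS = {
    "i": ("l", "1"), "l": ("i", "1"), "o": ("0",), "0": ("o",),
    "rn": ("m",), "m": ("rn",), "vv": ("w",), "w": ("vv",),
}


def split_domain(domain):
    """'BradySandahl.com' -> ('bradysandahl', 'com').

    Simplification: the registrable label is everything before the last dot,
    so multi-part suffixes such as .co.uk are not special-cased.
    """
    name = domain.strip().lower().rstrip(".")
    label, _, tld = name.rpartition(".")
    return label, tld


def transpositions(label):
    """Every variant with one pair of adjacent letters swapped (the trick in the story)."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def omissions(label):
    """Every variant with one letter dropped."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetitions(label):
    """Every variant with one letter doubled."""
    return {label[:i + 1] + label[i:] for i in range(len(label))}


def homoglyphs(label):
    """Every variant with one substring replaced by a look-alike from HOMOGLYPHS."""
    out = set()
    for src, replacements in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            for rep in replacements:
                out.add(label[:idx] + rep + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    return out


def lookalikes(domain):
    """All single-edit near misses of a domain under the same TLD, minus the domain itself."""
    label, tld = split_domain(domain)
    variants = transpositions(label) | omissions(label) | repetitions(label) | homoglyphs(label)
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants}


def classify_sender(address, trusted_domains):
    """'trusted', 'lookalike of <domain>' or 'unknown' for a bare sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    trusted = {d.lower() for d in trusted_domains}
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        if domain in lookalikes(t):
            return f"lookalike of {t}"
    return "unknown"


def screen_registrations(new_domains, monitored_domains):
    """Vendor-side use: which newly registered names impersonate a monitored domain."""
    table = {}
    for m in monitored_domains:
        for v in lookalikes(m):
            table.setdefault(v, m.lower())
    return [(d.lower(), table[d.lower()]) for d in new_domains if d.lower() in table]


# Constructed sample feed of "newly registered" names; not real registrations.
NEW_REGISTRATIONS = ["bradysandalh.com", "bradysandahi.com", "brady-sandahl.com",
                     "unrelated.com", "bradysandahl.net"]

if __name__ == "__main__":
    print(classify_sender("agent@bradysandalh.com", ["bradysandahl.com"]))
    for hit, target in screen_registrations(NEW_REGISTRATIONS, ["bradysandahl.com"]):
        print(f"{hit} looks like {target}")
```

Two things the output makes obvious: hyphenated or other-TLD variants (brady-sandahl.com, bradysandahl.net) are not caught by a single-edit generator, so a monitoring feed needs wider rules than this, and the variant set for a twelve-letter name is already a few dozen domains, which is why registering one of them is cheap for the attacker and why the check has to run on the receiving side.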
It is worth noting that the client who originally brought this to our attention on Twitter did some digging of his own and found that the registrant email address on the fake domain in this caper is tied to over 100 other domains, each a similar variation on some other firm’s name:
The AOL email address shown in the whois record for the imposter domain is connected to over 100 domains. For example, https://t.co/ZotwgXrlSa – a subtle distortion of the actual https://t.co/Ovkjv2QAfA ( https://t.co/JTeSCqgUui ) The “l” (ell) is substituted for the “i” (eye)
— Ron Usher (@ron_usher) November 18, 2019
With an early warning mechanism in place you can at least give your clients and counterparties in any deal you are working on a heads-up to be on the alert for this type of attack.
01D_1337R says
I am currently experiencing a similar situation.
I’m receiving email for a Quebec company that happens to have a domain similar to one of mine – only two letters are transposed.
I’ve sent them emails to no avail.
I’ve not looked at any of the attachments but, based on the body of the messages, I could gain insight on a substantial amount of privileged information.
I’ve been deleting their emails recently and will soon have to disable my wildcard (& consequently my easy canary system) and define each of my valid email addresses (which means I also have to do the same every time I want to use a new email address, so there goes the “on-the-spot” convenience).
It’s a good thing for them that I’m not nefarious.
Mark E. Jeftovic says
Check if the majority of the emails are hitting the same addresses intended for them, if it’s a manageable number then instead of disabling your catchall, enter explicit maps for those guys, with either BOUNCE or DISCARD for their values. That way you’ll never see them and you can keep using your catch-all as a canary email.
Mladenka Poljak says
Same here. A company has the .net of a name for which I have the .com. I regularly receive orders. I have informed company.net and asked them to direct their customers to the right addresses. Never heard from them. So I keep receiving wrongly addressed mail, and they miss their orders and appointments.
Paul C says
01D_1337R, check to see if your email service supports “plus addressing” or “tagged addressing”. For example, if you use gmail, you might be 0177r@gmail.com, but email sent to 0177r+foo@gmail.com or 0177r+bar@gmail.com will still reach your inbox. This gives you unlimited addresses you can invent on demand, without the domain wildcard. Any email provider worth their salt should be able to support this.
Mark E. Jeftovic says
We do.
J Robinson says
When it comes to large transactions, it appears there is something to be said for using fax and courier for documents! Just when I thought they were both dead communication modes. Who woulda thought?