Geekzone: technology news, blogs, forums
martyyn

#275910 16-Sep-2020 14:16

A local business was reportedly "hacked" two weeks ago. The details are sketchy because after talking to them they don't really understand how their email works, they don't really know what happened, what was involved or what was lost. Their IT guy has said there is nothing they can do about it, so they aren't doing anything.

I first heard about it last week when another local business came to me saying they had people calling them to say they had received email which their anti-virus had blocked.

I took a look at some examples and it was the usual case where the name was changed to their business name (although with a typo most people won't notice) and the reply address was something like <abc@huoyfhsue.df>. Even where they have changed the email address to be blah@domain.com the headers still show random domains.

The phone calls eventually stopped but there have been five today so obviously it's started again.

They have valid SPF and DKIM records and their website and email are all looking ok. One employee admitted to opening the attachment because they thought it had come from someone they knew, but all their desktops, laptops and mobiles are also clean.

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned ok with ESET and malwarebytes and opens a blank Word doc.

So I'm assuming this is just a case of spammers spoofing their details (however badly) and there is little to nothing we can do about it?

timmmay
  #2566003 16-Sep-2020 14:26

SPF should be set to hard fail to reject email that hasn't come from authorised email servers.


xpd

  #2566011 16-Sep-2020 14:48

Will be fallout from the lovely Emotet malware most likely, getting calls regarding similar issues all the time. One client was getting hammered by emails, then they dropped off, but have started again.

martyyn

  #2566012 16-Sep-2020 14:49

I've always understood a hard fail would mess with any forwarding of genuine emails. It was a while ago so my memory may not be correct.

I've just noticed they have no DMARC set up. I see lots of conflicting advice with DMARC so never know whether it's necessary or not.
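
To put numbers on the hard-fail versus forwarding trade-off raised in the two posts above (timmmay's suggestion of -all and martyyn's concern about forwarding), here is an added example, not from the thread or any poster: a small SPF evaluator in Python run against a constructed zone. The domains, addresses and records are assumptions, and the evaluator covers only the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed zone data standing in for live DNS TXT lookups. The domains,
# addresses and records are assumptions for this example, not from the thread.
ZONE = {
    "example.co.nz": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # A throwaway domain with no SPF record at all, like the random
    # envelope domains seen in the spoofed mail.
    "huoyfhsue.df": "",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query (offline)."""
    return ZONE.get(domain.lower(), "")


def check_spf(ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Implements the ip4/ip6/include/all mechanisms of RFC 7208, which is
    enough to show the hard-fail and forwarding behaviour; a real checker
    also handles a, mx, exists, redirect and the 10-lookup limit.
    """
    if depth > 10:
        return "permerror"
    record = lookup_txt(domain)
    if not record.startswith("v=spf1"):
        return "none"           # no record: nothing for the receiver to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result       # catch-all decides: -all hard fail, ~all soft fail
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            # include matches only when the referenced record yields 'pass'
            if check_spf(ip, arg, depth + 1) == "pass":
                return result
    return "neutral"            # ran off the end with no 'all' term


def delivery_decision(spf_result):
    """Policy a receiving MTA might apply; the receiver chooses this, not the sender."""
    if spf_result == "fail":
        return "reject at SMTP time"
    if spf_result == "softfail":
        return "accept, add spam score"
    return "accept"


def scenarios():
    """Four constructed deliveries checked against example.co.nz's record."""
    return {
        # Business's own server, envelope from its own domain: matches ip4.
        "legit_direct": check_spf("203.0.113.10", "example.co.nz"),
        # Spammer's host using the business's domain as envelope sender.
        "spoof_business_domain": check_spf("192.0.2.55", "example.co.nz"),
        # Same spammer using a random domain with no SPF at all.
        "spoof_random_domain": check_spf("192.0.2.55", "huoyfhsue.df"),
        # A genuine message relayed by a third-party forwarder that keeps the
        # original envelope sender (no SRS): -all turns it into a hard fail.
        "legit_but_forwarded": check_spf("192.0.2.99", "example.co.nz"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} spf={result:8} -> {delivery_decision(result)}")
```

The forwarding case is the one to notice: a genuine message relayed by a third party that keeps the original envelope sender fails -all exactly as the spoof does, which is why many receivers treat SPF as one signal among several and why DKIM (which survives plain forwarding) plus DMARC alignment is the usual answer. The random envelope domain in the spoofed mail returns none: the business's own SPF record is never consulted for it.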


SirHumphreyAppleby
  #2566014 16-Sep-2020 14:55

SPF may help, assuming receiving servers actually check this. As SPF applies to the envelope address, malware can get around this by randomly selecting an envelope address using a domain with no or more relaxed SPF policies.

The domain should also have a DMARC policy to instruct mail servers on how to handle failed SPF and DKIM checks. Again, it won't stop everything as it relies on the recipient checking and enforcing these policies.


freitasm
  #2566021 16-Sep-2020 15:14

Back to original question, it looks more like a spoofed sender's address than "email hacked".

mattwnz
  #2566022 16-Sep-2020 15:20

You should easily be able to tell if the email has been hacked by looking at the header of the email, and the server IP that is sending the email. Check the header against a legit email. Most times it will be spoofed. Banks get spoofed all the time, and phishing emails pretending to be from banks are very common. So nothing new.
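
Here is an added example (editor's, not code from the thread) of the header comparison mattwnz describes, using only Python's standard library. The two raw messages are constructed: host names, addresses, IPs and the DKIM-Signature placeholder are assumptions, and nothing is verified cryptographically. It pulls out the facts worth comparing: the IP that connected to your own MX (read from the Received line your server wrote, since hops below it are supplied by the sender and can be forged), the envelope domain from Return-Path, the header From and Reply-To domains, and attachment names.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Two constructed messages for the example. Host names, addresses, IPs and
# message IDs are made up; the DKIM-Signature line is a placeholder and is
# not cryptographically verified here.
RAW_SPOOF = """\
Return-Path: <abc@huoyfhsue.df>
Received: from mail.huoyfhsue.df (unknown [192.0.2.55]) by mx.recipient.example with ESMTP id 7Z1; Wed, 16 Sep 2020 09:01:02 +1200
From: "Example Co Ltd" <accounts@example.co.nz>
Reply-To: <abc@huoyfhsue.df>
To: <victim@recipient.example>
Subject: Re: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Content-Disposition: attachment; filename="Invoice_8831.docx"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

RAW_LEGIT = """\
Return-Path: <accounts@example.co.nz>
Received: from smtp.example.co.nz (smtp.example.co.nz [203.0.113.10]) by mx.recipient.example with ESMTPS id 7Z2; Wed, 16 Sep 2020 09:05:00 +1200
DKIM-Signature: v=1; a=rsa-sha256; d=example.co.nz; s=sel1; h=from:to:subject; bh=placeholder; b=placeholder
From: "Example Co Ltd" <accounts@example.co.nz>
To: <victim@recipient.example>
Subject: Invoice
Content-Type: text/plain

Invoice is available on the portal, regards.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RISKY_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".js")


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg, my_mx):
    """IP that connected to our own MX, taken from the Received line our server
    wrote. Received lines below it came from the sender and can be forged."""
    for rcv in msg.get_all("Received", []):
        if f"by {my_mx}" in str(rcv):
            m = IP_RE.search(str(rcv))
            if m:
                return m.group(1)
    return None


def triage(raw, my_mx="mx.recipient.example"):
    """Return (facts, findings) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    facts = {
        "connecting_ip": connecting_ip(msg, my_mx),
        "envelope_domain": domain_of(msg.get("Return-Path")),  # MAIL FROM as recorded by the MX
        "from_domain": domain_of(msg.get("From")),              # what the user actually sees
        "from_display": parseaddr(str(msg.get("From", "")))[0],
        "reply_to_domain": domain_of(msg.get("Reply-To")),
        "has_dkim": msg.get("DKIM-Signature") is not None,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }
    findings = []
    if facts["envelope_domain"] != facts["from_domain"]:
        findings.append("envelope sender domain differs from header From domain")
    if facts["reply_to_domain"] and facts["reply_to_domain"] != facts["from_domain"]:
        findings.append("Reply-To points at a different domain than From")
    if not facts["has_dkim"]:
        findings.append("no DKIM-Signature header")
    for name in facts["attachments"]:
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return facts, findings


def compare(raw_suspect, raw_known_good):
    """Field-by-field diff of a suspect message against a known-good one."""
    suspect, _ = triage(raw_suspect)
    good, _ = triage(raw_known_good)
    return {k: (suspect[k], good[k]) for k in suspect if suspect[k] != good[k]}


if __name__ == "__main__":
    facts, findings = triage(RAW_SPOOF)
    for line in findings:
        print("!", line)
    for field, (seen, expected) in compare(RAW_SPOOF, RAW_LEGIT).items():
        print(f"{field}: suspect={seen!r} genuine={expected!r}")
```

A Return-Path that differs from From is not proof of anything on its own (mailing lists and newsletters do it legitimately); it is the combination with an unfamiliar connecting IP, a Reply-To on a throwaway domain and an Office attachment on a "reply" that makes the call easy. The From display name and domain are identical in both messages here, which is exactly why Joe Public picks up the phone.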


CYaBro
  #2566057 16-Sep-2020 15:56

A few of my clients have also asked about this recently, and they forwarded many examples to me, and they were all just spoofed email addresses.

No hacking going on and the recipient's mail server/client had correctly marked the emails as junk so not sure why they were even questioning it. :)

dt

  #2566066 16-Sep-2020 16:14

xpd:

Will be fallout from the lovely Emotet malware

My understanding with Emotet is that once it infects a PC it will start spamming the contacts of the infected computers as well, making it even harder as your regular user will be none the wiser and open attachments from a known contact.

This is where proactive user education really helps. I sent out an email to all network users advising that if they receive an email from a known contact stating they are "receiving phishing emails from you containing malware", it is likely coming from an infected computer, and not to open any attachments.

There was an email sent out from CERT on 07/09 advising about this.

SirHumphreyAppleby
  #2566069 16-Sep-2020 16:17

CYaBro:

No hacking going on

Based on the responses, I don't think anyone assumed that was the case. Spoofing is far more common.

I recently received an e-mail from "william from Los angeles" (IP address in India), requesting the source code for a mail application I wrote. I'd put money on it that the reason he wanted it was to alter the X-Mailer header so mail appeared to come from a popular client, and to allow the envelope address to be set to bypass SPF checks. He may have even wanted to bundle it with malware to do the actual spamming or calling home. It wouldn't be the first time.


martyyn

  #2566080 16-Sep-2020 16:43

I don't think there is any hacking going on with the company who came to me. What happened with the original company I don't know, mostly because they don't know either.

I'm just wondering if there is more I can do to help alleviate the amount of phone calls they're getting from people saying they've been hacked and are sending out a virus.

Every email I've seen so far is pretty easy to dismiss, but to Joe Public all they see is the company name and they pick up the phone.

I've told them to email their suppliers and clients explaining the situation and they've put out SM posts to reassure people but that's not stopping the calls.

BlakJak
  #2566122 16-Sep-2020 18:23

Where's the email hosted? What are the chances that there'll be some traversal?

A common thread behind email account compromise (usually by way of phishing - being conned into giving away your credentials) is to then leverage the compromised email account's good reputation to further distribute malicious emails. So yes, good chance that the dodgy email you receive is actually from the system of someone you trust.

Bad actor will access the compromised email account and harvest as many email addresses as they can from places like the sent items folder, other filed email folders, the address book. These become future spam targets.

As you've noted, the suspicious email attachment could well be innocuous. Or it could have something 'less malicious' tied to it - like maybe a tracking pixel or something, so they get some intel as to who has opened the document. Hard to assess based on your comments.

Importantly regarding SPF. You can publish an SPF record which others can then _choose_ to use to assess whether an email they receive is actually from the domain being claimed. SPF results can be used to make an absolute delivery decision (so a record with -all essentially says - no match, do not accept), or to "score" an email (coupled with other elements to help make that decision). It's really important to understand the difference between the 'Envelope Sender' (the sender email address as given during the mail-server-to-mail-server transaction) and the "From" (which is contained within the message headers - the headers are actually part of the email payload, and are NOT part of the delivery system). SPF evaluates the Envelope Sender ONLY and the From: field in the email headers may still say something else.

So in other words an SPF record properly addressed by the recipient still won't prevent an email address being 'spoofed' if the sender is a little clever.

As a simple example of how this works, legitimate email distribution lists (newsletters and such) will use an envelope sender that uniquely identifies you as a recipient - so that a failure to deliver (bounce) can be automatically processed in a way that affects your own subscription without affecting anyone else's. But the From will still simply look like the place you're subbed to. Mailing lists (Mailman etc) work this way as well.

There's really no substitute for education; ensuring staff know to look for signs that the email is not 'as expected' and to then ask questions. A rogue Reply-To header, a source domain that looks different, a subtle difference in formatting, these are all cues that something's up.

Also... hate the use of the term 'hacked', it's quite nonspecific. Social engineering attacks are not necessarily 'hacks' when they're targeting the human element.

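
The envelope-versus-From gap that SirHumphreyAppleby and BlakJak describe is exactly what DMARC's identifier alignment closes, and it also answers the forwarding worry raised earlier in the thread. The following is an added example (editor's, not anything posted in the thread) of a DMARC policy evaluator in Python: given the header From domain, the domain SPF was checked against, the d= domain of a DKIM signature that verified, and the published record, it returns the disposition a receiver would apply. The domains, the policy record and the tiny public-suffix table are assumptions for the example.

```python
# Minimal public-suffix knowledge for the example only; real code should
# use the Public Suffix List. Assumption, not a complete table.
TWO_LEVEL_SUFFIXES = {"co.nz", "org.nz", "net.nz", "co.uk", "com.au"}


def org_domain(domain):
    """Organizational domain used for relaxed alignment (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 'r'}"""
    tags = {}
    for item in txt.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, record, spf_domain=None, spf_result="none",
                   dkim_domain=None, dkim_result="none"):
    """Return (disposition, reason).

    spf_domain is the envelope sender (MAIL FROM) domain that SPF was checked
    against; dkim_domain is the d= tag of a signature that verified. DMARC
    passes only if at least one of them passed AND aligns with the From domain.
    """
    tags = parse_dmarc(record or "")
    if tags.get("v") != "DMARC1":
        return "none", "no DMARC record for From domain"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]       # sp= overrides p= for subdomains of the org domain
    return policy, "no aligned authentication result"


# Constructed policy record for the example.
POLICY = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.co.nz"


def scenarios():
    f = "example.co.nz"
    return {
        # The spammer's envelope domain may even pass its own SPF, but it is
        # not aligned with the From domain the recipient sees.
        "spoof_random_envelope": dmarc_evaluate(
            f, POLICY, spf_domain="huoyfhsue.df", spf_result="pass"),
        "legit_direct": dmarc_evaluate(
            f, POLICY, spf_domain=f, spf_result="pass", dkim_domain=f, dkim_result="pass"),
        # Plain forwarding breaks SPF (forwarder's IP), but an intact DKIM
        # signature still aligns, so the message is not rejected.
        "legit_forwarded": dmarc_evaluate(
            f, POLICY, spf_domain=f, spf_result="fail", dkim_domain=f, dkim_result="pass"),
        # No record published: receivers have no policy to apply.
        "no_dmarc_published": dmarc_evaluate(
            f, "", spf_domain="huoyfhsue.df", spf_result="pass"),
    }


if __name__ == "__main__":
    for name, (disposition, reason) in scenarios().items():
        print(f"{name:22} -> {disposition:6} ({reason})")
```

Each scenario maps to a point made in the thread: the spoof with a random envelope domain gets reject even if that domain's own SPF passes, because it does not align with the From domain; a forwarded genuine message fails SPF but passes on aligned DKIM, so p=reject does not cost you forwarded mail as long as the forwarder leaves the signed headers and body intact; and with no DMARC record there is no policy at all, which is the state martyyn found. Publishing p=none with a rua= address first is the usual way to see what would be affected before moving to quarantine or reject.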

SomeoneSomewhere
  #2566196 16-Sep-2020 19:42

I've had some of these arrive, purporting to be from someone legitimate, but the actual sender is a nonsense address. A .doc with a random name is attached.

Interestingly it has the title and content of a previous email conversation I had with them, so the malware must have access to their email inbox.


MadEngineer
  #2566203 16-Sep-2020 19:54

I’ve seen a tonne of emails replied back to the original sender with .doc attachments with simply something like, “thanks for that, please see attached”.

The original email might be 6 or 12 months old and is a real email that they had sent all those months back. This email with the attached virus is coming from a third party, usually an open or hacked mail server.

This can only mean that the email account some time ago was slurped of all emails for the purpose of sending back to the original sender with the payload. The slurp would have been performed by a hack of their office365 account. I say office365 as it’s a common theme that I see.

At some point someone has clicked a dodgy link in a phishing email to a website where they entered their outlook.com password. From experience, most likely one of the Xero fakes or similar where you’re asked to click a link to view an invoice.

(Party A sends an email to Party B. Party B gets hacked by party X. Party X uses hacked server of party Q to send payload back to party A with emails between parties A+B and all contacts of party B. There is a very high chance that party A now gets hacked because it’s a reply to their own email, their own subject, their own contact is named. Rinse, repeat.)

Somewhere out there is a massive database of ancient emails from many many hacked accounts.

Some of them have had the email signature changed ever so slightly, eg the mobile number has a couple of digits swapped around so when the recipient goes to ring them for confirmation before clicking the attachment they don’t get anywhere, increasing the chances of the payload.


xpd

  #2566241 16-Sep-2020 21:02

SomeoneSomewhere:

I've had some of these arrive, purporting to be from someone legitimate, but the actual sender is a nonsense address. A .doc with a random name is attached.

Interestingly it has the title and content of a previous email conversation I had with them, so the malware must have access to their email inbox.

That's the method Emotet uses for spreading itself.... fricking annoying thing.

1101
  #2566613 17-Sep-2020 09:29

martyyn:

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned ok with ESET and malwarebytes and opens a blank Word doc.

Upload it to Virustotal.com for scanning
https://www.virustotal.com/gui/

A doc attachment I was given, thought to have caused a ransomware attack, scanned as clean with NOD, Bitdefender & Mbytes, but showed as infected in Virustotal.

"Somewhere out there is a massive database of ancient emails from many many hacked accounts."
Actually not old emails; recent sent (eg Dec 2019) emails are on hackers' databases. They use these emails to make the spammed email look like a legit reply; this is becoming more common.

One thing that should be done is have companies remove email addresses from their websites. But no matter how many times you advise them to do this, nothing happens.
Some company websites have staffers' full name, photo, job title & email address, making it all too easy to spoof emails to look like invoices or payment requests from the company accountant or managers (and it happens).
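
Before uploading a document to VirusTotal (submitted samples are shared with VirusTotal's partners, so search by hash first if the content could be sensitive), it is worth looking inside it. A .docx is a zip of XML parts, and a "blank" document that still weighs 172KB deserves a closer look. The following is an added example (editor's, not from the thread) in Python: it constructs a minimal OOXML container for the demonstration, then reports the SHA-256 for a hash lookup, the part list, any macro/OLE/ActiveX parts, and any relationship with TargetMode="External", which is the mechanism remote-template attacks use. The sample files, URL and IP are assumptions.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts that have no business in a plain .docx: VBA storage, embedded OLE
# objects and ActiveX controls (matched case-insensitively on the part path).
SUSPECT_PARTS = ("vbaproject.bin", "oleobject", "embeddings/", "activex")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample(with_macro=False, external_template=None):
    """Construct a minimal OOXML zip for the example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = [f'<Relationships xmlns="{RELS_NS}">']
        if external_template:
            # A settings.xml.rels pointing at an external template URL is how
            # a "blank" document can fetch a macro-enabled template on open.
            rels.append(
                '<Relationship Id="rId1" Target="%s" TargetMode="External" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/attachedTemplate"/>' % external_template)
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)   # stand-in, not real VBA
    return buf.getvalue()


def inspect_docx(data):
    """Static triage of an OOXML file: hash for lookups, part list, red flags."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),   # search VirusTotal by this first
        "parts": [],
        "uncompressed_bytes": 0,
        "findings": [],
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["findings"].append("not a valid OOXML zip container")
        return report
    with z:
        for info in z.infolist():
            report["parts"].append(info.filename)
            report["uncompressed_bytes"] += info.file_size
            lowered = info.filename.lower()
            if any(s in lowered for s in SUSPECT_PARTS):
                report["findings"].append(f"suspicious part: {info.filename}")
            if lowered.endswith(".rels"):
                # Any relationship resolved outside the package is a red flag.
                for rel in ET.fromstring(z.read(info.filename)).iter():
                    if rel.get("TargetMode") == "External":
                        report["findings"].append(
                            f"external relationship in {info.filename}: {rel.get('Target')}")
    return report


if __name__ == "__main__":
    sample = build_sample(with_macro=True, external_template="http://203.0.113.9/t.dotm")
    result = inspect_docx(sample)
    print("sha256:", result["sha256"])
    print("parts:", result["parts"])
    for line in result["findings"]:
        print("!", line)
```

A plain .docx should contain no vbaProject.bin and no external relationships; either is enough to treat the file as hostile even when two scanners call it clean. Run this on an isolated machine as martyyn did, and do the inspection instead of opening the document in Word to "see what it does".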

 

 

 

 

