Help! Email hacked

Docbot

New Member
Joined
Apr 18, 2018
Messages
7
Our business has been hacked and emails intercepted and changed to show fraudulent bank details.
I have paid 3 false invoices so far, since Jan 2020.
We use Outlook and Gmail (and Anydesk for remote working).
I have changed all Gmail, Outlook and Anydesk passwords, we run frequent ESET antivirus scans that come up with nothing.
Any advice would be welcome!
Pieter
 

rustypup

Senior Member
Joined
Jan 28, 2016
Messages
788
Our business has been hacked and emails intercepted and changed to show fraudulent bank details.
Please spend some time providing more detail.

The information provided thus far is not sufficient.

How did you confirm the "hack"?
Google business or private gmail?
How many accounts?

Describe the "interception" process.
Describe the infrastructure.
 

ghoti

Karmic Sangoma
Joined
Jan 17, 2005
Messages
46,362
You have paid 3 false invoices? Someone pretending to be supplier?
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,370
Was your email account actually "hacked", or was someone just spoofing a supplier's email address (or even your own internal email address) and sending fake invoices? As that is the most common practice.
 

Docbot

New Member
Joined
Apr 18, 2018
Messages
7
Thanks for the response guys. I have a medical practice. A locum for my December holiday emailed me his invoice. This was intercepted and the bank details changed, so I paid R18 000 into a fraudulent account. They also intercepted an invoice from us to a patient so that the patient paid into the fraudulent account and I had to write off this amount. We have an Outlook email which is linked to a Gmail account, we use a Gmail server.
 

Docbot

New Member
Joined
Apr 18, 2018
Messages
7
Also, Nedbank forensic dept confirmed the fraudulent account and closed it. I opened a case with the police. They are absolutely useless. I am unable to contact the investigating officer (never at work, never answers messages or calls to his cell) to report 2 subsequent frauds. I don't have enough IT knowledge to figure out the hacker's modus operandi :(
 

The_Ogre

Honorary Master
Joined
Apr 30, 2010
Messages
22,082
Thanks for the response guys. I have a medical practice. A locum for my December holiday emailed me his invoice. This was intercepted and the bank details changed, so I paid R18 000 into a fraudulent account. They also intercepted an invoice from us to a patient so that the patient paid into the fraudulent account and I had to write off this amount. We have an Outlook email which is linked to a Gmail account, we use a Gmail server.
Have you confirmed with the bank that the account does not in fact belong to the locum?
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,956
Also, Nedbank forensic dept confirmed the fraudulent account and closed it. I opened a case with the police. They are absolutely useless. I am unable to contact the investigating officer (never at work, never answers messages or calls to his cell) to report 2 subsequent frauds. I don't have enough IT knowledge to figure out the hacker's modus operandi :(
If it's a Gmail address you best enable two-factor login and check the webmail for any rules forwarding or deleting certain items; it's a common BEC method.
 

skimread

Executive Member
Joined
Oct 18, 2010
Messages
9,455
He most likely got hold of your Anydesk password or used some remote software. That software/malware might still be installed on that computer and you won't be any wiser.
Enable two factor auth for all your accounts

Windows 10
- Is your Windows 10 firewall on and does any firewall rule look suspicious?
- Windows Security settings show anything suspicious and everything is enabled?
- Run security Scan
- Latest Windows 10 updates?
- Are Remote Desktop settings off?
- Check if anything suspicious is installed that sounds like remote software
Control Panel\All Control Panel Items\Programs and Features
Select the Installed on Column and sort on it descending
- Go to Task View (Virtual Desktop) and scroll down to Timeline to see when last applications were opened. Is there a suspicious app there?

Chrome
- View your Chrome browsing history on Chrome and see what sites he visited
Paste in Chrome address bar: chrome://history/all
or the equivalent for the browser you are using.

Google Account
On your gmail account do you recognize any devices that shouldn't be there? Remove ones that don't need to be there
https://myaccount.google.com/device-activity

Check your Google activity for that Gmail account and see if you see anything suspicious
https://myactivity.google.com/myactivity

Security checkup
https://myaccount.google.com/u/0/security-checkup

Recent google security events
https://myaccount.google.com/notifications

Open gmail and in the bottom right corner click details to see the last logins
https://myaccount.google.com/u/0/security-checkup

Maps Timeline
https://www.google.com/maps/timeline
 

skimread

Executive Member
Joined
Oct 18, 2010
Messages
9,455
Have you confirmed with the bank that the account does not in fact belong to the locum?
If the locum knows any scammers they might have been paid to install remote software or malware on the computer. These syndicates are much smarter as they use refugees or poor people to open bank accounts for a fee and then take the bank card and register for internet banking. That way they can never get caught even if you find out who owns the bank account.

This could be similar to the insider who installed malware on Gautrain system computers.
 

rustypup

Senior Member
Joined
Jan 28, 2016
Messages
788
This was intercepted and the bank details changed
They also intercepted an invoice from us to a patient so that the patient paid into the fraudulent account
Still not clear. Maybe what we need to see is the actual mail because this is still perfectly possible via standard phishing. The headers would prove it one way or the other.

Occam's shaving implement. Far simpler to phish than to maintain remote access and spend hours monitoring mail to intercept billing.
 

Docbot

New Member
Joined
Apr 18, 2018
Messages
7
Hey guys, thanks for the awesome responses.
I still run Windows 7, to be updated shortly. Skimread, I will activate firewall etc. The locum is definitely in the clear.
A forensic tech from my bank (Investec) phoned today and he reckons it has to do with Outlook filter settings which may have been altered to send scammer copies of all our mails.
 

Docbot

New Member
Joined
Apr 18, 2018
Messages
7
So we have sorted it out finally: they sent malicious code that allowed them access to my Telkom webmail. They created filters to receive copies of all emails containing words like "invoice, statement, bank details" etc. and to then delete the mails. They then could insert new bank details into these documents. Cunning bastards!
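The filter rules PsyWulf suggested checking and the ones Docbot found (matching words like "invoice", "statement" and "bank details", copying the mail out and deleting it) can be audited mechanically. This is an added example, not code from this thread: it parses the Atom feed that Gmail's Settings > Filters "Export" produces and flags filters that forward outside the practice's own domain (an assumed domain, practice.example) or that trash/hide finance-related mail. The sample feed is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's "Export filters" (Settings > Filters) Atom feed.
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Terms the thread reports the attacker's filters matched on, plus a few related ones.
FINANCE_TERMS = ("invoice", "statement", "bank details", "payment", "remittance")
# Assumption: the practice's own mail domain; forwarding anywhere else is "external".
TRUSTED_DOMAINS = {"practice.example"}

# Constructed sample export: one benign filter and two BEC-style filters.
SAMPLE_FEED = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
 <entry><category term='filter'/><title>Mail Filter</title>
  <apps:property name='from' value='news@newsletter.example'/>
  <apps:property name='label' value='Newsletters'/>
  <apps:property name='shouldArchive' value='true'/></entry>
 <entry><category term='filter'/><title>Mail Filter</title>
  <apps:property name='hasTheWord' value='invoice OR statement OR "bank details"'/>
  <apps:property name='forwardTo' value='drop@attacker.example'/>
  <apps:property name='shouldTrash' value='true'/></entry>
 <entry><category term='filter'/><title>Mail Filter</title>
  <apps:property name='subject' value='payment'/>
  <apps:property name='shouldArchive' value='true'/>
  <apps:property name='shouldMarkAsRead' value='true'/></entry>
</feed>"""

def audit_filters(xml_text):
    """Return (reasons, properties) for every filter that looks like BEC tooling:
    anything forwarding outside TRUSTED_DOMAINS, or any finance-keyword filter that
    trashes, archives or marks-as-read so the victim never sees the real message."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        criteria = " ".join(props.get(k, "") for k in ("hasTheWord", "subject", "from", "to")).lower()
        money = any(term in criteria for term in FINANCE_TERMS)
        reasons = []
        fwd = props.get("forwardTo", "")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS:
            reasons.append(f"forwards to external address {fwd}")
        if money and props.get("shouldTrash") == "true":
            reasons.append("deletes finance-related mail")
        if money and (props.get("shouldArchive") == "true" or props.get("shouldMarkAsRead") == "true"):
            reasons.append("hides finance-related mail (archive/mark read)")
        if reasons:
            findings.append(("; ".join(reasons), props))
    return findings

if __name__ == "__main__":
    for reasons, props in audit_filters(SAMPLE_FEED):
        print(f"SUSPICIOUS: {reasons} | {props}")
```

Run it against the real export file instead of SAMPLE_FEED; the same two questions (where does mail get copied to, and what gets hidden) apply to Outlook rules and other webmail filters.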
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,956
So we have sorted it out finally: they sent malicious code that allowed them access to my Telkom webmail. They created filters to receive copies of all emails containing words like "invoice, statement, bank details" etc. and to then delete the mails. They then could insert new bank details into these documents. Cunning bastards!
Ah so it did end up being the webmail with the filter rules
Interesting that it's Telkom, as the client I assisted last year with the same BEC issue was also Telkom webmail.
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
4,315
Ah so it did end up being the webmail with the filter rules
Interesting that it's Telkom, as the client I assisted last year with the same BEC issue was also Telkom webmail.
Just a coincidence since there's a gazillion telkom sa accounts - and it's doable on the outlook side too.
 

Datura

Captain Faptastic
Joined
Oct 12, 2006
Messages
45,936
So we have sorted it out finally: they sent malicious code that allowed them access to my Telkom webmail. They created filters to receive copies of all emails containing words like "invoice, statement, bank details" etc. and to then delete the mails. They then could insert new bank details into these documents. Cunning bastards!
I have had a few clients get nailed by this but it was through phishing, not "malicious code". All of them responded to a mail that told them that their email accounts were full and that they needed to sort it out because the following (screenshot of rubbish invoices pending delivery) could not be delivered. A link was provided in the email to confirm email details and BAM... compromised.
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,956
Just a coincidence since there's a gazillion telkom sa accounts - and it's doable on the outlook side too.
Not negating the possibility of 2 BEC hits being Telkom, but it is noteworthy if there are enough others with similar circumstances - which you shouldn't discount either.
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
4,315
Not negating the possibility of 2 BEC hits being Telkom, but it is noteworthy if there are enough others with similar circumstances - which you shouldn't discount either.
It’s not significant or noteworthy though.
 