Help! Email hacked

Docbot

Our business has been hacked and emails intercepted and changed to show fraudulent bank details.
I have paid 3 false invoices so far, since Jan 2020.
We use Outlook and Gmail (and AnyDesk for remote working).
I have changed all Gmail, Outlook and AnyDesk passwords; we run frequent ESET antivirus scans that come up with nothing.
Any advice would be welcome!
Pieter
 
Our business has been hacked and emails intercepted and changed to show fraudulent bank details.
Please spend some time providing more detail.

The information provided thus far is not sufficient.

How did you confirm the "hack"?
Google business or private gmail?
How many accounts?

Describe the "interception" process.
Describe the infrastructure.
 
You have paid 3 false invoices? Someone pretending to be a supplier?
 
Was your email account actually "hacked", or was someone just spoofing a supplier's email address (or even your own internal email address) and sending fake invoices? As that is the most common practice.
 
Thanks for the response, guys. I have a medical practice. A locum for my December holiday emailed me his invoice. This was intercepted and the bank details changed, so I paid R18 000 into a fraudulent account. They also intercepted an invoice from us to a patient so that the patient paid into the fraudulent account and I had to write off this amount. We have an Outlook email which is linked to a Gmail account; we use a Gmail server.
 
Also, Nedbank's forensic dept confirmed the fraudulent account and closed it. I opened a case with the police. They are absolutely useless. I am unable to contact the investigating officer (never at work, never answers messages or calls to his cell) to report 2 subsequent frauds. I don't have enough IT knowledge to figure out the hacker's modus operandi :(
 
Thanks for the response guys. I have a medical practice. A locum for my December holiday emailed me his invoice. This was intercepted and the bank details changed, so I paid R18 000 into a fraudulent account. They also intercepted an invoice from us to a patient so that the patient paid into the fraudulent account and I had to write off this amount. We have an Outlook email which is linked to a Gmail account, we use a Gmail server.
Have you confirmed with the bank that the account does not in fact belong to the locum?
 
Also, Nedbank forensic dept confirmed the fraudulent account and closed it. I opened a case with the police. They are absolutely useless. I am unable to contact the investigating officer (never at work, never answers messages or calls to his cell) to report 2 subsequent frauds. I don't have enough IT knowledge to figure out the hacker's modus operandi :(
If it's a Gmail address you'd best enable 2-factor login and check the webmail for any rules forwarding or deleting certain items; it's a common BEC method.
 
He most likely got hold of your AnyDesk password or used some remote software. That software/malware might still be installed on that computer and you won't be any the wiser.
Enable two-factor auth for all your accounts.

Windows 10
- Is your Windows 10 firewall on, and does any firewall rule look suspicious?
- Do the Windows Security settings show anything suspicious, and is everything enabled?
- Run a security scan
- Latest Windows 10 updates?
- Are the Remote Desktop settings off?
- Check if anything suspicious is installed that sounds like remote software:
Control Panel\All Control Panel Items\Programs and Features
Select the "Installed On" column and sort on it descending
- Go to Task View (Virtual Desktop) and scroll down to Timeline to see when applications were last opened. Is there a suspicious app there?

Chrome
- View your Chrome browsing history and see what sites he visited.
Paste in the Chrome address bar: chrome://history/all
or the equivalent for the browser you are using.

Google Account
On your Gmail account, do you recognize any devices that shouldn't be there? Remove ones that don't need to be there.
https://myaccount.google.com/device-activity

Check your Google activity for that Gmail account and see if you see anything suspicious.
https://myactivity.google.com/myactivity

Security checkup
https://myaccount.google.com/u/0/security-checkup

Recent google security events
https://myaccount.google.com/notifications

Open Gmail and in the bottom right corner click "Details" to see the last logins.
https://myaccount.google.com/u/0/security-checkup

Maps Timeline
https://www.google.com/maps/timeline
 
Have you confirmed with the bank that the account does not in fact belong to the locum?
If the locum knows any scammers, they might have been paid to install remote software or malware on the computer. These syndicates are much smarter, as they use refugees or poor people to open bank accounts for a fee and then take the bank card and register for internet banking. That way they can never get caught, even if you find out who owns the bank account.

This could be similar to the insider who installed malware on Gautrain system computers.
 
This was intercepted and the bank details changed
They also intercepted an invoice from us to a patient so that the patient paid into the fraudulent account

Still not clear. Maybe what we need to see is the actual mail, because this is still perfectly possible via standard phishing. The headers would prove it one way or the other.

Occam's shaving implement. Far simpler to phish than to maintain remote access and spend hours monitoring mail to intercept billing.
 
Hey guys, thanks for the awesome responses.
I still run Windows 7, to be updated shortly. Skim-read; I will activate the firewall etc. The locum is definitely in the clear.
A forensic tech from my bank (Investec) phoned today and he reckons it has to do with Outlook filter settings, which may have been altered to send the scammer copies of all our mails.
 
So we have sorted it out finally: they sent malicious code that allowed them access to my Telkom webmail. They created filters to receive copies of all emails containing words like "invoice, statement, bank details" etc. and to then delete the mails. They then could insert new bank details into these documents. Cunning bastards!
 
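The "check the webmail for forwarding or deleting rules" advice earlier in the thread, and the filter setup the OP found, can be checked by hand in the webmail settings. As an added example that is not from the thread, the script below audits a Gmail filter export (mailFilters.xml, from Settings > Filters and Blocked Addresses > Export) for the same BEC pattern. It assumes Gmail's Atom export layout with apps:property name/value pairs; the sample feed and keyword list are constructed for the example.

```python
# Added example (not from the thread): audit a Gmail filter export (mailFilters.xml from
# Settings > Filters and Blocked Addresses > Export) for the BEC pattern described above:
# filters keyed on money words that forward the mail elsewhere and/or delete it.
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
FINANCE_WORDS = ("invoice", "statement", "bank details", "payment", "remittance")
HIDING_ACTIONS = ("forwardTo", "shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample export: one benign filter and one BEC-style filter.
SAMPLE_XML = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="label" value="Newsletters"/>
  </entry>
  <entry>
    <apps:property name="hasTheWord" value="invoice OR statement OR &quot;bank details&quot;"/>
    <apps:property name="forwardTo" value="attacker-mailbox@example.net"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
</feed>"""

def parse_filters(xml_text):
    """Return one {property name: value} dict per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.findall("apps:property", NS)}
            for e in root.findall("atom:entry", NS)]

def audit_filters(filters):
    """Return (reason, filter) for each filter that hides mail. A filter whose
    criteria mention finance words AND forwards/trashes/archives is the thread's
    BEC pattern; any other forwarding rule is still worth a look."""
    findings = []
    for f in filters:
        criteria = " ".join(f.get(k, "") for k in ("hasTheWord", "subject", "from", "to")).lower()
        hides = [a for a in HIDING_ACTIONS if a in f]
        money = [w for w in FINANCE_WORDS if w in criteria]
        if hides and money:
            findings.append((f"finance-keyed filter hides mail via {hides}; matches {money}", f))
        elif "forwardTo" in f:
            findings.append((f"forwards mail to {f['forwardTo']}", f))
    return findings
```

Run it against your own export by replacing SAMPLE_XML with the file contents; the same checks apply to Outlook or Telkom webmail rules, just with a different export format.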
So we have sorted it out finally: they sent malicious code that allowed them access to my Telkom webmail. They created filters to receive copies of all emails containing words like "invoice, statement, bank details" etc. and to then delete the mails. They then could insert new bank details into these documents. Cunning bastards!
Ah, so it did end up being the webmail with the filter rules.
Interesting that it's Telkom, as the client I assisted last year with the same BEC issue was also on Telkom webmail.
 
Ah so it did end up being the webmail with the filter rules
Interesting that its telkom as the client I assisted last year with the same BEC issue was also telkom webmail

Just a coincidence, since there's a gazillion Telkom SA accounts - and it's doable on the Outlook side too.
 
So we have sorted it out finally: they sent malicious code that allowed them access to my Telkom webmail. They created filters to receive copies of all emails containing words like "invoice, statement, bank details" etc. and to then delete the mails. They then could insert new bank details into these documents. Cunning bastards!
I have had a few clients get nailed by this but it was through phishing, not "malicious code". All of them responded to a mail that told them that their email accounts were full and that they needed to sort it out because the following (screenshot of rubbish invoices pending delivery) could not be delivered. A link was provided in the email to confirm email details and BAM... compromised.
 
Just a coincidence since there's a gazillion telkom sa accounts - and it's doable on the outlook side too.
Not negating the possibility of 2 BEC hits being Telkom, but it is noteworthy if there are enough others with similar circumstances - which you shouldn't discount either.
 
Sorry for the necro, but we have had an incident in the last two weeks where they (idk how) intercept our emails and change the banking details. Luckily our customers have picked up on this. Anyone know how they are doing it?
 
Sorry for the necro but we have had incidence in the last two weeks where they idk intercept our emails and change the banking details. Lucky our customers have picked up on this . Anyone know how they are doing it?

If it's the same as the OP, someone has clicked a link that is running code on your PC. This is sending your emails to the attacker, where they are editing the email with their banking details and sending them out again. I think.

Try running Malwarebytes on all the computers and see if you get any hits; it may be this easy and is generally a good starting point.
 