Basic Business Email Security; The Disaster Waiting to Happen for Kenyan Banks

Last week I promised to take a look at Email Security of some Kenyan organisations and how vulnerable they are. It is surprisingly easy to both spoof (fake emails) and even penetrate the business emails of some of Kenya’s largest and important organisations ranging from banks Government agencies and financial institutions.I will focus on banks as a sequel to my previous post but the principle is the same. Most Kenyan banks as we saw have very little regard to web security and almost all their public websites are unencrypted and un-secured. Their emails are no different.

I make it a habit each time my bank sends me an email, to test and check things such as the email provider, email security and the email configuration. In this era of spammers and spoofs, the email you receive and imagine it has come from your bank, may not be from your bank but part of an elaborate scheme to scam. So when a staff from my bank sent me an email and I saw from the word go that their email server/provider does not encrypt emails, I was curious and disturbed for 2 reasons;

My Email Excerpt from DTB Bank Africa that is not Encrypted
  1. It is a bank; Dah why would they not know this?The contents of the email were private and confidential
  2. My banks sends me a statement each end month that is encrypted sent using a non-encrypted email provider. Pointless!

I checked the email provider details using a simple HOST command and found they provide/host their own emails as;

DTB Africa Mail Query

Using Telnet to Spoof /Forge a Business Email

So I went ahead to test if their SMTP/Mail server was on open relay or NOT using a simple Telnet check. So I fired my command and attempted the crude and simple telnet command over the default port 25;

telnet mail.dtbafrica.com 25
DTB Africa SMTP is in Open Relay Mode on the default port 25. Like WTF?

I was shocked to notice their SMTP was on Open Relay, which means I could with ease, just spoof anyone in the organisation. Basically I could send an email “as anyone” from DTB to any staff. I can Imagine how disastrous this could play, Say; I send an email as CEO to a staff, authorising them to send money to account number 12345567, BINGO!

Of course you would ask how I could get staff emails and the answer would be a few Google Searches, Web Crawling places such as LinkedIn for Staff and combining with email hunting tools such as Hunter.io.

From here basically you can spoof and send an emails masquerading as someone from this Organisation without breaking a sweat. You can follow this WikiHow Tutorial for how to Spoof an In-secure orgnziation email that is on Open Relay with nothing but the command line; http://www.wikihow.com/Forge-Email

List of Kenya Banks with Open Relay

So I went ahead and sampled a few Kenyan banks with this issue and my findings were shocking!All the banks I checked had their SMTP on Open Relay. I could have listed their email SMTP and the email providers but I thought best not to;

  1. KCB
  2. Equity Bank
  3. Coop Bank
  4. DTB Bank
  5. CBA
  6. National Bank
  7. Family Bank;
  8. NIC Bank
  9. Eco Bank Kenya
  10. I&M Bank

You can check for yourself from this list of Kenyan Banks ( https://www.centralbank.go.ke/commercial-banks/ )and test any other organisation.

I know of many Government Organisation having the same issue and I shudder to imagine when Russian hackers and Nigerian Scammers would land in Kenya if my money would be safe at all ! (Or a bank manager would be authorising withdrawals from my account using email authorisation when I travel out of the country when I cannot be reached by phone for confirmation)

Next time I will share simple basic DNS tips that could be used to reduce this risk.

Edit 1:

After I posted this, I came across this article and I saw my prophecy for Kenya banks in the quote;

“From half a world away, Evaldas Rimašauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control,”

Source;http://www.pymnts.com/news/b2b-payments/2017/doj-business-email-compromise-scam-charge-department-justice-enterprise-cybersecurity-invoice-fraud

Like what you read? Give Limoke Oscar a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.