Fake Invoice Scams, How do They Work?

A quite common scam in the United States has come to Australia this year, already fleecing some unwitting businesses for over half a million dollars. The scam, listed here on the government’s ScamWatch site involves businesses receiving very realistic looking fake invoices from scammers, usually stating a change of bank details and directing payment to a different bank account. This highlights the importance of taking due care when paying invoices, and having appropriate verification processes in place.

Scammers hack into vendor and/or supplier email accounts and obtain information such as customer lists, bank details and previous invoices

The scam has been reported extensively, particularly in non-tech news media, but it was a little light on the detail for me, so I’ve done some further digging. The reports I’d seen had referred to the scammers sending very realistic invoices to their targets by ‘hacking’ the email accounts of suppliers and vendors, others used words like ‘intercepted email’, but gave no further detail. On asking the question of a few colleagues, some told me of first hand experience with a version of the scam, dubbed a BEC (Business Email Compromise) scam. They’d seen the simplest implementation, which involved creating free email accounts to send the fake invoices, and matching the account name as closely as possible to the actual supplier account. But that’s pretty simple, and most businesses would be quite suspicious if email that was coming from accounts@davescatering.com started coming from accounts_davescatering@yahoo.com. Admittedly, they might not pick it up if the real business was using a free email account in the first place, but although that happens, it doesn’t seem to represent enough businesses for this scam to be so successful.

Then I stumbled across this page from the IC3 (Internet Crime Complaint Center), that sheds some more light on the situation. It details three methods of attack, the first being very much the method described above. The other two methods are far more serious and actually do involve email accounts being hacked. In both these cases, accounts (or the PC’s of account holders) are compromised and invoices issued from them. In the cases where the hacked account is a senior company executive, no invoice is sent, rather a request for a funds transfer is made to other staff within the company (who presumably dutifully processes it because the request comes from their boss).

So that confirms that the media reports about ‘hacking’ weren’t the usual poor reporting (like the iCloud ‘hacking’ scandal). I assume the reports of ‘intercepted emails’ were similarly reliable. It’s certainly plausible enough to assume that by using hacked accounts, compromised PC’s or servers, hackers could have emails surreptitiously forwarded to another party, or be ‘intercepted’ from the server.

I was still curious about the method used to compromise these accounts though. I had assumed they were the the result of some successful phishing expeditions — and some were — but further reading suggested at least some were genuine system compromises, particularly this from the article linked above — “Businesses and personnel using open source e-mail are most targeted”. What does that mean exactly? Properly secured OSS email shouldn’t be more vulnerable than any other system. But that’s where the trail I was following ended. The internet doesn’t seem to have any more information about this, and in particular what the role of Open Source systems would or could be. Even the venerable Steve Gibson of GRC and Security Now didn’t have any idea why OSS would matter in this case, telling me that he couldn’t see why OSS would be implicated.

So that just leaves my theories, and the theories I’ve seen in forums and in comments around the interwebs, which is that some poorly maintained servers running Open Source mail software were compromised, or simply used as an open relay. Not exactly conclusive, but better than what I started with, and we certainly know of other cases where hackers have taken control of systems and used them to do their bidding.

One final note is that the lack of actual published information on this is a cause for concern. I should be able to find out how these attacks have occurred and the mechanisms used. How can we in the IT community protect ourselves and our users against criminal activity if we don’t actually know how it’s perpetrated? If anyone has any more information on this, please post it in the comments, I’d appreciate it.


Originally published at tmtgping.wordpress.com on May 16, 2015.