The problem

We were contacted by an IT support firm to see if we could help their client. The client was being targeted by a fraudster. In this particular scam, the fraudster was sending out emails, apparently from the client, to inform customers that the invoices they'd just received contained the wrong bank account details. The emails contained details of a new account to which payment should be made.

Of course, the accounts had nothing to do with the client and any payments made were ending up with the fraudsters.

The client was running anti-virus software and kept changing passwords on their email accounts, but the fraudsters kept getting access. The IT firm had run all their usual tests, checked the security software reports and found nothing amiss. Rolling software back to previous versions or installing machines from scratch had done nothing to stop the fraud.

We were called in because our experience of working with law-enforcement agencies and our expertise in network and Internet activity might help to discover how the fraudsters were operating.

How we helped

We had a limited time to act. Firstly, we checked the client's network and discovered that there was an extra computer on it. This was not, in itself suspicious. In fact, the machine was known to the client, but not to their IT firm and was not running the same security as the other machines on the network. It had also not been covered by the IT support contact, so it had fallen outside normal maintenance and security procedures.

Over a weekend, we imaged (copied) the contents of all the machines present in the company and then started to examine them. Our anti-malware inspection runs "off-line". i.e. it runs on a separate trusted machine, that we completely control, and can inspect everything present in a drive image. Because of this, it's less susceptible to "anti-forensic" or "anti-detection" tricks that modern malware often use to fool normal security software.

In this case, our inspection revealed that several of the machines had been infected with remote-control software. This allowed the fraudsters to monitor every action on the client's computers and detect when an invoice was sent out as well as when any passwords were changed. The fraudsters thus had access to the email system, the accounts package and the email system so they could easily sent out one of their fake change of account emails within minutes of an invoice being sent.

The bank accounts being used by the fraudsters were all different, probably obtained through one of the many job scams that deal with "payment processing" (or money laundering) for non-existent foreign companies.

Our actions

We cleaned up all the machines in one go.

No machine was allowed onto the client's network until it had bean cleaned and updated with the latest security software. We also reconfigured the client's network to prevent certain types of outgoing traffic, particularly the traffic generated by the fraudsters' malware, and we reconfigured the email system to make it harder for unauthorised users to get access and change or add passwords and verification data.

We also ran a network monitor to check incoming and outoing data, and monitored the email system to check for unauthorised use.

The fraud stopped.

Additional advice

We also recommended that the client should write to all their customers, reminding them that bank account details would NEVER be changed by email and the customers should ALWAYS check by phone or in writing before sending payments to any bank account that they didn't recognise.

Cost to the client ?

Because this was a small business, the whole process took about 4 days to complete. The business, which had been suffering from cash-flow problems and a loss of customer trust, was saved.

If you have a similar problem, please contact n-gate ltd. now.