Hi Mike

A friend of mine unfortunately had a similar case with a Chinese partner firm.
The e-mail correspondence was intercepted - I suspected a trojan in the Chinese firm (or simply an employee of that Chinese firm going rogue, who knows...).

The forged mail was exactly as you describe it: The second e-mail stated that the bank account information was changed.
However in this case the forged mail clearly came from another e-mail, but it looked very close to the one from the Chinese partner. Unfortunately my friend didn't see it.
He asked me to help investigate this as his e-mail account runs on a server I manage and from the mail logs I could show him that the forged mail came from another sender.

Take a look at the mail headers and mail logs of the recipient server (if you can) to verify where the fraud mail came from. Compare the sending servers; the e-mail address itself can be easily changed, as you may know.

I am at this moment not aware of the current status of that case but I know police investigation (and also investigations on my friend's Swiss bank) were ongoing.


cheers,
Claudio

On Fri, Oct 7, 2016 at 2:46 PM, Mike Kellenberger <mike.kellenberger@escapenet.ch> wrote:
Hi all

I might be slightly off-topic here, because it's not a network issue, but it might be of interest to some of you anyway and maybe you've had customers which were affected as well.

I don't know if this ploy is new, but after having two customers affected within one week, I suspect it is.

The customer receives an e-mail with an invoice from his supplier, which he trusts and has worked with in the past. Shortly after this e-mail he receives another e-mail from the same sender and in the exact same layout stating that the company has a new bank account and that this account should be used.

The second e-mail is forged of course. We haven't been able to find out where the original mail gets captured (most likely on the supplier's client, because in one case, more than one customer of the supplier was affected).

The fraudulent bank account was in the UK in both cases, in one case the amount was around CHF 6K, where the UK authorities did not get active, in the second case it was a 6-digit amount... That case is still ongoing.

The fraudulent bank account was already closed again in both cases when the customer realized that his transaction had gone to the wrong account (usually after the supplier asked if the money had not been transferred yet).


Have you had similar cases?


Regards,

Mike

--
Mike Kellenberger | Escapenet GmbH
www.escapenet.ch
+41 52 235 0700/04
Skype mikek70atwork


_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
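
The header comparison suggested in the reply above (compare the sending servers, not the visible address), as an added example that is not part of the original thread. The two messages, the host names and the IP addresses are constructed samples, and `mx.recipient.example` is an assumed name for the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: a known-good invoice mail and the "new bank account" follow-up.
GENUINE = """\
Received: from mail.supplier.example (mail.supplier.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id A1; Fri, 7 Oct 2016 09:00:00 +0200
Received: from pc17 (unknown [10.0.0.5])
\tby mail.supplier.example with ESMTP id Z9; Fri, 7 Oct 2016 08:59:58 +0200
From: Sales <sales@supplier.example>
Subject: Invoice 1001

Invoice attached.
"""
SUSPECT = """\
Received: from out.bulkhost.example (out.bulkhost.example [203.0.113.77])
\tby mx.recipient.example with ESMTP id B2; Fri, 7 Oct 2016 09:40:00 +0200
From: Sales <sales@suppl1er.example>
Subject: Re: Invoice 1001 - new bank account

Please use our new account.
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as written by common MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def sending_server(raw, own_mx):
    """Return (from_domain, helo, peer_ip) taken from the hop recorded by own_mx.
    Only that Received line is trustworthy; earlier hops can be forged by the sender."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for hop in msg.get_all("Received", []):  # newest hop first
        m = RECEIVED_RE.search(hop)
        if m and m.group(3).lower() == own_mx:
            return domain, m.group(1).lower(), m.group(2)
    return domain, None, None

def compare(known_good, suspect, own_mx):
    """List the differences between a known-good mail and a suspect one."""
    g_dom, g_helo, g_ip = sending_server(known_good, own_mx)
    s_dom, s_helo, s_ip = sending_server(suspect, own_mx)
    findings = []
    if s_dom != g_dom:
        findings.append(f"From domain differs: {g_dom} vs {s_dom}")
    if s_ip != g_ip:
        findings.append(f"sending server differs: {g_helo} [{g_ip}] vs {s_helo} [{s_ip}]")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(GENUINE, SUSPECT, "mx.recipient.example")))
```

A differing sending server alone is not proof of forgery, since suppliers do change mail providers, so the result is best cross-checked against the recipient server's own mail log for the same queue IDs.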