cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bjonah
Newcomer I

Investigating Email Hijacking

I am trying to investigate a possible Email hijacking issue. An Email was sent with details for a payment to be made. Sender is authentic (meaning email address is correct). The receiver asks for additional details and sender sends additional details back. unfortunately for the sender some of the additional details were not correct and needed verification. On verification (phone call) the "real sender"(owner of the email address used to send the request) claimed not to know anything about it. The Email Server shows records of emails delivered to the email address.

 

Is there any way I can prove that a particular email sent was hijacked?

9 Replies
JoePete
Advocate I

I'd start with an mxtoolbox check of the domain in question. See if anything pops up there.

 

The details seem a little confusing (to me at least). Maybe it would help that rather than saying sender and receiver you say A and B. It sounds like:

  1. Address A sent a request (we'll call it Email 1) for payment to Address B. 
  2. Address B sent Email 2 to Address A asking for verification.
  3. Address A sent Email 3 to Address B with verification details. However owner of Address B (User B) wasn't satisfied and called apparent owner of Address A (User A). At which User A claims no knowledge.

Since Address B was able to send Email 2 to Address A, that tells you the sender (Address A) in Email 1 and 3 doesn't appear to be forged. It doesn't mean User A ever got the email. If someone has access to his or her account, it is easy enough to intercept email. Is it possible that Address A is some sort of generic account used by a department, etc.? Also, Email 1 and 3 have headers that can be looked at to determine the full route to Address B. It sounds like you checked the server used to send Email 2, and the mail appears to have been delivered. Again, that doesn't mean much. The battle against spam has resulted in mail servers rarely sending accurate or any error messages. Also, bear in mind that on top of whatever checks done by Address A's server, the mail client might do its own filtering (the dreaded spam folder or quarantine situation). Even if delivered, there is no guarantee it was read (even tracking data/web beacons mean very little if anything on the receiving end scans content). My gut says take are really close look at the domains, addresses, reply-tos involved. It may not be hijacking, just someone passing off a similar domain or address as the real thing.

HTCPCP-TEA
Contributor I

Hi,

 

I'm not sure exactly what you have tried as yet, but it would depend on what technologies you are using for the most part.

 

MS Exchange will normally have the ability to track messages, and you can confirm legitimate mail sender/recipients using that. Indeed other systems, such as Mimecast or Sophos Mail can do more in depth tracking also.

 

The difficulty comes in proving it was the user who sent the mail, or indeed did not send the mail.

 

I would suggest looking at the email headers under it's properties. This would normally contain some IP address of the originating computer, so you could narrow down your investigation that way. Be sure there are no signs of spoofed mail (X-Headers etc.).

 

Furthermore, look for mails sent around the same time, and compare the IP addresses, this could prove that the user would need to be in two locations at once and potentially on 2 different machines to have completed the task.

 

Hope this helps and by all means expand more on the situation should you wish, I'd be happy to help wherever possible.

 

 

bjonah
Newcomer I

Thank you JoePete. Your illustration is correct. Address A is a customer and Address B an Account Officer managing the customer's Account.

 

Domain addresses, reply-tos all read correctly. MX lookup and Email Header analysis all point to the cusomer's dns/mx records.

 

 

bjonah
Newcomer I

Thanks  HTCPCP-TEA. From the headers it appears that the sender's SMTP server keeps changing. Is that normal? The originating IP as well though from the same subnet. 

HTCPCP-TEA
Contributor I

Hi,

 

Apologies, it would again come down to your topolgy. If it's internal and you have multiple SMTP servers, then you could be load balancing and therefore could expect to see differing IP addresses. However, these would always match your expected internal SMTP server addresses.

 

You could identify the IP addresses as a start to see what sort of mail route is being taken. I would also look to establish what other emails the particular user sent around the same time, and ensure they correspond with such IP addresses. This would, at least, place the user within the same network as the "Problem" email at the time of sending.

 

Also, if said IP address is an external address, you could try to find out where the IP is from ("Whois" searches etc)

 

Hope this helps. Let me know if you need anything more.

 

 

 

 

JoePete
Advocate I


@bjonah wrote:

From the headers it appears that the sender's SMTP server keeps changing. Is that normal? The originating IP as well though from the same subnet. 


Keep in mind that until an email ends up on your side of the route, the headers are fill in the blank - it all depends on what the mail transfer agents in between are configured to append. As HTCPCP-TEA notes, load balancing might explain some of what you are seeing. Again, though, when a header says originating IP, it depends on what the first server is configured to append.

 

It seems like the issue is your organization received an email that appeared to be genuine, but when you reached out to the person who supposedly owns that email, you got a "no I never sent that." You're trying ascertain if that person is telling the truth, and I suspect the implications can be far reaching as your company normally trusts the email messages it gets.

 

I'm not sure the business you are in, but unless you require encrypted/signed email, you really can't authenticate its sender. Practically speaking, you're better off creating some sort of web application that requires authentication (even just username and password) in order to conduct any substantive business. Or what someone on your side in fact did - call the person in question to verify the information - is the right step. This is an interesting case, and I'm curious what you eventually discover, but in the larger context, I would raise the issue organizationally that you should not rely on unencrypted/unsigned email as a business tool.

bjonah
Newcomer I

Thanks. So I ran the headers again through another online tool (have this nudging feeling something is not right but can't put my finger on it) and the Originating IP address for the questionable email is from a different country whereas originating IPs of previous emails sent by the same client are from the same country. Is that indicative of hacking? I am no email forensic expert so....

bjonah
Newcomer I

Thanks. It is not our normal practice to trust or conclude financial transactions over email, hence fraudster being cutoff when physical verification was done. Moreover, staff are aware about email fraud...but like you I am also very curious to find out if this was a lie or a hack. Will keep you posted :).

HTCPCP-TEA
Contributor I

Could be...

 

It would depend though, as if you are using something like Office 365 the mail can come from pretty much anywhere, due to the architecture they use.

 

I have done this sort of thing a lot, hence why I'm keen to lend advice wherever possible. The issue I commonly come against is that even if you track the mail all the way back to the person in question, you then have the issue of whether someone gained access to their account/workstation.

 

There are some techinques to help find the truth, though I'm pretty sure that they are frowned upon these days... I joke of course.

 

Happy hunting, and again if I can be of any further assistance, I'll do what I can.