Views:

Detecting Fraud Emails

Based on some data from Trend Micro's Smart Protection Network, there have been at least 40 companies that appear to have been targeted in this manner in a month alone.

Fraud email sent by executive

Below are some hints of the fraud email:

  • "From" and "To" use the same domain to make it look like an internal email (e.g. CompanyX.com to CompanyX.com).
  • Domain in the "From" and "Reply-To" fields are not the same (e.g. From: CompanyX.com and Reply-To: external domain like gmail.com).
  • If there is a user agent listed in the mail header, Workspace Webmail or Roundcube Webmail have been observed to be used in several of these emails.
  • The overall content size of the email is small.
  • The content often contains certain words such as "wire" or "transfer".
  • "Reply-to" field often has keywords such as "executive", "ceo", or "chief".

The Trend Micro Email Reputation Services (ERS) team has released patterns to detect this kind of attack for global customers.

Recommendations

  • Always double-check the reply-to address for important email and make sure the recipient is who you expect it to be when you reply to the email.
  • Pay attention to any inconsistencies between mail from and reply-to addresses, especially taking notice of any mutated domains (e.g. trendrmicro instead of trendmicro).
  • Always report any undetected samples as soon as possible to Trend Micro. See Submitting spam samples.

Here is a sample of forged email:

forged email

When replying to the email, the recipient email address is changed to attacker's email address:

Changed email address

Keywords: scam email,email fraud,email hacking,company email hacked,Smart Protection Network,Executive Sent Mail scam,email hacking advisory