Trend Micro recently observed a wave of targeted scam attacks that start with an email appearing to come from one of a company's executives, addressed to people of influence within the same organization (e.g. finance managers). Unlike common email fraud or phishing, these forged emails contain no attachments or URLs; instead they use a modified "Reply-To" header that silently redirects replies to an attacker's mailbox. The trick is not easily spotted without inspecting the detailed header information.
Detecting Fraud Emails
Based on some data from Trend Micro's Smart Protection Network, there have been at least 40 companies that appear to have been targeted in this manner in a month alone.
Below are some indicators of the fraud email:
- "From" and "To" use the same domain to make it look like an internal email (e.g. CompanyX.com to CompanyX.com).
- The domains in the "From" and "Reply-To" fields are not the same (e.g. From: CompanyX.com and Reply-To: an external domain such as gmail.com).
- If a user agent is listed in the mail header, Workspace Webmail and Roundcube Webmail have been observed in several of these emails.
- The overall content size of the email is small.
- The content often contains certain words such as "wire" or "transfer".
- The "Reply-To" field often contains keywords such as "executive", "ceo", or "chief".
The Trend Micro Email Reputation Services (ERS) team has released patterns to detect this kind of attack for global customers. In addition, the following practices are recommended:
- Always double-check the Reply-To address of important email, and make sure the recipient is who you expect before you reply.
- Pay attention to any inconsistency between the From and Reply-To addresses, and take particular notice of look-alike domains (e.g. trendrmicro instead of trendmicro).
- Always report any undetected samples as soon as possible to Trend Micro. See Submitting spam samples.
Here is a sample of a forged email:
When replying to the email, the recipient address is changed to the attacker's email address: