Fraud Email Masquerading as Executive Sent Mail

    • Updated:
    • 30 Oct 2015
    • Product/Version:
    • Email Reputation Services Standard/Advanced.All
    • Platform:
    • Linux - Red Hat RHEL 5 32-bit
Summary

Trend Micro recently observed a wave of targeted scam attacks that starts with an email which appears to be sent from a particular company’s executive(s) to people of influence within their organization (e.g. finance managers). Unlike common email fraud / phishing tricks, these forged emails do not contain attachments or URLs, but instead employ a modified “Reply-To” header that changes the return path to an attacker’s mailbox and is not easily detected without observing the detailed header information.

Based on some data from Trend Micro’s Smart Protection Network, there have been at least 40 companies that appear to have been targeted in this manner in September alone. 


Details

  • “From” and “To” use the same domain to make it look like an internal email (e.g. CompanyX.com to CompanyX.com).
  • The domains in the “From” and “Reply-To” fields are not the same (e.g. “From” is CompanyX.com and “Reply-To” is an external domain like gmail.com).
  • If there is a user agent listed in the mail header, “Workspace Webmail” or “Roundcube Webmail” have been observed to be used in several of these emails.
  • The overall content size of the email is small.
  • The content often contains certain words such as “wire” or “transfer.”
  • The “Reply-To” field often contains keywords such as “executive”, “ceo” or “chief”.
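As an added example (not Trend Micro's detection pattern and not part of the original article), the following Python function applies the header and content indicators listed above to a raw message and reports which ones fired. The sample message, its addresses and domains are constructed placeholders, and the 500-byte "small body" threshold is an assumption.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of a forged "executive" email: no attachment, no URL,
# same From/To domain, external Reply-To. All addresses are placeholders.
SAMPLE_EMAIL = """\
From: "John Doe, CEO" <john.doe@companyx.example>
To: finance.manager@companyx.example
Reply-To: "John Doe" <ceo.john.doe@webmail.example>
Subject: Urgent request
User-Agent: Roundcube Webmail
Content-Type: text/plain; charset=us-ascii

Please process a wire transfer today and reply to confirm.
"""

MONEY_WORDS = ("wire", "transfer")
TITLE_WORDS = ("executive", "ceo", "chief")
WEBMAIL_AGENTS = ("workspace webmail", "roundcube webmail")


def _domain(header_value):
    """Return the lowercase domain part of the first address in a header."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def score_executive_fraud(raw_message, small_body_bytes=500):
    """Apply the header/content heuristics; return the list of indicators that fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    from_dom, to_dom, reply_dom = (_domain(msg.get(h)) for h in ("From", "To", "Reply-To"))
    if from_dom and from_dom == to_dom:          # looks like internal mail
        hits.append("from_to_same_domain")
    if reply_dom and reply_dom != from_dom:      # replies diverted elsewhere
        hits.append("reply_to_external_domain")
    agent = str(msg.get("User-Agent") or "").lower()
    if any(a in agent for a in WEBMAIL_AGENTS):
        hits.append("webmail_user_agent")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if len(text.encode()) < small_body_bytes:   # assumed threshold
        hits.append("small_body")
    if any(w in text.lower() for w in MONEY_WORDS):
        hits.append("money_keyword")
    if any(t in str(msg.get("Reply-To") or "").lower() for t in TITLE_WORDS):
        hits.append("title_in_reply_to")
    return hits
```

The returned indicator list is meant to feed a mail-gateway rule or a SIEM alert; several indicators together, not any single one, distinguish this pattern from ordinary internal mail.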

The Trend Micro Email Reputation Services (ERS) team has released patterns to detect this kind of attack for global customers.


Recommendations:

  • Always double check the reply-to address for important email and make sure the recipient is who you expect it to be when you reply to the email (see below).
  • Pay attention to any inconsistencies between “mail from” and “reply-to” addresses, especially taking notice of any mutated domains (e.g. trendrmicro instead of trendmicro).
  • Always report any undetected samples as soon as possible to Trend Micro.

Sample of forged email:


Recipient email address is changed to attacker’s email address:


    • Category:
    • SPEC
    • Solution Id:
    • 1112853