Have I been hacked?

Scoops Bolling

Member
SoSH Member
Jun 19, 2007
5,873
Earlier today a customer of mine forwarded an email chain where an outside account replied into an existing email chain of ours pretending to be from my company (if my email is scoops@bolling.com, the third party came in with an email address of scoops.bolling@[weird URL].com). What I'm not sure about is whether I was hacked or whether the customer was, as the third party interloper posing as us tried to give them an invoice to be wired to, which our customer recognized as being the wrong code for our location (i.e. they were trying to get paid to a bank in Russia or China or Nigeria, not the United States) and so they contacted me asking "is this you?". I looked up the domain the interlopers emailed from (sl-cassters dot com) and the only thing that I could find was that it was registered this January. I've changed the email account's passwords and a couple other key business account passwords, but I'm not sure if I need to go through and change everything everywhere now, or if the vulnerability was on the customer's end. Thoughts? Suggestions?
 

cgori

Member
SoSH Member
Oct 2, 2004
4,005
SF, CA
What @BrazilianSoxFan said.

Though I would ask what exactly you meant when you said "replied into an existing email chain" - if some third party is receiving your emails (or your customer's emails) that's a bit odd. If they sent an email to your contact in a way that purported to be you (but with the weird url) that's more conventionally/classically phishing.
 

PedroSpecialK

Comes at you like a tornado of hair and the NHL sa
SoSH Member
Dec 12, 2004
27,164
Cambridge, MA
If you're sending email on behalf of your domain / business, highly recommend setting up a p=reject DMARC policy and sending from a dedicated sending domain.
 

Scoops Bolling

Member
SoSH Member
Jun 19, 2007
5,873
They replied into an existing email chain. So there were something like 20 emails between me and the customer, and then this new account replied (pretending to be me) to the most recent email. They didn't reach out with a new email chain, they replied to the one we already had so they had to have access into either my emails or my customer's.
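
Added example (not part of any post in this thread): a header check either party can run over the raw messages of the thread to pin down which reply came from an outside domain and whether it references a genuine Message-ID, which shows the sender had a copy of the real message with its headers and did not just paste in the body text. The sample messages are constructed, `customer.example` and `lookalike.example` are placeholder domains, and `audit_thread` is a hypothetical helper name.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample thread (not real mail): two genuine messages, then a
# reply from a lookalike address. "lookalike.example" is a placeholder domain.
THREAD = [
    "From: Scoops <scoops@bolling.com>\nTo: ap@customer.example\n"
    "Message-ID: <1@bolling.com>\nSubject: Invoice 42\n\nInvoice attached.",
    "From: AP <ap@customer.example>\nTo: scoops@bolling.com\n"
    "Message-ID: <2@customer.example>\nIn-Reply-To: <1@bolling.com>\n"
    "Subject: RE: Invoice 42\n\nThanks, will pay Friday.",
    "From: Scoops <scoops.bolling@lookalike.example>\nTo: ap@customer.example\n"
    "Message-ID: <3@lookalike.example>\nIn-Reply-To: <2@customer.example>\n"
    "Subject: RE: Invoice 42\n\nPlease use our new bank details.",
]

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def audit_thread(raw_messages, trusted_domains):
    """Flag messages whose sender or Reply-To is outside the known parties."""
    findings, seen_ids = [], set()
    for index, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        reasons = []
        from_dom = domain_of(msg["From"])
        if from_dom not in trusted_domains:
            reasons.append(f"From domain {from_dom!r} is not a known party")
        reply_dom = domain_of(msg["Reply-To"])
        if reply_dom and reply_dom != from_dom:
            reasons.append(f"Reply-To diverts to {reply_dom!r}")
        parent = (msg["In-Reply-To"] or "").strip()
        # A suspicious reply that points at a genuine Message-ID means the
        # sender held the original message, headers included.
        if reasons and parent in seen_ids:
            reasons.append(f"replies to genuine message {parent}")
        if reasons:
            findings.append((index, parseaddr(msg["From"])[1], reasons))
        else:
            seen_ids.add((msg["Message-ID"] or "").strip())
    return findings

if __name__ == "__main__":
    known = {"bolling.com", "customer.example"}
    for index, sender, reasons in audit_thread(THREAD, known):
        print(f"message {index} from {sender}: " + "; ".join(reasons))
```
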
 

amlothi

Member
SoSH Member
Jan 5, 2007
802
Consider contacting all your customers to alert them to this scam. Ask them to alert you if they get a similar message and confirm via an alternate communication method or something before sending any money. If they hacked your company, they will be trying this with other customers too.
 

djbayko

Member
SoSH Member
Jul 18, 2005
25,895
Los Angeles, CA
They replied into an existing email chain. So there were something like 20 emails between me and the customer, and then this new account replied (pretending to be me) to the most recent email. They didn't reach out with a new email chain, they replied to the one we already had so they had to have access into either my emails or my customer's.
I don't think they can really reply to an existing chain they aren't on. I'm guessing that they got a hold of the email chain somehow and then recreated it to make it look like they replied. But maybe that's what you meant.

I think you're right to be concerned about how they got hold of it in the first place though.
 

cgori

Member
SoSH Member
Oct 2, 2004
4,005
SF, CA
They replied into an existing email chain. So there were something like 20 emails between me and the customer, and then this new account replied (pretending to be me) to the most recent email. They didn't reach out with a new email chain, they replied to the one we already had so they had to have access into either my emails or my customer's.
That's not good. I can think of a few ways that could happen without a breach, but the more likely explanation is that either your customer (or you) have an issue.

Consider contacting all your customers to alert them to this scam. Ask them to alert you if they get a similar message and confirm via an alternate communication method or something before sending any money. If they hacked your company, they will be trying this with other customers too.
100% recommend.
 

Scoops Bolling

Member
SoSH Member
Jun 19, 2007
5,873
I don't think they can really reply to an existing chain they aren't on. I'm guessing that they got a hold of the email chain somehow and then recreated it to make it look like they replied. But maybe that's what you meant.

I think you're right to be concerned about how they got hold of it in the first place though.
Yes come whether they just copied and pasted it or how they had it I don't know, but they had a lengthy email chain. Is there any way for me to figure out if they got it from my end or from the customer's end?
 

FenwayFrenzy

Member
SoSH Member
Jul 16, 2005
2,141
NYC
This is phishing and invoice fraud - it happens a lot.

Someone has view access to your email, your clients' email, or can see the email in transit. You should change all passwords (network, email, bank account etc) immediately, set up multifactor authentication for every account you can, and ask your clients to do the same. If your business must be done over email, set up encrypted end-to-end email and ensure there is a secondary authentication for each transaction (separate passworded invoice file with bank account info, unique pass phrase that must be matched). You could also have a maker-checker model in place where someone else aside from the primary person who manages the transaction must approve before moving forward.

Ideally, you would have some type of e-invoicing option between billing systems, but that's a bigger investment of time & expense.

Also, a big kudos to your customer for sniffing out the phishing attempt.
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,498
Yes come whether they just copied and pasted it or how they had it I don't know, but they had a lengthy email chain. Is there any way for me to figure out if they got it from my end or from the customer's end?
FF probably has bingo.

I'd contact an internet security company if I were in your shoes. I'm not an expert but it sounds like your systems are compromised.