Question about hacking

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
16,322
So I'm curious about something and the people on this board know way more than my IT department so I thought I'd get some good information here.

We all get phishing emails where we are sent something that looks like an adobe file or what not saying "invoice, please open," or things along those lines. More often lately, I have been getting these emails from people I know. I have been thinking that in most of these cases, the hackers are spoofing people's email. As such, I have made it my practice to send an email back to the person I know to tell them someone got into their contacts or what not, and they are grateful.

On two different occasions in the last week, I received emails basically saying, "Here is the updated project description." One was from a person I'm actively working with; one is not.

In both cases, I sent the email back to the account and said, "I don't think you meant to send this." And in both cases - here is what gets me - the hacker replied to me, "Yes, I did. Please review."

So here's my question. I'm not surprised that hackers can take over someone's email address, but what does it mean that the hacker is replying in real time? If it doesn't really mean anything other than the hacker is in the system, that's fine, I just wanted to know. But I'm just wondering if this means that something even worse has happened to the other users' systems - i.e., the hack is deeper or the hacker has more control.

Sorry if this question is dumb but I just had not seen that before this week and it happened twice!
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
16,322
Thanks. Just to be clear, it is not my system. I'm just receiving emails from people whose systems are compromised.

I guess my question can be boiled down to this: if the hackers are responding to me in real time, does that mean that the system is more compromised than just a phished account? Or is there really no way of knowing?

Again, I'm just being curious.
 

Myt1

the FRESH maker
Lifetime Member
SoSH Member
Mar 13, 2006
27,340
South Boston
The behavior that you’re describing is consistent with a business email compromise in which the hacker has full access to the email account of the sender and responds/sends emails in real time. They’ll do that sometimes after sending the initial email because they know they might get a follow up.


Picking up the phone to call a number you looked up yourself (that is, not in the signature block of the suspicious email) is key to confirming legitimacy.
 

InstaFace

MDLzera
Sep 27, 2016
7,443
It's also possible that the email address you're seeing was spoofed but under the hood it's being routed to a very different address from which they are actually sending and receiving mail. That's not always readily obvious from the headers, but your IT guy could look at the headers and probably tell you what's up.

There's a nice Outlook plugin called Cofense that a lot of enterprises are using for recognizing phishing attacks, might be worth a look.
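The header check InstaFace describes, as an added example that is not part of the thread and not code from Cofense or any other product named here. It parses a raw message with Python's standard `email` package and reports the two mismatches a mail admin would look for first: a Reply-To that steers answers to a different address or domain than the From header, and a Return-Path (envelope sender) in a different domain than From. The sample message, addresses and domains are constructed for the example.

```python
"""Sender-header consistency check for a suspicious message.

Added example, not code from the thread or from any product named in it.
Flags:
  * Reply-To domain differing from the From domain (replies get routed
    somewhere other than the address you think you are answering)
  * Return-Path domain differing from the From domain (the envelope sender
    is not the mailbox shown in From)
An empty findings list does NOT prove legitimacy: a fully compromised
account sends from the real mailbox and shows no mismatch at all.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: From looks like a colleague, replies are steered to a
# lookalike domain, and the envelope sender is a third domain entirely.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Alice Colleague" <alice@corp.example.com>
Reply-To: "Alice Colleague" <alice@corp-example.co>
To: you@corp.example.com
Subject: Here is the updated project description
Message-ID: <abc123@mailer.example.net>
Date: Mon, 1 Jan 2024 09:00:00 +0000

Please review the attached project description.
"""


def domain_of(addr_header):
    """Return the lowercase domain of an address header value ('' if none)."""
    _name, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender_headers(raw_bytes):
    """Parse a raw RFC 5322 message and describe sender-header mismatches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_hdr = msg.get("From", "")
    reply_to = msg.get("Reply-To", "")
    return_path = msg.get("Return-Path", "")

    from_dom = domain_of(from_hdr)
    findings = []
    # Reply-To is optional; when present it must agree with From to be benign.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(
            f"Reply-To domain {domain_of(reply_to)!r} differs from From domain {from_dom!r}"
        )
    # Return-Path is added by the receiving server; mismatch means the
    # envelope sender is not the mailbox shown to the reader.
    if return_path and domain_of(return_path) != from_dom:
        findings.append(
            f"Return-Path domain {domain_of(return_path)!r} differs from From domain {from_dom!r}"
        )
    return {
        "from": parseaddr(from_hdr)[1],
        "reply_to": parseaddr(reply_to)[1] if reply_to else None,
        "return_path": parseaddr(return_path)[1] if return_path else None,
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_sender_headers(SAMPLE_MESSAGE)
    print("From:       ", result["from"])
    print("Reply-To:   ", result["reply_to"])
    print("Return-Path:", result["return_path"])
    for line in result["findings"]:
        print("WARNING:", line)
```

To run it against a real message, save the message as raw source (most mail clients offer "view source" or "save as .eml") and pass the file's bytes to `check_sender_headers`. Two mismatches is the spoof-and-reroute pattern; zero mismatches is consistent with the account itself being compromised, which is the case the thread's other replies describe.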
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
16,322
Interesting, thanks to both of you. Just trying to get educated.
 

garlan5

Member
SoSH Member
May 13, 2009
2,549
Virginia
Maybe you're dealing with an idiot who thinks he's emailing someone else legitimately. I had a coworker from another branch send me project info and meeting invites. I've messaged back a few times and they acknowledge the mistake but it always happens again. I have a similar name in the company directory as someone else.
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
16,322
Understand, but no, the people who held the accounts had no idea what was going on. I followed up with phone calls. But thanks for your thoughts.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
12,959
37
Myt1 speaks the truth. We see these all the time in our client base. Even better is the attacker sitting in a supplier's mailbox. You send out an invoice with payment info. The hacker sends an email immediately to the person you just invoiced and says:

“Oh sorry I sent you our old routing numbers \ payment info use these instead” then deletes the message from your outbox and also creates an email rule that filters their replies. I had a family friend lose $325k because of it and is still fighting to get it back.

As you’ve seen, the hackers often reply and do all sorts of stuff. Most of it is not detectable by security solutions unless you are monitoring email communications. A lot of these customers are also O365.
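The inbox rule NortheasternPJ describes (one that silently hides the victim's replies) is the part of this scheme that does leave a trace, provided mailbox auditing is on. Below is an added example, not code from the thread, that scans audit records for New-InboxRule and Set-InboxRule operations and flags rules whose actions hide mail or forward it outside the organisation. The record shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follows the general layout of Exchange Online mailbox audit records, and the parameter names are the New-InboxRule cmdlet's own (DeleteMessage, MarkAsRead, MoveToFolder, ForwardTo, RedirectTo, SubjectContainsWords), but the records, users, addresses and the `corp.example.com` domain are all constructed for the example.

```python
"""Flag inbox rules that hide replies or forward mail externally.

Added example, not code from the thread. Input is audit-log style JSON
lines; output is one alert per suspicious rule. The record layout is
modelled on Exchange Online mailbox audit records, the sample data below
is constructed, and the organisation domain is an assumption.
"""
import json

INTERNAL_DOMAIN = "corp.example.com"   # assumed organisation domain
# Folders users rarely open; attackers move victims' replies here.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
PAYMENT_WORDS = {"invoice", "payment", "wire", "routing", "bank", "account"}

# Constructed sample records (JSON lines), not real audit data.
SAMPLE_AUDIT_LOG = """\
{"Operation": "New-InboxRule", "UserId": "alice@corp.example.com", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "bob@corp.example.com", "ClientIP": "198.51.100.4", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@vendor.example.org"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "Set-InboxRule", "UserId": "carol@corp.example.com", "ClientIP": "203.0.113.9", "Parameters": [{"Name": "Identity", "Value": "Fwd"}, {"Name": "ForwardTo", "Value": "carol.backup@mail.example.net"}]}
{"Operation": "MailItemsAccessed", "UserId": "dave@corp.example.com", "ClientIP": "198.51.100.8", "Parameters": []}
"""


def params_of(record):
    """Collapse the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def assess_rule(record):
    """Return the reasons a rule looks malicious; an empty list means not flagged."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = params_of(record)
    reasons, hides = [], False
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
        hides = True
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
        hides = True
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']!r}")
        hides = True
    # Keywords the rule matches on; payment vocabulary plus a hiding action
    # is the invoice-fraud pattern.
    raw_words = p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")
    words = {w.strip().lower() for w in raw_words.split(";") if w.strip()}
    payment_hit = words & PAYMENT_WORDS
    if hides and payment_hit:
        reasons.append("keyed on payment-related words: " + ", ".join(sorted(payment_hit)))
    name = p.get("Name", "")
    punct_name = bool(name) and not name.strip(".,;_- ")
    if hides and punct_name:
        reasons.append(f"rule name {name!r} is just punctuation")
    external = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        target = p.get(key, "")
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            external.append(f"{key} sends mail outside {INTERNAL_DOMAIN}: {target}")
    reasons.extend(external)
    # A bare delete/move rule alone is common and benign (spam, newsletters);
    # flag only when it is combined with payment keywords or a junk name,
    # or when any rule forwards externally.
    flagged = bool(external) or (hides and (bool(payment_hit) or punct_name))
    return reasons if flagged else []


def scan_audit_log(text):
    """Parse JSON lines and return an alert dict per flagged rule, in input order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = assess_rule(record)
        if reasons:
            alerts.append({"user": record.get("UserId"), "ip": record.get("ClientIP"),
                           "operation": record.get("Operation"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{alert['operation']} by {alert['user']} from {alert['ip']}:")
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed data this flags alice's rule (delete and mark-read, keyed on invoice/payment/wire, named ".") and carol's external forward, and leaves bob's newsletter filter and the unrelated MailItemsAccessed event alone. The same logic carries over to whatever export format a tenant's audit search produces, as long as the operation name and rule parameters are preserved.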