Question about hacking

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,495
So I'm curious about something, and the people on this board know way more than my IT department, so I thought I'd get some good information here.

We all get phishing emails where we are sent something that looks like an adobe file or what not saying "invoice, please open," or things along those lines. More often lately, I have been getting these emails from people I know. I have been thinking that in most of these cases, the hackers are spoofing people's email. As such, I have made it my practice to send an email back to the person I know to tell them someone got into their contacts or what not, and they are grateful.

On two different occasions in the last week, I received emails basically saying, "Here is the updated project description." One was from a person I'm actively working with; one is not.

In both cases, I sent the email back to the account and said, "I don't think you meant to send this." And in both cases - here is what gets me - the hacker replied to me, "Yes, I did. Please review."

So here's my question. I'm not surprised that hackers can take over someone's email address, but what does it mean that the hacker is replying in real time? If it doesn't really mean anything other than the hacker is in the system, that's fine, I just wanted to know. But I'm just wondering if this means that something even worse has happened to the other users' systems - i.e., the hack is deeper or the hacker has more control.

Sorry if this question is dumb but I just had not seen that before this week and it happened twice!
 

Hawk68

New Member
Feb 29, 2008
172
Massachusetts
This sounds like your system has been compromised. Notify IT for their action. If your org does not have a dedicated department, get outside consultant.
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,495
Thanks. Just to be clear, it is not my system. I'm just receiving emails from people whose systems are compromised.

I guess my question can be boiled down to this: if the hackers are responding to me in real time, does that mean that the system is more compromised than just a phished account? Or is there really no way of knowing?

Again, I'm just being curious.
 

Myt1

educated, civility-loving ass
Lifetime Member
SoSH Member
Mar 13, 2006
41,576
South Boston
The behavior that you’re describing is consistent with a business email compromise in which the hacker has full access to the email account of the sender and responds/sends emails in real time. They’ll do that sometimes after sending the initial email because they know they might get a follow up.

https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
Picking up the phone to call a number you looked up yourself (that is, not in the signature block of the suspicious email) is key to confirming legitimacy.
 

InstaFace

The Ultimate One
SoSH Member
Sep 27, 2016
21,759
Pittsburgh, PA
It's also possible that the email address you're seeing was spoofed but under the hood it's being routed to a very different address from which they are actually sending and receiving mail. That's not always readily obvious from the headers, but your IT guy could look at the headers and probably tell you what's up.

There's a nice Outlook plugin called Cofense that a lot of enterprises are using for recognizing phishing attacks, might be worth a look.
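An added example (not code from any poster in this thread) of the header check InstaFace is describing: compare the visible From address with the Reply-To header, the envelope Return-Path, and the receiving server's Authentication-Results verdicts. Both messages below are constructed, and every address and domain in them is a placeholder. Note the limit of this check, which is the point Myt1 makes: when the account itself is compromised, the mail genuinely comes from the right mailbox and all of these headers look normal, so only an out-of-band phone call settles it.

```python
"""Sender-consistency checks on a raw RFC 5322 message.

Added example; the two messages below are constructed, not real mail."""
import email
import re
from email.utils import parseaddr

# Constructed sample: the visible From matches a known contact, but replies and
# bounces are routed to unrelated domains and the receiving server recorded an SPF failure.
SUSPICIOUS_MAIL = """\
Return-Path: <bounce-7f3@relay.mail-forward.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.mail-forward.example; dkim=none
From: "Alice Example" <alice@example.com>
Reply-To: "Alice Example" <alice.example@example-projects.net>
To: bob@example.com
Subject: Here is the updated project description

Please review the attached project description.
"""

# Constructed sample of ordinary internal mail: one sender identity throughout.
CLEAN_MAIL = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?

Still on for noon?
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_findings(raw: str) -> list[str]:
    """Return finding codes for sender-consistency problems; [] when nothing stands out."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    auth = msg.get("Authentication-Results", "")
    findings = []

    # Your reply goes to Reply-To when it is present. A different mailbox means the
    # conversation is being steered away from the person shown in From.
    if reply_to and reply_to != from_addr:
        findings.append("reply-to-differs-from-from")
        if _domain(reply_to) != _domain(from_addr):
            findings.append("reply-to-external-domain")

    # Return-Path is the envelope sender the sending server used; for normal
    # corporate mail it sits in the same domain as the From header.
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append("return-path-domain-differs")

    # Authentication verdicts stamped by the receiving server, if any were recorded.
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}-{m.group(1).lower()}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MAIL), ("clean", CLEAN_MAIL)):
        print(label, header_findings(raw) or "no findings")
```

Run it on a message saved as plain text ("View source" or "Show original" in most mail clients) and treat any finding as a reason to verify by phone rather than by replying, since a reply to a redirected conversation lands with whoever set the Reply-To.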
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,495
Interesting, thanks to both of you. Just trying to get educated.
 

garlan5

Member
SoSH Member
May 13, 2009
2,684
Virginia
Maybe you're dealing with an idiot who thinks he's emailing someone else legitimately. I had a coworker from another branch send me project info and meeting invites. I've messaged back a few times and they acknowledge the mistake, but it always happens again. I have a similar name in the company directory as someone else.
 

wade boggs chicken dinner

Member
SoSH Member
Mar 26, 2005
30,495
Understand, but no, the people who held the accounts had no idea what was going on. I followed up with phone calls. But thanks for your thoughts.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
Myt1 speaks the truth. We see these all the time in our client base. Even better is the attacker sitting in a supplier's mailbox. You send out an invoice with payment info. The hacker sends an email immediately to the person you just invoiced and says:

“Oh sorry I sent you our old routing numbers \ payment info use these instead” then deletes the message from your outbox and also creates an email rule that filters their replies. I had a family friend lose $325k because of it and is still fighting to get it back.

As you've seen, often the hackers reply and do all sorts of stuff. Most of it is not detectable by security solutions unless you are monitoring email communications. A lot of these customers are also O365.
 

j44thor

Member
SoSH Member
Aug 1, 2006
10,961
What is likely happening is the attacker has compromised their mailboxes and set up auto-forward/delete rules, so that when certain emails are replied to, the compromised user never even sees the email come in; it just goes to a mailbox monitored by the attacker. This definitely sounds like an attempted BEC attack.
 

AlNipper49

Huge Member
Dope
SoSH Member
Apr 3, 2001
44,853
Mtigawi
If you are using g-Suite or o365 without multi factor authentication then just assume that you’ll get hacked.