This morning, our finance department was targeted by a specific social engineering attack. An individual claiming to be Mike Mahon, sent the following email:
From: Mike Mahon [firstname.lastname@example.org]
Sent: Friday, May 09, 2014 8:51 AM
Hope you are having a splendid day. I want you to quickly email me the details you will need to help me process an outgoing wire transfer to another bank.
I will appreciate a swift email response.
After an intial response occurred with the transfer information, we received a request to transfer $45000 to a Bank in Hong Kong. Fortunately, the employees involved were smart and decided to put the brakes on right then.
As you can see from the information stripped from the email message transmission headers, the attacker spoofed many values which weren't obvious to the reader on initial receipt.
From: "Mahon , Mike " <email@example.com> (This is just a fake from address)
Reply-To: "Mahon , Mike " <firstname.lastname@example.org> (Different Email Address than the from address for reply's. Typical operational tactic from a scammer)
Received: from localhost ([22.214.171.124]) (Arizona - The attacker bounced the email between different servers)
X-Originating-IP: 126.96.36.199 (Nigeria - The original sending IP address)
Email, although a great communication tool, is not known for being very security minded. It is indeed possible to send emails from individuals that have no knowledge of things being done in their name.
So, the moral of our story is to pay attention to the actual information received in your emails. It may be fraudlent, and if something looks suspicious, please contact the Information Security Office and we can help you determine if the requests are legitimate.