How hackers used the letter ‘i’ to almost steal $2.5 Million

The day started like most with the morning staff meeting filled with the usual banter.  There were discussions of upcoming vacations and time off. Someone had to leave early to pick up kids from day-care. There was talk about future projects and another about equipment delivery expected today.

Afterward came the regular flow of calls and emails. It kept up through lunch, with a brief break for sandwiches and coffee, then back to the flow.

At 2 pm a call from the President of a client. He’d been in the middle of a wiring transaction, and something strange had happened — could we take a look.

The investigation

The President was completing a transaction that had been going on for several weeks.  There were email messages between himself, lawyers, trust fund managers, and a remote firm into which they were set to wire funds. Today was the day to wire $ 2.5 Million. At noon, the remote firm reported an issue with their bank and asked the transaction to pause for an hour.

An hour later the firm reported the bank issue was ongoing, and would the President instead wire the funds to another bank.  It was curious but not unheard of. The President scanned the emails, and everything looked ok.

The wiring instructions specified an unfamiliar bank. The President asked for more details, and it turned out it was an overseas bank. Time was essential, and the funds needed to go now, or the opportunity would pass. It seemed strange there was a sudden urgency to the emails. Further checking revealed the bank was in Shanghai and the remote firm had no offices in China.

The President forwarded us a copy of a long email thread with weeks of replies.  Pretty typical threaded conversation with lots of responses and ongoing dialog.  Comments from lawyers and business colleagues expressing optimism for the impending transaction.  Nothing looked unusual in the forwarded thread.

Deeper dive

A typical email thread will obscure most headers. The headers provide the information System Administrators need to trace email flows. We turned our attention to the mail server where the messages and headers were stored.

We found the thread in the President’s Inbox and noticed something strange. The email was sent via Google. The remote firm was a publicly traded institution, and it seemed unlikely they’d use Google.  We noticed earlier messages had been sent using the remote firm’s business servers and not through Google.

While scrutinizing the President’s forwarded thread, we noticed a slight change in the spelling of the remote firm’s email address. The letter ‘i’ was added to the middle of the domain. The President was not emailing the remote firm at all, but instead a new domain that was different by a single letter.  The ARIN whois database confirmed the new domain had been registered at noon today and then pointed to Google for email services.

The story came into focus

Sometime around noon, the hackers downloaded a copy of the email thread, likely a simple cut and paste from someone’s mailbox. They saw what was about to transpire and hatched a plan intercept the wired funds.

The hackers registered a new domain that was a close approximation of the remote firm and spun up a Google email account to start receiving email. They carefully edited their copy of the email thread and replaced all references to the real domain with their new domain. These edits would fool anyone who scanned down the thread. They sent the President their fake thread and added the ruse about the bank having wiring problems.

The hackers gambled the President would see a familiar subject and the text of messages he’d sent and received and not scrutinize the sender’s domain spelling. The request to pause the transaction was a simple way to test if their plan would work.

The gamble paid off, and the President replied.  That ensured all future replies routed to them. They needed to act fast. They’d need to complete the wire before anyone noticed the President was no longer sending them emails.

The wiring to Shanghai, however, finally put the breaks on their ruse.

Lingering questions

The only question that remained was how the hackers had managed to intercept the email thread. The answer was simple, an employee from the remote firm had had his email password stolen, which he finally admitted. The hackers had used his credentials to access his email box and make a copy of the email thread. The thread the hackers copied was on the day the transaction was set to take place, so they had up-to-date details of the plans.

The fact the domain was registered on the day the wire was to take place likely meant the hackers didn’t have much time to prepare. If they did, they might have registered earlier and used the time to open an account within a region where the remote firm had offices and been able to allay suspicion.  If they’d had more time and been more careful, they could have gotten away with 2.5 Million.

How can you protect yourself from this type of attack?

First and most importantly, always scrutinize a sender’s email address.  Even if you recognize the name and the subject line, you should have an idea of the correct address and verify before replying.

Second, there’s nothing wrong with sending or receiving wiring instructions in an email. The last step of a transaction should be to call the receiver and verbally confirm the instructions. You should never wire based strictly on email.

Finally, you should always be suspicious of emails where the tone of the other party has changed, or there is a new sense of urgency to actions on your part. If something doesn’t feel right, stop, and make the call.  Always trust your instincts.

Carroll-Net was founded in 1994 with the singular goal of providing datacenter services our clients require at a price they can afford, delivered everywhere they need them. The industry now calls this cloud services — we call it common sense.