$300k wired and lost.

thecomputerguy

My client is the lawyer for a national insurance company. They were supposed to receive $300k from a small construction company. The lawsuit alleges that the insurance company never received the money and can prove that they never received the money. The construction company alleges the money was sent in three $100k payments.

My client (the lawyer) contacted me to take a look at the email correspondence and it appears that illegitimate domains were registered on both ends to make this happen.... think the company was contosollp.com and contosoillp.com was registered.

I was tasked, essentially to take a look at where the compromise may have occurred. The illegitimate domains have already been decommissioned and the money is gone. The national insurance company appears to be using ProofPoint as a spam filter. I'm not sure how to look beyond that to see who their host actually is but I'd put money on it being M365.

The construction company has a CNAME record pointing to mail.contoso.com - when visiting mail.contoso.com I get redirected to a mail service called SmarterMail. Upon further investigation it appears SmarterMail is a POP/IMAP-only email service, maybe Linux based?


To further complicate things, the owner of the construction company was using a Hotmail account and was CC'd on all these emails, a lot of which were using the illegitimate domain.

I explained in an email to my client (the lawyer) that without being able to get hands on either domain it would be impossible to determine with absolute certainty where the compromise occurred, but in my opinion it is likely that the compromise occurred on the construction company's end due to not adopting a true business class email solution like M365 or Google Apps. Additionally, using a Hotmail account in all of this further complicates the matter, as it also does not, in my opinion, fulfill the requirements for an acceptable business class email solution.

THEIR lawyer basically sent a letter saying that for us to call "SmarterMail" and "Hotmail" inadequate and less superior than an M365 email service is completely incorrect, as Hotmail is a "Cloud-Based Microsoft Server".

Any suggestions on further investigating this?
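The pattern described in this post (a registered look-alike of the real firm's domain, used in From/Reply-To while the real parties sit in To/Cc) is something the preserved emails can still be checked for even after the domains are gone. The script below is an added example, not code from the poster or from any of the products mentioned: it parses a constructed .eml modelled on the thread, pulls every address out of the From, Reply-To, To and Cc headers, and classifies each domain as trusted, look-alike (within a small edit distance of a known partner domain) or unknown. The trusted list, the fabrikam-builders.example stand-in for the construction company, and the message contents are all assumptions constructed for the example; contosollp.com and contosoillp.com are the names the post gives.

```python
"""Flag look-alike sender domains in an e-mail's address headers.

Constructed example for a BEC (business e-mail compromise) review: given the
domains the parties legitimately use, every address in the From, Reply-To,
To and Cc headers is classified as trusted, look-alike (within a small edit
distance of a trusted domain) or unknown.
"""
from __future__ import annotations

from email import policy
from email.parser import Parser
from email.utils import getaddresses

# Domains the parties legitimately use. contosollp.com is the name given in
# the thread; fabrikam-builders.example is a constructed stand-in for the
# construction company's real domain.
TRUSTED_DOMAINS = {"contosollp.com", "fabrikam-builders.example"}

# Constructed message modelled on the thread: the From/Reply-To domain has an
# extra "i" inserted into the real firm's domain, while the construction
# company's accounts mailbox and the owner's Hotmail address are recipients.
SAMPLE_EML = """\
From: "Jane Doe" <jane.doe@contosoillp.com>
Reply-To: jane.doe@contosoillp.com
To: accounts@fabrikam-builders.example
Cc: owner@hotmail.com
Subject: Wire instructions for settlement payment 1 of 3
Date: Mon, 01 Jan 2024 09:00:00 +0000

Please use the updated account details attached.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted: set[str], max_distance: int = 2) -> tuple[str, str | None]:
    """Return (verdict, closest trusted domain or None).

    A domain that is not trusted but lies within max_distance edits of a
    trusted one is reported as a look-alike; anything further away is unknown.
    """
    d = domain.lower().strip(".")
    if d in trusted:
        return "trusted", d
    best = min(trusted, key=lambda t: levenshtein(d, t))
    if levenshtein(d, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


def audit_message(raw: str, trusted: set[str]) -> list[dict]:
    """Classify the domain of every address in the message's address headers."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    for header in ("From", "Reply-To", "To", "Cc"):
        for _display_name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                continue
            domain = addr.rsplit("@", 1)[1]
            verdict, closest = classify_domain(domain, trusted)
            findings.append({"header": header, "address": addr,
                             "domain": domain.lower(), "verdict": verdict,
                             "closest": closest})
    return findings


def suspicious(findings: list[dict]) -> list[dict]:
    """Only the look-alike hits, which are what a reviewer would escalate."""
    return [f for f in findings if f["verdict"] == "lookalike"]


if __name__ == "__main__":
    for f in audit_message(SAMPLE_EML, TRUSTED_DOMAINS):
        note = f" (near {f['closest']})" if f["verdict"] == "lookalike" else ""
        print(f"{f['header']:9} {f['address']:40} {f['verdict']}{note}")
```

Run over a mailbox export, the same loop turns every message into a row of verdicts, and the first date on which a look-alike domain appears in From or Reply-To is usually the most useful fact for the timeline: it bounds when the correspondence was first diverted, independent of whichever mailbox was actually compromised.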
 
Common and fully automated attack vector.

Shame on your client for failing to MFA the transfer, pick up THE PHONE and CALL the person you're sending cash to, and validate all connection details. Wire transfers are cash, and not traceable or reversible. The person that pushes "send" is at fault, end of discussion. The construction company is on the hook for the balance; it's not anyone else's fault they didn't validate the destination information before transmission of the funds.

Hotmail is M365 by the way... but isn't secured the same way.

Investigation is a waste of time, users didn't validate the senders and receivers of a financial transaction. Unless you have evidence that one of your accounts was improperly accessed, the fault is with the humans not the tech and digging doesn't matter.

If there are legal actions pending based on evidence, hire a forensics team; you need to get out of the way.

SmarterMail is a solid mail server too... always sad to see it abused.
 

Got it ... thanks!

Thankfully it wasn't my client that was at fault here, my client is representing the insurance company. They are saying the burden of proof when it comes to the compromise and the logs in that compromise is on us or my client. Ultimately it really doesn't matter.

I told my client this is barely an IT related issue. Ultimately it's a human-to-human error.
 
This is exactly what a lawyer's Trust account could help with. For that amount, I would have been transferring the money to the lawyer's Trust account, then have it forwarded to the payee from there.
 
The fact that the owner of the construction company was using a Hotmail account for important business matters shows a wanton disregard for proper IT best practices. Chances are pretty good that someone somewhere repeatedly warned against and advised against him using that account for work and the warnings were ignored.

In other words it shows that the construction company had no clue about cybersecurity or information protection.
 
HA! You assume anyone was there to warn him.

People like that are so stupidly cheap that if they do have IT assistance around, it's not qualified to work on my service desk. So I'd say odds are pretty good no warning was directly offered.
 