Man in the mailbox fraud (MITMB) HOWTO

This has come up twice, so it’s time to tell the world how it’s done.  Basically, if someone has control of your mailbox (e-mail address and password), then you’re going to lose your money: someone (not you, and not your trading partner) is going to tell the other side to use a different bank account to receive payment.  That control can be a simultaneous login with your stolen password, or a forwarding rule that quietly sends the critical mail away; either way you see nothing until the money is gone.

Here’s how to do it:

  1. Choose a victim: someone that pays money, or receives money.
  2. Get control of the victim’s e-mail box: send a phishing mail, and wait for the magic click.
  3. Wait for the victim to negotiate a payment.
  4. Send a correction to the payer (“sorry, please use this account instead”).
  5. Add mailbox filtering rules to ensure that the payer is not in communication with the victim: forward the mail to your own address, or add a filter rule to move it to some folder nobody ever opens, like Archive/2007/YearEndReporting. (The careful attacker sets these rules up before step 4, so the victim never sees the first puzzled reply.)
  6. Withdraw the money, quickly, before anyone compares notes.
  7. Go to jail, go to hell, etc. Bread of deceit is sweet to a man; but afterwards his mouth shall be filled with gravel.
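Step 5 is the part a defender can actually look for: the rules live in the victim’s own mailbox and survive a password change. Below is an added example, not from the original post, that audits an exported list of mailbox rules and flags the ones that forward outside the organisation, delete or bury payment-related or partner-related mail, or carry a one-character name. The rule export format (the “conditions” and “actions” fields), the domains and the sample rules are all constructed for this example; map your own provider’s export onto them.

```python
import re

# Terms an attacker's rule tends to key on: anything about money changing hands.
PAYMENT_TERMS = re.compile(r"invoice|payment|remit|bank|account|wire|iban|swift", re.I)
# Destinations nobody reads, or paths buried several levels deep.
BURIED_FOLDER = re.compile(r"rss|junk|deleted|archive|conversation history", re.I)

# Assumed organisation and trading-partner domains (constructed for this example).
ORG_DOMAIN = "victimcorp.example"
PARTNER_DOMAINS = ["supplycorp.example", "chumpshop.example"]

# Constructed sample of a mailbox-rule export. The field names are an assumption
# made for this example, not any mail provider's real schema. Rules 2-4 are the
# kind described in step 5 above; rule 1 is an ordinary, harmless rule.
SAMPLE_RULES = [
    {"name": "Newsletters",
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".",
     "conditions": {"subject_or_body_contains": ["invoice", "payment"]},
     "actions": {"move_to": "Archive/2007/YearEndReporting", "mark_read": True}},
    {"name": "sync",
     "conditions": {"from_contains": ["@supplycorp.example", "@chumpshop.example"]},
     "actions": {"forward_to": ["vic.victimcorp@webmail.example"]}},
    {"name": "Cleanup",
     "conditions": {"subject_or_body_contains": ["wrong account", "not received"]},
     "actions": {"delete": True}},
]


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def looks_buried(folder):
    """True for folders a user is unlikely to open: junk-like names or deep paths."""
    return bool(BURIED_FOLDER.search(folder)) or folder.count("/") >= 2


def audit_rules(rules, org_domain=ORG_DOMAIN, partner_domains=PARTNER_DOMAINS):
    """Return (rule_name, reason) pairs for rules that divert, bury or delete
    mail about payments or mail from trading partners."""
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        conds = rule.get("conditions", {})
        acts = rule.get("actions", {})
        match_text = " ".join(conds.get("subject_or_body_contains", []))
        touches_money = bool(PAYMENT_TERMS.search(match_text))
        touches_partner = any(pd in f.lower()
                              for f in conds.get("from_contains", [])
                              for pd in partner_domains)

        # Forwarding or redirecting outside the organisation is the classic
        # "read my mail without logging in again" rule.
        for addr in acts.get("forward_to", []) + acts.get("redirect_to", []):
            if domain_of(addr) != org_domain:
                findings.append((name, f"forwards to external address {addr}"))

        # Deleting, or filing away as already read, the very mail that would
        # expose the fraud (queries about wrong accounts, partner correspondence).
        if acts.get("delete") and (touches_money or touches_partner):
            findings.append((name, "deletes payment- or partner-related mail"))
        dest = acts.get("move_to")
        if dest and (touches_money or touches_partner) and (acts.get("mark_read") or looks_buried(dest)):
            findings.append((name, f"buries payment- or partner-related mail in {dest!r}"))

        # Attackers name rules "." or " " so they are easy to overlook in the UI.
        if len(name.strip(". _-")) <= 1:
            findings.append((name, "rule name is blank or a single character"))
    return findings


if __name__ == "__main__":
    for rule_name, reason in audit_rules(SAMPLE_RULES):
        print(f"{rule_name!r}: {reason}")
```

Run against the sample, the harmless “Newsletters” rule passes and the other three are flagged (the “.” rule twice: once for burying invoice mail, once for its name). Run it periodically over every mailbox, not only after an incident: the rule is the attacker’s foothold, and it stays after the password is reset.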

What you think is happening

So Vic@VICTIMcorp is buying a crate of frumbles from his supplier SUPPLYCORP, and shipping them to his client CHUMPSHOP.  Here’s how it should go:

  • CHUMPSHOP says: “Hey Vic@VICTIMcorp, Please send me an invoice, and I’ll pay.”
  • SUPPLYCORP says: “Hey Vic@VICTIMcorp, Here’s your invoice, please pay.”
  • CHUMPSHOP pays Vic@VICTIMcorp
  • Vic@VICTIMcorp pays SUPPLYCORP
  • Everyone is happy

What is actually happening

Here’s how it happens when the attacker interferes:

  • CHUMPSHOP says: “Hey Vic@VICTIMcorp, Please send me an invoice, and I’ll pay.”
  • SUPPLYCORP says: “Hey Vic@VICTIMcorp, Here’s your invoice, please pay.”
  • Vic@VICTIMcorp says: “Hey CHUMPSHOP, here’s your invoice.”
  • The evil attacker spoofs a mail in the name of SUPPLYCORP: “Hi Vic@VICTIMcorp, I’m SUPPLYCORP, please pay into our new bank account instead. Sorry about the error.”
  • The evil attacker spoofs a mail in the name of the victim to the client CHUMPSHOP: “Hi CHUMPSHOP, I’m Vic@VICTIMcorp, please pay into our new bank account instead. Sorry about the error.”
  • CHUMPSHOP pays the attacker, and sends a mail to Vic@VICTIMcorp saying he’s paid.
  • The attacker’s filter rule catches that mail; the attacker edits it so that nothing in it points at the wrong account, and forwards it on to Vic@VICTIMcorp.
  • Vic@VICTIMcorp feels paid, so Vic pays the attacker, and mails proof of payment to SUPPLYCORP.

While the attacker runs off to the bank to move the money along, this is what everyone else is doing:

  • SUPPLYCORP notices that Vic@VICTIMcorp paid the wrong account, and mails him. Attacker deletes the mail.
  • Vic@VICTIMcorp notices that he didn’t get money from CHUMPSHOP, so he queries it. CHUMPSHOP says he did pay, and sends details. Attacker deletes the mail.

By the time the parties figure out that someone is filtering their communications, the attacker has already withdrawn the money.
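The two “please use our new account” mails above are the moment the fraud becomes visible, if anyone looks at them properly. As an added example (not part of the original post), the following checks a raw message for the tell-tale signs: a lookalike sender domain, a display name that claims a known partner while the address is elsewhere, a Reply-To that diverts answers to a third mailbox, and a body that asks to change where money goes. The partner list, the regular expression and the three sample messages are constructed for the example. The third sample is the important one: when the attacker sends from the partner’s genuine, compromised mailbox every header is real, and only the body check fires.

```python
import email
import email.utils
import re
from email import policy

# Trading partners we know, by domain, and the name they trade under (assumed).
KNOWN_PARTNERS = {"supplycorp.example": "SUPPLYCORP", "chumpshop.example": "CHUMPSHOP"}
CHANGE_OF_ACCOUNT = re.compile(
    r"new (bank )?account|updated (bank|account|payment) details|pay (into|to) our new", re.I)

# Constructed sample messages; all names, addresses and domains are made up.
LEGIT = """\
From: SUPPLYCORP Billing <billing@supplycorp.example>
To: vic@victimcorp.example
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Hi Vic, here is invoice 4471 for the frumbles. Payment terms as usual.
"""

# Lookalike domain (supp1ycorp), display name borrowed from the real supplier,
# replies diverted to a webmail account, and a request to change the account.
SPOOFED = """\
From: SUPPLYCORP Billing <billing@supp1ycorp.example>
Reply-To: accounts.supplycorp@webmail.example
To: vic@victimcorp.example
Subject: RE: Invoice 4471 - corrected details
Content-Type: text/plain; charset=utf-8

Hi Vic, sorry, please pay into our new bank account. Sorry about the error.
"""

# Sent from the supplier's genuine, compromised mailbox: every header is real.
FROM_COMPROMISED_MAILBOX = """\
From: SUPPLYCORP Billing <billing@supplycorp.example>
To: vic@victimcorp.example
Subject: RE: Invoice 4471
Content-Type: text/plain; charset=utf-8

Hi Vic, our bank has changed, please use our new bank account for this invoice.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def flag_payment_change(raw_message):
    """Return the reasons this message deserves a phone call before anyone
    changes where money is sent. An empty list means nothing was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    reasons = []

    # The request itself: this is the only check that survives a compromised mailbox.
    if CHANGE_OF_ACCOUNT.search(body):
        reasons.append("asks to change the account money is paid into")
    # Sender domain a keystroke or two away from a partner we know.
    if from_domain not in KNOWN_PARTNERS:
        for known in KNOWN_PARTNERS:
            if edit_distance(from_domain, known) <= 2:
                reasons.append(f"sender domain {from_domain} is a lookalike of {known}")
    # Display name says SUPPLYCORP, address says somewhere else.
    for known, trade_name in KNOWN_PARTNERS.items():
        if trade_name.lower() in from_name.lower() and from_domain != known:
            reasons.append(f"display name claims {trade_name} but address is at {from_domain}")
    # Replies quietly routed to a mailbox the attacker controls.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(email.utils.parseaddr(str(reply_to))[1])
        if reply_domain != from_domain:
            reasons.append(f"replies are diverted to {reply_domain}")
    return reasons


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed", SPOOFED),
                       ("compromised", FROM_COMPROMISED_MAILBOX)]:
        print(label, flag_payment_change(raw))
```

The spoofed mail trips all four checks; the mail from the compromised mailbox trips only the first. That one finding is enough: any request to change payment details gets a phone call, whatever the headers say.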

Bonus points are awarded for controlling both the sender’s and the recipient’s mailboxes, their cell phones, etc.

The moral of the story is: do not accept a change of payment details by computer.  Talk to a real person, on a phone number you already had before the “correction” arrived, not one printed in the mail.

Lay not up for yourselves treasures upon earth, where moth and rust doth corrupt, and where thieves break through and steal:
But lay up for yourselves treasures in heaven, where neither moth nor rust doth corrupt, and where thieves do not break through nor steal:
For where your treasure is, there will your heart be also.

Wilt thou set thine eyes upon that which is not? for riches certainly make themselves wings; they fly away as an eagle toward heaven.
