{"id":1254,"date":"2018-05-18T11:42:39","date_gmt":"2018-05-18T09:42:39","guid":{"rendered":"https:\/\/www.mcgill.org.za\/stuff\/?p=1254"},"modified":"2018-05-18T12:56:07","modified_gmt":"2018-05-18T10:56:07","slug":"man-in-the-mailbox-fraud-mitmb-howto","status":"publish","type":"post","link":"https:\/\/www.mcgill.org.za\/stuff\/archives\/1254","title":{"rendered":"Man in the mailbox fraud (MITMB) HOWTO"},"content":{"rendered":"<p>This has come up twice, so it&#8217;s time to tell the world how it&#8217;s done.\u00a0 Basically, if someone has control of your mailbox (e-mail address and password), then you&#8217;re going to lose your <strong>money<\/strong>: someone (not you, and not your friend) is going to say to use a different account to receive payment.\u00a0 This control can be by means of a simultaneous login, or by a forwarding rule that sends critical mail away.<\/p>\n<p>Here&#8217;s how to do it:<\/p>\n<ol>\n<li>Choose a victim: someone that pays money, or receives money<\/li>\n<li>Get control of the victim&#8217;s e-mail box: send a phishing mail, and wait for the magic click<\/li>\n<li>Wait for the victim to negotiate a payment<\/li>\n<li>Send a correction to the payer (&#8220;sorry, please use this account instead&#8221;)<\/li>\n<li>Add mailbox filtering rules to ensure that the payer is not in communication with the victim: forward the mail to your own address, or add a filter rule to move it to some other mailbox, like Archive\/2007\/YearEndReporting<\/li>\n<li>Withdraw money<\/li>\n<li>Go to jail, go to hell, etc. Bread of deceit is sweet to a man; but afterwards his mouth shall be filled with gravel.<\/li>\n<\/ol>\n<div id=\"attachment_1260\" style=\"width: 160px\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.mcgill.org.za\/stuff\/wp-content\/uploads\/2018\/05\/fr-what-you-think.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1260\" class=\"wp-image-1260 size-thumbnail\" src=\"https:\/\/www.mcgill.org.za\/stuff\/wp-content\/uploads\/2018\/05\/fr-what-you-think-150x150.jpg\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><p id=\"caption-attachment-1260\" class=\"wp-caption-text\">What you think is happening<\/p><\/div>\n<p>So vic@VICTIMcorp is buying a crate of frumbles from his supplier SUPPLYCORP, and shipping them to his client CHUMPSHOP.\u00a0 Here&#8217;s how it should go:<\/p>\n<ul>\n<li>CHUMPSHOP says: &#8220;Hey Vic@VICTIMcorp, Please send me an invoice, and I&#8217;ll pay.&#8221;<\/li>\n<li>SUPPLYCORP says: &#8220;Hey Vic@VICTIMcorp, Here&#8217;s your invoice, please pay.&#8221;<\/li>\n<li>CHUMPSHOP pays Vic@VICTIMcorp<\/li>\n<li>Vic@VICTIMcorp pays SUPPLYCORP<\/li>\n<li>Everyone is happy<\/li>\n<\/ul>\n<div id=\"attachment_1261\" style=\"width: 160px\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.mcgill.org.za\/stuff\/wp-content\/uploads\/2018\/05\/fr-what-actually.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1261\" class=\"size-thumbnail wp-image-1261\" src=\"https:\/\/www.mcgill.org.za\/stuff\/wp-content\/uploads\/2018\/05\/fr-what-actually-150x150.jpg\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><p id=\"caption-attachment-1261\" class=\"wp-caption-text\">What is actually happening<\/p><\/div>\n<p>Here&#8217;s how it happens when the attacker interferes:<\/p>\n<ul>\n<li>CHUMPSHOP says: &#8220;Hey Vic@VICTIMcorp, Please send me an invoice, and I&#8217;ll pay.&#8221;<\/li>\n<li>SUPPLYCORP says: &#8220;Hey Vic@VICTIMcorp, Here&#8217;s your invoice, please pay.&#8221;<\/li>\n<li>Vic@VICTIMcorp says: &#8220;Hey CHUMPSHOP, here&#8217;s your invoice&#8221;<\/li>\n<li>The evil attacker spoofs a mail in the name of the SUPPLYCORP:\u00a0 &#8220;Hi Vic@VICTIMcorp, I&#8217;m SUPPLYCORP, sorry, please pay into our new bank account. Sorry about the error.&#8221;<\/li>\n<li>The evil attacker spoofs a mail in the name of the victim to the client CHUMPSHOP: &#8220;Hi CHUMPSHOP, I&#8217;m Vic@VICTIMcorp, sorry, please pay into our new bank account. Sorry about the error.&#8221;<\/li>\n<li>CHUMPSHOP pays the attacker, and sends a mail to Vic@VICTIMCORP saying he&#8217;s paid<\/li>\n<li>Attacker receives mail, modifies it, and forwards to Vic@VICTIMcorp.<\/li>\n<li>Vic@VICTIMcorp feels paid, so Vic pays the attacker, and mails proof of payment to SUPPLYCORP.<\/li>\n<\/ul>\n<p>While the attacker runs off to the bank to move the money along, this is what everyone else is doing:<\/p>\n<ul>\n<li>SUPPLYCORP notices that Vic@VICTIMcorp paid the wrong account, and mails him. Attacker deletes the mail.<\/li>\n<li>Vic@VICTIMcorp notices that he didn&#8217;t get money from CHUMPSHOP, so he queries it. CHUMPSHOP says he did pay, and sends details. Attacker deletes the mail.<\/li>\n<\/ul>\n<p>By the time the people figure out that someone is filtering their communications, the money has been withdrawn by the attacker.<\/p>\n<p>Bonus points are awarded for controlling the sender <strong>and<\/strong> the recipient&#8217;s mailboxes, cell phones, etc.<\/p>\n<p>The moral of the story is: <strong>do not <\/strong>negotiate payment details by computer.\u00a0 Talk to a real person.<\/p>\n<blockquote><p>Lay not up for yourselves treasures upon earth, where moth and rust doth corrupt, and where thieves break through and steal:<br \/>\nBut lay up for yourselves treasures in heaven, where neither moth nor rust doth corrupt, and where thieves do not break through nor steal:<br \/>\nFor where your treasure is, there will your heart be also.<\/p>\n<p>Wilt thou set thine eyes upon that which is not? for riches certainly make themselves wings; they fly away as an eagle toward heaven.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>This has come up twice, so it&#8217;s time to tell the world how it&#8217;s done.\u00a0 Basically, if someone has control of your mailbox (e-mail address and password), then you&#8217;re going to lose your money: someone (not you, and not your &hellip; <a href=\"https:\/\/www.mcgill.org.za\/stuff\/archives\/1254\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[160,245,246,16,190],"class_list":["post-1254","post","type-post","status-publish","format-standard","hentry","category-stuff","tag-fraud","tag-hacking","tag-passwords","tag-security","tag-stuff"],"_links":{"self":[{"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/posts\/1254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/comments?post=1254"}],"version-history":[{"count":7,"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/posts\/1254\/revisions"}],"predecessor-version":[{"id":1263,"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/posts\/1254\/revisions\/1263"}],"wp:attachment":[{"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/media?parent=1254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/categories?post=1254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcgill.org.za\/stuff\/wp-json\/wp\/v2\/tags?post=1254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}