The Classic M57 Case:  Document Exfiltration

The Classic M57 Case: Document Exfiltration

Digital Forensics 101

One of my all-time favourite characters "Jimmy McGill" once said : image.png That applies to cyber security as well, you're not usually having security measures on your top priority list when setting up your business, but once you get hit, you'd wish you'd had it on.

Once I witnessed a case where a particular business was embezzled when a supplier had been chasing them to settle payment to start shipping their commodity, and you may have guessed it, the company had paid the full amount already; sadly, it was such a hefty bill. That sums up a few obvious questions:

  • "Where did the money go?" obviously, to the wrong person!
  • "How did it even happen?" The invoice and payment details were sent from the supplier to the company containing the payment methods and the account info
  • "Who did that?" a middle-man, so-called hacker
  • "How to get our money back?" Continue reading...
  • "How to avoid that in the future?" Continue reading...
  • " And how to get the person who did this?" Continue reading...

Well, when I encountered this issue, I remembered the M57.biz case. It's a pretty classic (yet super helpful) exercise for whoever studied Digital Forensics one day. The case was the following: " M57.biz is a web start-up developing a body art catalogue. A few weeks into inception, a personal spreadsheet containing the names and salaries of the company's key employees was posted in the "comments" section of one of the firm's competitors. The spreadsheet only existed on one of M57's officers—Jean." then, a few interviews were carried out with the company staff, and of course, Jean confirmed she'd sent the document to the CEO upon their request, but the CEO claims they've never received it; their email credentials were shared and so on.

I thought of this case study as the steps taken to solve it was similar to what helped out with solving the company that settled the bill for a middle-man (hacker) rather than their actual supplier without knowing that.

To make it less tedious for the readers, I will list them out in steps:

  1. The staff must stop using their computers immediately, and the investigator has to back up each computer's full disk images instantly.
  2. The investigator must ask each of the staff some questions regarding the incident and evaluate the answers; in our case, everyone told the same story, which means they were spoofed.
  3. The investigator has to load up the disk images to forensic software Autopsy, for example, and start analyzing the data, such as files, and emails, with the consideration of timestamp validity.

Findings:

  1. An email was sent to the company FROM the supplier's email requiring a down payment to start shipping.
  2. The email looks like it is FROM the supplier's email, which contains the supplier's name and address, but it was spoofed. The values of reply-to and return-path in the email headers were modified to be returned to the attacker's bogus email address.
  3. The company's accountant recognizes the supplier's email as a known email address trustworthy and asks for the invoice that includes the payment details.
  4. Similarly, the attacker sent out to the actual supplier requesting their invoice (to maintain the right cover and to make the final invoice looks authentic)
  5. The attacker sent an email back to the accountant containing an original invoice that looked like the usual supplier's invoice but contained the attacker's payment details, and then the loss happened.

The answer to the remaining questions:

  • "How to get our money back?" once the incident occurs, the authorities must be informed, as the bank will need a valid police report to persuade the money interception. The investigation to be carried out by the authorities or an independent investigator depends on how the authorities advise.
  • " And how to avoid that in the future." by increasing cyber security awareness among the staff, this particular incident is majorly a human fault. It could have been avoided without applying any extra software but by adequately training the staff.
  • " And how to get the person who did this?" there are two ways to track down the attacker:
  • The payment details which were in the invoice
  • The email message the attacker has sent can identify the source-IP field in the email headers; if not masked, it can lead to his location. And, of course, an investigator can trace his email address down if it is related to other activities on the internet, using Open Source Intelligence (OSINT) to find out more about his identity. And that would be in my future posts ...

More about Email Spoofing

More about Document Exfiltration