CEO Wire Transfer Fraud ceoaccounts@email.com

Update 13th May 2016: These people are still operating but are now using “ceomail.mail@yandex.com” and were phishing for “What is our limit on same day transfers?”

And attempted to request a transfer of ~10,000 GBP to the following:

G Tarasiewicz Co.
Sort code: 30-90-88 (Lloyds Bank)
Account Number: 23838860

Today I was asked to investigate a suspicious e-mail that a client in the financial industry received this morning.

The recipient is currently out of office / on holiday. The supposed sender is in the office.

Here is the initial scam message purporting to be from one of the directors at the company.

On Monday, October 19, 2015, Adam REDACTED <Adam.REDACTED@REDACTED.co.uk> wrote:

Hi Scott,

I will need you to make a wire transfer for me today. What information will you need?

Adam

Sent from my iPhone

The out of office (victim) recipient then replied:

Sent: Monday, October 19, 2015 at 10:20 AM
From: “Scott REDACTED” <scott@REDACTED.co.uk>
To: “Adam REDACTED” <Adam.REDACTED@REDACTED.co.uk>
Subject: Re: Request for October 19, 2015

Hi Ad – is this you?

Let me know what you need.

S

It is just a quirk of the e-mail client that makes it look like the reply went to an address at the company domain. However, their normal e-mail format is firstname@domain.co.uk and _not_ the Firstname.Surname@domain.co.uk shown in the quote above.

Then came the reply from the scammer:

From: “Adam REDACTED” <Adam.REDACTED@REDACTED.co.uk>
Date: 19 October 2015 05:51:15 GMT-4
To: scott@REDACTED.co.uk
Subject: Re: Request for October 19, 2015
Reply-To: “Adam REDACTED” <ceoaccounts@email.com>

Hi S – yes, I started thinking you did not receive my email.

I need to make an urgent payment this morning, in the form of a wire transfer. Can you tell me what information you need to make this transfer?

Ad

Note that this time the e-mail shows a “Reply-To:” address off-domain. This is more what I would expect from a scam like this.

The details they want the payment sent to are the following:

Hi S – I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.

Details as follows:

Barclays Bank Plc

Account name: Milica Solutions
Account Number: 03865479
Sort code: 206412

Reference: REDACTED

Let me know when it’s done. Thanks

Ad

aka. Sort code: 20-64-12

It seems the e-mails were sent with a spoofed From address using a GoDaddy authenticated webmail session with the username “support@mainlineinteriordesign.com”.

Headers of the messages show that the IPs using the webmail account were:
82.3.214.69 “cpc29-rdng20-2-0-cust68.15-3.cable.virginm.net” a UK cable provider customer
82.10.239.46 “cpc64742-cmbg14-2-0-cust45.5-4.cable.virginm.net” a UK cable provider customer
78.129.173.184 (An IP address assigned to BCM Netco Solutions hosted at RapidSwitch in the UK)
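
The two header tells described in this post (a From address that claims the company domain but does not follow its firstname@ format, and a Reply-To that points off-domain) can be checked mechanically at the mail gateway or during triage. The Python below is an added example, not code from the original investigation; example.co.uk, the sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the scammer's reply quoted in the post;
# example.co.uk stands in for the redacted company domain.
SAMPLE = """\
From: "Adam Example" <Adam.Example@example.co.uk>
To: scott@example.co.uk
Subject: Re: Request for October 19, 2015
Reply-To: "Adam Example" <ceoaccounts@email.com>

I need to make an urgent payment this morning.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_headers(raw, org_domain, local_part_re):
    """Return a list of findings for one raw RFC 5322 message.

    org_domain    -- the organisation's own mail domain (assumption)
    local_part_re -- regex for its address naming convention (assumption)
    """
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    local, _, from_dom = from_addr.rpartition("@")
    from_dom = from_dom.lower()
    reply_dom = domain_of(msg.get("Reply-To"))
    # Replies would silently leave the sender's domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-off-domain:{reply_dom}")
    # From claims to be internal but breaks the internal naming scheme.
    if from_dom == org_domain and not re.fullmatch(local_part_re, local, re.I):
        findings.append(f"from-format-mismatch:{local}")
    return findings

if __name__ == "__main__":
    # firstname@ convention, as the post describes for this client
    for finding in check_headers(SAMPLE, "example.co.uk", r"[a-z]+"):
        print(finding)
```

The first scam message in the post carried no off-domain Reply-To, so only the format check would have fired on it; the second message trips both.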
