Update 13th May 2016: These people are still operating but are now using “email@example.com” and were phishing for “What is our limit on same day transfers?”
And attempted to request a transfer of ~10,000 GBP to the following:
G Tarasiewicz Co.
Sort code: 30-90-88 (Lloyds Bank)
Account Number: 23838860
Today I was asked to investigate a suspicious e-mail that a client in the financial industry received this morning.
The recipient is currently out of office / on holiday. The supposed sender is in the office.
Here is the initial scam message purporting to be from one of the directors at the company.
On Monday, October 19, 2015, Adam REDACTED <Adam.REDACTED@REDACTED.co.uk> wrote:
I will need you to make a wire transfer for me today. What information will you need?
Sent from my iPhone
The out of office (victim) recipient then replied:
Sent: Monday, October 19, 2015 at 10:20 AM
From: “Scott REDACTED” <scott@REDACTED.co.uk>
To: “Adam REDACTED” <Adam.REDACTED@REDACTED.co.uk>
Subject: Re: Request for October 19, 2015
Hi Ad – is this you?
Let me know what you need.
It is just a quirk of the e-mail client so it looks like the reply went to an address at the company domain. However their normal e-mail format is firstname.lastname@example.org and _not_ the Firstname.Surname@domain.co.uk as shown in the quote above.
Then came the reply from the scammer:
From: “Adam REDACTED” <Adam.REDACTED@REDACTED.co.uk>
Date: 19 October 2015 05:51:15 GMT-4
Subject:Re: Request for October 19, 2015
Reply-To: “Adam REDACTED” <email@example.com>
Hi S – yes, I started thinking you did not receive my email.
I need to make an urgent payment this morning, in the form of a wire transfer. Can you tell me what information you need to make this transfer?
Note that this time the e-mail shows a “Reply-To:” address off-domain. This is more what I would expect from a scam like this.
The details they want to payment sent to is the following:
Hi S – I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.
Details as follows:
Barclays Bank Plc
Account name: Milica Solutions
Account Number: 03865479
Sort code: 206412
Let me know when it’s done. Thanks
aka. Sort code: 20-64-12
It seems the e-mails were sent with a spoofed from address using a GoDaddy authenticated webmail session with he username “firstname.lastname@example.org”.
Headers of the messages show that the IPs using the webmail account were:
22.214.171.124 “cpc29-rdng20-2-0-cust68.15-3.cable.virginm.net” a UK cable provider customer
126.96.36.199 “cpc64742-cmbg14-2-0-cust45.5-4.cable.virginm.net” a UK cable provider customer
188.8.131.52 (An IP address assigned to BCM Netco Solutions hosted at RapidSwitch in the UK)