There is a big difference between webmail and email client security.
The underlying issue is that if you have an email account with an email service provider, you probably have a webmail interface available even if you do not use it. Even on-premise private servers can provide a webmail service.
Whereas many, many email users have a desktop or device-based email client that they use to connect to the email account, and they ignore the webmail interface.
The problem is that if the webmail access is compromised, a scammer can do a lot of stuff there that will not appear in the desktop email software. Essentially, it is a back door to your email account.
Do Not Ignore Webmail
If you are getting some weird emails, or missing emails you should be getting, it may be that your
Webmail Account has been hacked!
A big scary headline, but it is more frequent than you might think or hope.
This article stems from a recent examination of a series of scam / phishing emails that were sent to a WrenMaxwell client.
The emails appeared to be correct, from the right people, and containing a lot of legitimate information, except that they asked the recipient to update the bank account details for the payment.
Here is some information which applies to all emails you receive, and while the specifics relate to Bigpond email account holders, this could equally apply to any webmail based server, as the process is very similar on all webmail.
Some rules to consider are included as well, here is the first one.
Rule #1. Never accept a request to change the bank account details for your outbound payments unless you have verified it in person or on a call with the business or individual concerned. For good measure do not use phone numbers that are provided in the same email, they are probably altered as well.
Ok, so the background on this is that the client received an email from another client of WrenMaxwell, and between them they had a phone call to confirm the bank account change. This was very fortunate, as the email had been compromised.
I’d note here that if you receive an email asking for you to change to an AMP bank account, it should be an automatic alarm for you. These emails included 2 different AMP bank accounts. I have tried to report them to AMP, but frankly, they are not interested in knowing that their accounts are being used for scamming. But I digress.
Overview of a Webmail Scam
Let's get back on track. What's the technical summary?
- Bigpond accounts are compromised for access via webmail, i.e. the password is identified through a brute force attack, most likely using a dictionary of passwords. There is history that lends itself to this. Yes, 3 Bigpond accounts were involved in this specific case, and I will assume a lot more are also hacked or at risk of being hacked.
- Each account has the feature to create folders to store email. Adding a folder in webmail will not necessarily display the folder in the desktop mail client. This means it will effectively be a hidden folder for the scammer to use.
- As well, each account has a setting option under Settings->Mail->Organise Inbox to allow for server-based rules to be configured. The hacked accounts all had rules added by the scammer to divert any inbound email with the words ‘invoice’ or ‘statement’ from the inbox to the folder created in the previous step. The end user of the account is generally oblivious to this activity, as their client software, like Outlook on the desktop, does not see the rules and may not show the folder. So the user does not know.
- The scammer reviews inbound email until they find an invoice or statement email from a legit sender, like a supplier or someone the user is ordering from. The scammer copies the email information in its entirety, loads it up in another hacked account, modifies the content so that the sender name is spoofed to look like the legit sender, and changes the content to add ‘Please update our bank account details to BNO Bank xxxxx-1234565’ etc.
- If the user is not suspicious, they will add the new bank account details for payment of the expected invoice and send the money. Final step, the scammer drains the illicit account in some way, moving the money so that it cannot be reclaimed. Job done.
Understanding a Webmail Scam Step by Step
Ok, so there are a number of steps, but there is nothing really complex here. Let's look at each of the steps in turn.
Step 1. Webmail Password Compromise
Bigpond email is of course part of Telstra, Australia’s largest communications service provider. Love ’em or hate ’em, that’s a fact. The issue is that they have been around for a long, long time, and if you look back in time, there are millions of email accounts that have been registered with them.
How many are still current I do not know, but I’ll use the highly technical measure of umpteen. Now, with all those accounts, there will be many that have very weak passwords. This is a literal gold mine for scammers. If they can, with various techniques, attack enough accounts for long enough, they will gain access.
An added bonus for the scammer is that for many years the Bigpond account passwords were restricted to a maximum of 8 characters and only alpha-numerics, no symbols. This makes for very weak passwords.
On top of that, many users have done ‘set and forget’ with the account, on the basis that as long as Outlook, or their preferred email software, connects then it’s all good.
There are also many Bigpond email accounts that exist because an account is included and created for every customer with a Bigpond modem or internet connection. However, many of these accounts are never used, as the customer has a work or other email service that does not rely on Bigpond. These accounts are the ones that will never be checked and can be used by scammers for years undetected.
Rule #2. Change your password, regularly. Use a Passphrase and not just a password. You will need to update the password in Outlook or on your phone / device after making the change in webmail.
The use of multiple accounts that have been compromised helps to hide the source of the compromise. I think it might also help to use a Bigpond account to send the scammy email to another Bigpond account, as any external email filter is bypassed. Not sure on that one, just guessing.
Step 2. Are You Missing Emails You Should Receive?
With the account password compromised, the scammer can now access the account and create a folder or folder-structure to manage incoming emails for their needs.
They can add a folder in the webmail Folders section. In this instance, the scammer created a ‘Stored Items’ folder with ‘Creative’ as a sub-folder, confident that the user would not notice it.
The Creative folder looks so innocent!
The goal for the scammer is to redirect emails from the inbox to these obscured folders so that they can review and learn about the emails the user would normally receive. With the account readily accessible, they can check in at any time to see what emails have been received, what’s in ‘their’ folder, and what looks good for scam material.
Rule #3. Regularly review your email folders and subscribe to all IMAP folders so that you can see what is on the server and not just the folders on your device.
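One way to act on Rule #3 from a script rather than by eye: the IMAP LIST command returns every folder on the server, while LSUB returns only the folders a client is subscribed to, so the difference is the set of folders a desktop client may never show. This is an added example, not code from the post or from Bigpond; the sample LIST/LSUB responses are constructed to mirror the ‘Stored Items/Creative’ case above, and audit_account is a hypothetical helper that needs real IMAPS credentials.

```python
import imaplib
import re
import ssl

# imaplib returns LIST/LSUB lines such as: b'(\\HasNoChildren) "/" "INBOX"'
_LIST_RE = re.compile(rb'^\((?P<flags>[^)]*)\) "(?P<delim>[^"]*)" (?P<name>"?[^"]+"?)$')


def parse_folder_lines(lines):
    """Turn raw IMAP LIST/LSUB response lines into a set of folder names."""
    names = set()
    for line in lines:
        if not isinstance(line, bytes):  # imaplib may return None or literal tuples
            continue
        m = _LIST_RE.match(line.strip())
        if m:
            names.add(m.group("name").decode().strip('"'))
    return names


def hidden_folders(listed_lines, subscribed_lines):
    """Folders that exist on the server but the mail client is not subscribed to."""
    return sorted(parse_folder_lines(listed_lines) - parse_folder_lines(subscribed_lines))


def audit_account(host, user, password):
    """Hypothetical helper: log in over IMAPS and report unsubscribed folders."""
    with imaplib.IMAP4_SSL(host, ssl_context=ssl.create_default_context()) as conn:
        conn.login(user, password)
        _, listed = conn.list()       # every folder on the server
        _, subscribed = conn.lsub()   # only the folders the client shows
        return hidden_folders(listed, subscribed)


# Constructed sample responses mirroring the case in the post: the scammer added
# 'Stored Items' with a 'Creative' sub-folder that the desktop client never saw.
SAMPLE_LIST = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\HasNoChildren) "/" "Sent"',
    b'(\\HasChildren) "/" "Stored Items"',
    b'(\\HasNoChildren) "/" "Stored Items/Creative"',
]
SAMPLE_LSUB = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\HasNoChildren) "/" "Sent"',
]

if __name__ == "__main__":
    for name in hidden_folders(SAMPLE_LIST, SAMPLE_LSUB):
        print("on server but not subscribed in client:", name)
```

Any folder the script reports that you did not create yourself is worth opening in webmail, together with the rules that feed it.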
Step 3. Email Rules On the Server
Server-based rules are only visible if the user logs into the webmail account. They do not appear in desktop or device email software, and the affected emails are processed on the server before they can be processed by the desktop or device software.
Using the “Organise Inbox” option to set up rules that manage the email that may provide the scammer with relevant information is all too easy. Bigpond call it “Organise Inbox”, while others may refer to “Mail Rules” or similar.
Using a desktop client like Outlook means that webmail is rarely used, so the scammer has it all to themselves. Even if the user does drop by and have a look, the scammer does not give the rules names, so they just show as a blank list and may well be ignored.
Selecting any of the rows with a tick symbol and selecting Edit will show the content of the inbox rule, which will look something like this: no name, but Active ticked. If the Subject line of an incoming email contains the letters ‘Inv’, the email will be caught and stored in the ‘My Folders -> Stored Items – Creative’ folder.
You should also check Email Forwarders or Mail Forwarding options as these can be configured to automatically send copies of your legitimate email to a scammer so they can identify other potential attack points.
Rule #4. Regularly login to your Webmail and review all the settings. Look for folders you did not create and automation rules that could be signs of scamming activity.
Step 4. Webmail Access by Scammer
The scammer can then drop by at any time to check what incoming emails have been caught, and potentially exploit the factual content to create a new email, which they send from another hacked account to the user, with the request for new bank account details wrapped in content that is otherwise accurate.
These emails look legitimate because they are based on a legitimate email with all the same information, with some minor exceptions:
- The email sender address shows as the legitimate sender’s address, but it is actually from another account
- The phone numbers may be changed to redirect your calls to the scammer
- The links in the email may redirect your web browser to a scamming website which looks correct but is not
- Requests to change the bank account might be added to the email content
At this point you could receive a compromised email and could end up sending money to the wrong bank account. Refer to Rule #1.
Step 5. Scamming or Phishing Emails
Hopefully Step 5 never occurs as you are monitoring what goes on.
But just some quick pointers on spotting scammy emails. These are general ideas and not specific to the instance above which was all about social engineering with ‘change the bank account’.
With most systems you can right-click with your mouse to ‘inspect’ website links and email links and view the hidden actual address behind the text. If the right-click information is different from the text presented in the email, it is most likely a scam.
When checking website links, always look for the first ‘/’ character after the https:// bit and read backwards from there to check the actual server host and domain name. e.g. https://www.wrenmaxwell.com.au/ is the domain for WrenMaxwell, ‘wrenmaxwell.com.au’, while the host or server name is ‘www’. What some scammers will try to do may look like this:
Which kind of looks ok, except that everything to the right of the first ‘/’ is faked and managed on the scammer’s server at https://unrelated.website.com/. Be wary of hotlinks in emails. A website link like the above says that the owner of https://unrelated.website.com has had their site compromised with a phishing site. Stay away.
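The two checks above, the right-click comparison of link text against the real address and the ‘read back from the first /’ rule for the host, can be applied to an HTML email body with a short script. This is an added example, not code from the post; the email body is constructed, and it reuses the post’s own names (wrenmaxwell.com.au as the trusted domain, unrelated.website.com as the scammer’s server).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def real_host(url):
    """The server that really serves the link: the text between '://' and the first '/'."""
    return (urlsplit(url).hostname or "").lower()

def host_matches(host, trusted_domain):
    """True only if host is the trusted domain itself or a sub-host of it (e.g. 'www')."""
    trusted_domain = trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html, trusted_domain):
    """Links that mention the trusted domain (visible text or URL path) but are served elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = real_host(href)
        if trusted_domain.lower() in (text + href).lower() and not host_matches(host, trusted_domain):
            findings.append((text, href, host))
    return findings

# Constructed sample: the first link hides the real server by putting the trusted
# domain to the right of the first '/'; the third is just an ordinary external link.
SAMPLE_HTML = """<p>Pay your invoice at
<a href="https://unrelated.website.com/www.wrenmaxwell.com.au/pay">https://www.wrenmaxwell.com.au/pay</a>
or visit <a href="https://www.wrenmaxwell.com.au/">our website</a>.
Need help? See <a href="https://unrelated.website.com/help">the help page</a>.</p>"""

if __name__ == "__main__":
    for text, href, host in deceptive_links(SAMPLE_HTML, "wrenmaxwell.com.au"):
        print(f"shown as {text!r} but served by {host}: {href}")
```

Only the first link is reported: it displays the WrenMaxwell address but is served by unrelated.website.com, which is exactly the pattern the paragraph above describes.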
The same goes for files attached to emails. .PDF documents may look innocent, and a subject line of Overdue Invoice may imply you need to open the PDF to see who and what you owe, but the file can include malware that will get into your system and create havoc with your data in many different ways.
How can you tell if the sender’s email is correct? You need to check the email source content or email headers for valid information. This may require some technical knowledge of your email system and where to look for that information. There are too many options to cover, and they are beyond the scope of this post. If you have concerns and need some help, contact the team at WrenMaxwell.
Rule #5. One final general rule. Never send both the user account details and the password in the same email. Always separate the user name and password via different systems: email the username and SMS/TXT the password, or make an old-fashioned phone call to the recipient to provide the password verbally. At the same time, be sure you are providing access only to someone you know and have trusted for some time.
Webmail Security Review and Cleaning
The clean up and testing of security on the client systems took about a day. Tracing the emails within the relevant Bigpond accounts, and reporting same to Bigpond, got a very good, quick and thorough response from Bigpond security, thanks to Scott.
A key issue is that the hacking of the account occurred with minimal visibility for the client. It was only after the emails had been compromised that the issue was identified. Given that the scammer could read ALL the email in the account, the next steps include updating passwords for any other system that was referenced in the emails. The issue is that emails commonly contain user account and password details which could be easily viewed and copied.
Webmail Security Checklist
The primary purpose of this post was to document the check points to monitor webmail. Having covered a lot of peripheral topics, here are the core items you should check:
- If you have an email account, anywhere, then it most likely provides a webmail interface that you can access from any web browser.
- Login to that webmail interface on a regular basis just to check the settings. Put it in your diary; it should only take 5 minutes each time.
- Change your email Passphrase on a regular basis and do not use simple passwords.
- Check all the settings options for anything that you have not specifically created: Folders, Rules and Forwarders in particular.
- Remember that settings in the webmail are not directly visible in Outlook or your desktop/device email software.
I hope this helps someone to avoid an email scam and make their webmail a safer and more secure system.
If you would like some help with understanding or fixing a security issue with your system feel free to contact WrenMaxwell Support at any time.