CEO CFO and other management caught up in scam emails to transfer funds using fake accounts

my-account-was-hacked-and-all-my-money-stolenScammers are reportedly claiming to be corporate CEOs in email scams designed to steal up to hundreds of thousands of dollars from targeted companies.

Sterling IT has had one of its clients be hit with this twice and we believe they phished the email addresses from their website.
The staff also had their titles with their email addresses making it very easy.

Stay Smart Online has received a report that scammers misrepresenting themselves as corporate CEOs are sending fake emails to the CFOs of targeted companies. These emails request that up to hundreds of thousands of dollars be transferred urgently from targeted businesses to apparently legitimate bank accounts held by third-party individuals. However, these bank accounts may have been established using the details of people who have been victims of identity theft.

The relatively sophisticated scam appears to be identical to, or a recurrence of, the ‘Business Email Compromise’ or ‘Wire Fraud’ scam that Stay Smart Online provided an Alert about in October 2014. Details of the 2014 scam were provided by CERT Australia. The FBI has published similar reports regarding the ‘Business Email Compromise’ scam.

Businesses are advised to be suspicious of unexpected, urgent demands for large sums of money by any person – including CEOs and other senior leaders. You should always verify these requests directly with the person involved, and follow all governance and due diligence processes.
CERT Australia provides the following advice:

  • Consider adding a second method of verification for large financial transfers, such as verbal verification between employees.
  • Alert employees to be vigilant with regard to these incidents, especially those conducting or authorising wire transfers or similar financial instruments.
  • Do not reply to the email.
  • Sender Policy Framework (SPF) checking should be implemented to detect and prevent sender address forgery.
  • Review network logs for evidence of the indicators provided in this Alert.
  • Configure mail servers and mail scanners to block and remove emails with the indicators provided in this Alert.
  • Report identified activity to CERT Australia.

If a company has been defrauded as a consequence of these emails, report the matter to local police for investigation and escalation as appropriate.

 

 

Source: staysmartonline.gov.au 

Netregistry Email Issues 28.9.2015

29.9.2015 09:15
Problem has reoccured and has been escalated to Netregistry again
( Service Status – currently showing all GREEN however it is a known issue as Sterling is not the first company to call it in)
https://status.netregistry.com.au/

28.9.2015 11:05
Problem rectified

28.9.2015 10:45
Netregistry is encountering email delivery issues.
People sending emails to your domain may get rejected and bounce.
Netregistry is currently looking into this.

 

Fake Email Warning : ISIS terrorist threat to Sydney comes in a legitimate looking email with malicious payload in attachment and/or link.

hackerFake Emails re ISIS threat
You are advised to be cautious about opening any emails you receive that refer to any ISIS threat.
New emails referring to ISIS terrorism activities carry a malicious attachment that can be used to infect your computer.

ACMA (“The Australian Communications and Media Authority”) is receiving a surge in reports of emails with the subject ‘ISIS attacks in Sydney?’. The emails request people to open an attached Word, RAR or other file by claiming the attachment includes an article naming the Sydney locations ISIS plans to attack in 2015.

Clicking on the attachment could result in malicious code being installed that allows an attacker to take control of your computer.

The email includes the contact details in an attempt to represent itself as a legitimate email. It is highly likely similar malicious emails are in circulation using references to high profile, terror-related events.

The full text of the malicious email is provided below:

Subject: ISIS attacks in sydney?
Body: ISIS has warned Australian Police today about new attacks in Sydney.
Attached the places in word file which ISIS planning to attack in Sydney this year 2015.
These terrorists have Australian Citizen why they attack us?
Read more in the detailed story in word file.
Please address any correspondence to:
[news address inserted here]
The switchboard number for [news] is:
[news phone number inserted here]
Telephone: [news phone number inserted here]
Email: [news email inserted here]

To stay safe, it is important that you do not click links in phishing emails or reply to the sender if you do not know them.
Source : Stay Smart Online , a Government initiative.

How to setup SMTP server to send email using Microsoft Office 365 Connector with Exchange Online

This article is for clients that have moved to the Microsoft Office 365 platform that needs to be able to SMTP from devices. Example of this is multi-function scanner/copier/printer device and using the scan-to-email capability.

The most common solution that is suggested by Microsoft and others is to use an internal Exchange Server to relay the mail or use an IIS server with SMTP service enabled to relay the mail. However because the client is going CLOUD, they would be decommissioning old servers. To install SMTP servers in the business is just another added cost.

The other option is to use the ISP SMTP server that the office is connected to.

The solution is described here will work with or without TLS encrypted connections and also supports either port 25 or port 587 and does not require any type of authentication.
In fact, no user accounts or additional licenses are required to make this work. This is good because many older devices/applications only support clear text across port 25.

The first step is to create a connector on the Exchange Server to allow for the connection by an unauthenticated user. This sounds like it is an open relay but we are going to take steps to allow this connection ONLY from known IP Addresses that should be allowed to use the connector. All other attempts will be denied as an unauthorized relay attempt.

Creating the Exchange Connector:

  • Log into the Microsoft Online Portal as a user that has Global Administrator access
  • Click on the Admin menu and then on Exchange to open the Exchange Admin Center.
  • Click on the Mail Flow category and click the Connectors sub menu.
  • Add an Inbound Connector
    • Give the connector a descriptive name
    • Set the Connector Type to On-premises
    • Set Connection Security to Opportunistic TLS
    • Set Domain Restrictions to Restrict domains by IP addresses
    • Add a single Sender domain and use an * wildcard character here to allow all.
    • Add the public IP addresses that you will allow to relay
    • Save the Connector
  • Enable the connector if it is not already.

The SMTP Server you use in your sending application/device is a little different but easy to locate. There are many ways to get this info, I am going to show you only one.

Finding the SMTP Server:

  • Go back to the O365 portal and click the Admin menu and click on Office 365
  • Click on the Domains category
  • Select your primary domain (or the domain you wish to use) and then click Manage DNS
  • Find the MX record and copy the Point To Address for that record.
    • The format will be in this format: -.mail.protection.outlook.com or I have also seen -.mail.eo.outlook.com. If your domain was “XXYYZZ.COM” then your MX record would look like this: XXYYZZ-COM.mail.protection.outlook.com as an example.

That value will be what you use as the SMTP Server when you define your outbound mail settings in the application/device you want to send relay email.

One additional setting you may want to enable on the Exchange Online Server which will prevent all of your relay email from going directly to the Junk Folder. This process will create a mail filtering rule which will bypass the filters altogether.

Creating Bypass Rule:

  • Go back to the Exchange Admin Console.
  • Click on the Mail Flow category and then the Rules sub menu.
  • Add a new Rule of type “Bypass Spam Filtering…”
    • Give the rule a good descriptive Name.
    • Set Apply this rule if… to “The sender is…” and add the email addresse(s) you will be using for sending relay email. Keep in mind this can be anything you want butit must match exactly, else this rule will not work.
    • Set Do the following… to “Set the spam confidence level (SCL to…” and then set the action to Bypass spam filtering.
    • The remaining options can be left as default.
    • Save the rule.
  • If you have multiple rules, you may want to adjust the order of this rule so it fires properly. I would suggest that you make it the first rule while you test things and then adjust all of your rules to accomdate the order in which you ultimately want to process the rules. Mail Flow in general is complex and I am not giving much detail in this walk through on how best to manipulate these features.

The final step of this process is to put it all together and make it work. Modify your SMTP settings for the Application/Device as follows:

  • SMTP Server: Set this to the MX data that we gathered from the above step “-.mail.protection.outlook.com”.
  • SMTP Port: 25 or 587
  • SMTP TLS: Enabled or Disabled (Enabled is recommended if it is an option)
  • SMTP Username: This can be anything you want as it is not used at all. Leave it blank if you can. If you do need to populate this info, use the email address of the FROM address you set in the Spam bypass filter above.
  • SMTP Password: This can be anything you want as it is not used at all. Leave it blank if you can.
  • SMTP TO: Set this email address of the recipient of the email message. Be aware, this does not have to be a user within the domain defined by the MX record or the SMTP Server above.
  • SMTP FROM: Use the email address you specified in the Bypass Spam Filtering rule. This MUST match exactly.

That should be all there is to make this work. Of course, the client side configuration will be different on every application/device you try to set up this way but I can say that I have made this work with a number of different MFP devices as well as Routers that send notifications. I have also made this work with Mozilla Thunderbird which is a good simple testing application. If you can make things work using Thunderbird, you should be able to translate the settings to any application/device and make it work as well.

WARNINGS:

  • The first thing you want to check for is to see if you can even use port 25 or not.
  • Not all applications/devices support anything but port 25. If you have one of these AND you have a port 25 port block ISP, you may need to take some fancier steps within the router to make this work. I have found that not all providers will turn off port 25 blocks and if they do, it is very common for the block to get turned back on randomly.
  • Microsoft frowns heavily on bulk email and will block your ability to send any email outbound if you use this to abuse their mail platform. Microsoft uses the phase” Reasonable Limits” when describing how many emails they will allow you to send using this technique so be reasonable… If the mail is being sent internally, you really should not have much issue but if you send a lot of email externally, then you might run into some limits problems.

 

 

Source : http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_15699-SMB-Office-365-Exchange-Online-SMTP-Relay.html

Forward or redirect problem on exchange 2007/2010 not working

When trying to do a redirect on a mailbox externally, it was not processing the email.
Internal was fine.

Apparently forwarding / redirects to external domain names is disabled by default in Exchange 2007 and 2010.

To change this setting, open the Exchange Management Console, and drill down to the Organization Configuration -> Hub Transport.  Under the Remote Domains tab, open the Default domain.

image

Then, on the format tab, check the “Allow automatic forward” box.

image

Alternatively, from the Exchange Management Shell (PowerShell rocks!), this will do the trick:

set-remotedomain -identity Default -AutoForwardEnabled $true