48 comments

  1. This is a very interesting article and one I will be happy to share.
    I work with a company that offers identity theft protection plans, and we do offer the ability to monitor an individual’s online email and web presence.
    This article creates a curiosity as to whether our plans would be helpful for the individual, or whether it would have been necessary for the company “First National Title” to have an email monitoring plan. I’m not aware if our company offers plans on the corporate level. However, I did want to thank you for sharing this information, as it might open a whole new area for us.

    • Security should be increased; this social engineering technique has been doing harm for a long time, and it’s time to introduce some countermeasure. Two-step is good but not excellent!

  2. Could you please elaborate on how two factor authentication would have protected the recipients from this kind of phishing?

    • Another piece of information would be required instead of just a username and password. For example, let’s say I have your email address and I guess your (presumably) weak password for your Web email account not using 2FA (two-factor authentication). I’m at my home and I now can control your email. I login as you and impersonate you. I can intercept your emails, etc. With 2FA, I would also need to have not only your username and password, but also a pin/code, usually sent via text to your phone. Without that, I can’t access your account (unless of course, I also have your phone). Here is an example using Google: https://support.google.com/accounts/answer/180744?hl=en

    • It wouldn’t have protected them, if the sender is the one hacked. Krebs’ article doesn’t state which side gets hacked, just that it gets intercepted.

      If it is the client that gets intercepted that is easy to explain. Hackers delete real email and send fake, but real looking, replacement.

      But then how does the hacker know what client account to hack? Seems you have to hack the right account at the right time, and be *very* lucky as a hacker.

      Although I understood that is not the case here, it seems more effective to hack the sender. Those sender accounts (which aren’t Hotmail or Gmail but business accounts) typically don’t use 2-factor. In fact that kind of email is often semi-automatically generated, from a server.

      So that begs the main question, are we really talking about client-hacks? Seems they got really ‘lucky’ then, *unless* they somehow knew the victim was about to buy a house. In that case, that side of the story seems to be the real news-angle …

  3. Digitally signed emails would also help in this arena…

    • Hmmm, I am not using digital signatures anymore. Even in the last century emails were deep scanned by our company firewall which broke the signature. I got used to the broken signatures. Never used it anymore…

  4. DMARC is another way these email phishing schemes could be prevented. It should be mandatory for any financial institution to be using DMARC. If we can’t make it mandatory legally, then we should be shaming non DMARC-compliant financial institutions into adopting it, or at the very least making it difficult for them to continue to do business.
    AFAICT, not a single one of my financial services uses DMARC yet.

    • BTW, if I’m about to wire an amount of money sizable enough to buy a house, I expect to (also) get a postmarked notice in writing, not just an email …

      But of course I understand it is easy to miss if just the numbers are different, and you copy-paste the numbers from email to your bank website …
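What DMARC compliance in comment 4 actually buys a receiver depends on the tags in the published record, so here is an added example (not code from the original thread) that parses constructed `_dmarc.<domain>` TXT records, grades how much protection each gives against mail that puts the institution's domain in `From:`, and computes the disposition a receiver would apply given which domain SPF or DKIM actually authenticated. The domains and records are invented; `org_domain` is a deliberate simplification that takes the last two labels, where real validators use the public suffix list.

```python
from typing import Dict, Tuple

# Constructed DMARC TXT records (as published at _dmarc.<domain>); none of these domains are real.
RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; adkim=r; aspf=r",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (unknown tags are kept, empty parts skipped)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels. Real checkers consult the public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organisational domain."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return org_domain(header_from) == org_domain(authenticated)


def dmarc_disposition(record: str, header_from: str, spf_domain: str = "", dkim_domain: str = "") -> str:
    """'pass' if an authenticated identifier aligns with From:, otherwise the policy the receiver should apply."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "no-policy"  # no record: the receiver has nothing to enforce
    spf_ok = bool(spf_domain) and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim_domain) and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def assess_policy(record: str) -> Tuple[str, str]:
    """Grade the protection a record gives against look-alike mail that uses the domain in From:."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "no DMARC record: receivers apply no policy to spoofed mail")
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return ("weak", "p=none only asks for reports; spoofed mail is still delivered")
    if pct < 100:
        return ("partial", f"p={policy} is applied to only {pct}% of failing mail")
    if tags.get("sp", policy) == "none":
        return ("partial", "subdomains fall back to p=none")
    return ("strong", f"p={policy} applied to all failing mail")


if __name__ == "__main__":
    for domain, record in RECORDS.items():
        grade, why = assess_policy(record)
        print(f"{domain}: {grade} ({why})")
    # Look-alike mail: From: claims strict.example but SPF only authenticated another domain.
    print(dmarc_disposition(RECORDS["strict.example"], "strict.example", spf_domain="bulk-sender.example"))
```

The `monitor-only.example` record is the common first step: it is technically "using DMARC", but with `p=none` a receiver delivers the forged message and merely sends a report, which is the distinction the comment's "DMARC-compliant" should be read with.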

  5. Yeah, digitally signed emails are the solution here. This is something that’s long overdue. The tech is available, but implementation isn’t easy, and users would have to be trained. Key management is probably one of the biggest obstacles to it. I would love to see a serious effort to mainstream digital signatures for all emails. Think of the tools that anti-spam software could then use.

  6. TheOreganoRouter.onion.it

    Interesting article

  7. I do agree that having digitally signed email would help.
    As well as the 2FA.

    But what if we just didn’t use email to gather such sensitive data like Wire Instruction Information??

    I believe a rigid, strict workflow in the Title Agency’s Office should be in place to get sensitive information.
    The home buyer should be aware of this in the beginning after they sign the Sales Agreement.

  8. If I’m understanding this correctly, the victims receive an email from a fake title company, and that email is coming from a gmail, yahoo, msn, aol, etc. domain and not a company name domain; that in itself should be enough of a flag to ignore it. Now if it’s spoofing the domain and address of an official lender, the link addresses alone should be enough of a warning. People need to learn how to better use the security system that’s installed on their shoulders more and not purchase some 3rd party application to guess for them.

    • No, the hackers have intercepted the victim’s emails (see first sentence of article). We see this all the time where I work. Some client’s email gets hacked and the attacker now controls the email account and email conversations. The hacker, who now has access to the email conversation between the home buyer and title agency, inserts his own bank account information into the email (replaces the real account information with his own).

      • Thanks for the clarification Michelle. It still leaves me to wonder why transactions like this are left to email instead of a call. I’d view emails as a terribly informal way to handle transactions of 5+ figure payments. Then again I’m sure that would lead to phone spoofing. I’ve never seen an example of this and am actually a bit curious on the frequency and if there are any triggers that can be recognized when looking at these interceptions.

        • I don’t know for other states/agencies, but in our office, 99% of all closings do not require Wiring Instruction Information from buyers or sellers.

          All the proceeds from the closing are checks.
          Any wiring, to pay off loans, etc., is lenders providing us the information when we request the payoff.
          This information is provided in many ways depending on the lender, but never in an insecure email or over the phone.

        • Yeah, I agree as to why that information would be in an email in the first place unless I’m misunderstanding how the fraud is taking place. Where I work, we use a DLP (Data Loss Prevention) type tool to look for certain key words or phrases in emails that tend to signal a fraudulent email has been exchanged. Many times we are able to tell that a client’s email has been hacked and someone in the company is now conversing with the hacker instead of the client. In those cases, we call the individuals within our company to let them know to immediately stop emailing and call the client to let them know their email account has been hacked.

        • First, not all countries really have checks. The first property I purchased was in a country that didn’t.

          Second, while it was really exciting for me to bicycle uphill for half an hour to hand deliver a cashier’s cheque for a down payment, it also meant that I risked missing my deadline. The penalties for missing a deadline when buying a property can be severe (loss of a down payment, missed opportunity to purchase).

          As for email instead of phone…
          Transcription errors are easy to make.
          I’ve personally accidentally messed up wire instructions for money crossing the Atlantic. Thankfully, my error resulted in the funds being returned, but that isn’t guaranteed (and might even be uncommon).

          Personally, the European security I dealt with was mostly bad theater. I’d prefer to deal with real people and real checks (I’m an American; some cheques I deal with have their own opinions about spelling). But if you aren’t physically in the right city, state / province, country, continent, or hemisphere, then you will have to use some electronic communication method. You might be able to designate a proxy, but only if you know and really trust people.

          Oh, international calling – that can be both expensive and painful – especially when business hours and time zones get in the way.

          I’ve actually done all of the above…

        • These types of transactions get handled by e-mail in the name of customer service. Customers ask for them that way. The average people involved in the transaction are not as security conscious as the people reading this forum. The more security minded ask that the e-mails be encrypted, and some institutions do so. The even more security minded prefer to handle it by phone.

          But e-mail is quick, so people like it.

      • Michelle, maybe I’m misunderstanding what you mean by “client”. The alert says:

        “The messages were actually emails that were intercepted by hackers who then altered the account information in the emails to cause the purchasers’/borrowers’ funds to be sent to the hacker’s own account.”

        This means that the title insurance company’s email account was hacked. So, the buyer got an email from someone appearing to represent the title company and then wired funds to the account indicated in that email. Obviously, this could also happen in reverse on the seller’s side – someone hacks the seller’s email account and emails fake wire instructions to the title company…..

    • Would be especially easy if the traffic isn’t encrypted or malware is on the machine sending the emails out – they could basically snoop and swap at the network level with various tools.

  9. This may be one of the reasons real estate is adopting Bitcoin so far in advance of many other industries. Bitcoin has its security issues as well, but they’re relatively simple to avoid using a little common sense. If you can keep your wallet safe from thieves and avoid dodgy exchanges, the transfer of money in Bitcoin is very secure, direct from wallet to wallet, plus it’s practically free. It’s a lot to learn, but the economy and security obviously appeal to the real estate companies who’ve been forward looking enough to overcome all the barriers.

    • I really would love to know what areas of the country are actually using them. I have to travel over a hundred miles to use Bitcoins in any meaningful way. There are a couple of places in sketchy parts of town that will exchange money for Bitcoins, but that’s it until I cross a couple of state borders.

      • While the in-store, in-person Bitcoin market is very slowly developing, most people transact and trade Bitcoin online. Bitcoin was born on the internet, and it may get a more substantial toehold on the ground eventually, but it will be as a secondary development. (This post is about fraudulent wire transfer requests though, and I don’t want to derail it into a discussion about Bitcoin. But it seemed worthwhile to raise it as a new possible means of avoiding this kind of fraud that some people are already taking advantage of.)

    • Oh, please. While Bitcoin offers a slight bit of protection in this particular case, it’s like having a locked glove box in a car with its keys left in the ignition. The lock doesn’t do much good if the entire infrastructure is ripe for the stealing and disappears.

      • Yep, Bitcoin has no way to force a refund; it would be pretty easy to also give a fake address for that, and it is even less traceable than if it went through a bank account or credit cards.

    • Citation needed.

      Anecdotally, I used PayPal to move funds across borders to pay for my first property. Even that tripped up a transfer limit.

      People trying to actually buy an entire property using Bitcoin should run afoul of anti money laundering laws very quickly.

  10. Why would anybody accept instructions to send money anywhere except from a known, trusted and *verified* source?

    Known and trusted means contact either in-person, phone, video Skype, etc. and then verify with the bank the ABA and account number for any transaction. It means looking up bank phone numbers yourself and not trusting anything you have not verified yourself.

    • People are naïve and trusting. Yes, you should verify ABA numbers out of band, but…

      Banks post their information on non-https servers and if you visit such a site, a MITM attack could trivially rewrite what you see.

      Of course, if your computer is compromised, even https:// save you.

      Brian: I haven’t heard much about investment accounts, retirement accounts, and life insurance being emptied. When you update the value of a person, please include a note about them too.

  11. Err … even https:// *won’t* save you.

  12. Continuous reading of Brian’s blog gave me the understanding that living with information stored digitally is a dangerous adventure and not good at all. All fraud types – loan, tax return, credit and debit card fraud, and all in many billions – it looks like the overall reason for the majority of fraud is the United States itself, as it apparently has an unsustainable payment network and all the world has penetrable digital security. Scary though.

  13. Intercepted as in criminals logged in to the recipient’s e-mail account, deleted the original and sent their own?

    • Brian Krebs does not state, and to be fair that is because the press release isn’t clear either. Brian seems to suggest it is the client-side.

      However, reading the wording from the actual press release, it *may* also be the other side. That may actually make more sense, as how can a criminal know who to target, happen to be lucky enough to catch the client email address and be there at the right time…

      Of course it could also be that the NAD, who issued the press release, does not know for sure yet, and decided to make the right call to at least already warn its members ASAP.

    • Probably something more like Ettercap that could see and replace it in the packet instead..

  14. Thanks for the tip about DMARC. Had not heard of that one.

  15. Just a word on how it works somewhere else, for instance in France

    There is a state-run service called conservation des hypothèques that tracks who owns what real estate. When purchasing a house, seller and buyer deal with a professional called a notaire, whose job is to certify everything is fine (the seller is the owner…) and to have the hypothèques records updated.

    Transferring funds usually works this way: the buyer asks their bank for a bank check, which is really a check signed by the bank after the bank has removed the funds from the buyer’s account. The notaire will transfer it to the seller after doing the hypothèque paperwork. The notaire is responsible with their own funds if something goes wrong.

    The only place where something can go wrong is if the notaire decides to flee abroad with the funds, but that is not a very common situation.

  16. This story is pure FUD.

    An attacker has to get access to email AND notice that a real estate transaction is happening AND have the person use wire rather than check AND get the transaction number from email rather than fax or letter.

    What then? Transfers in the US are reversible. Title companies and home buyers tend to be pretty twitchy and keep monitoring if the money has been received (the property isn’t in contract and is still for sale until it has).

    Is there a single verifiable fact in the story? Krebs says that First Title says that it has been notified that this has reportedly been happening.

    You can never have too much FUD. Shame on you for spreading this kind of garbage Krebs. Shame on you.

  17. Title companies, in my past experience, have little or no idea that it is a good idea to secure their email transactions. The last time I refinanced my home my entire loan documentation package was sent via email in the clear to a national Title company by a Fortune 100 bank. After not so gently calling the bank on this, I called the Title company to ask them how it was that they accepted unencrypted transmissions, why wasn’t every customer transaction protected since almost all of them contained sensitive information. What the VP told me is they did not use encryption and that they always received loan information “every day of the week this way,” i.e. unencrypted. Her tone of voice told me that she either didn’t understand why that is a problem or didn’t care. So when you do a loan with a Title company, you might want to first find out what kind of info security measures they have in place to secure your data and whether they will guarantee that all transmissions related to your data will be encrypted using strong encryption.

    • Digital Aszz Poking

      damn. this is what you find everywhere where people blissfully have no clue about their digital insecurity where they are really digital virgins who are ripe to be poked. they’ll say never happen to us before and we have been doing it this way for years. blah blah blah. then they’ll get hit with a hack of some sort that rips into the monetary treasures to be found in their digitally exposed aszzes.

  18. Yes, I agree it sounds like FUD, but it’s most probably true.
    Whoever is too “clever” to transfer information about an escrow account for a real estate property transaction via the internet is likely to get scammed. The problem lies in the behaviour of these mugus. And as we know, the perpetrators are likely to be tracked.
    Here in Europe this sort of scam is highly unlikely to happen. I don’t think any “protection” or business model is going to prevent these man-in-the-middle attacks, as long as such transactions are not done on the classical basis: face to face and in person. Here such transactions need a notary, and one can always make a phone call to him to verify the escrow account before transferring large amounts of money. And I do the transfer in the bank office, not based on an email or even via online banking!!!
    How stupid can you get???
    Here we have a saying: the mother of the idiot is always pregnant :-)

    • Large amounts of money? No. From what I read the transfers that were hijacked were earnest money. I’m not sure what’s used these days, but over 10 years ago I paid $200 in earnest money for a house.

      FUD is probably not that answer either because it’s possible that the compromise happened on the title company’s computer so all the hacker has to do is modify the email being sent to the buyer by adding a different account and routing number. Now the email is from the right domain and the right person but contains bad info. I can see that happening very easily.

      A quick search on earnest money got a hit on realtor.com which indicates that earnest money is 1-3% of the purchase price ($1,500 to $4,500 on a 150k home), so it is not the price of the home itself, just the deposit, but any money stolen is still a crime.

  19. Why are such important transactions being handled over email in the first place? That seems terribly sensitive to all kinds of issues, including messages not arriving at all.

    All the times when I have bought a home, it has been handled in-person at the estate agent. Funds transfers might well be done using Internet bank access, but the target account information was part of the paper setup.

    Or, just send the document through regular mail. Also theoretically interceptable and falsifiable, but at much higher cost.

    Finally, when I do payments online, the various payment account numbers (bankgiro, postgiro in Sweden) auto-resolve online so that I can see whom I am sending this to.

    Looks like quite a few mistakes need to be made in the system setup to enable this.

  20. Write a check and hand deliver it to the attorneys office handling the transaction.

  21. The press release referred to hacks similar to the one affecting realtors earlier. I did a search and found http://kansasrealtor.com/scam-be-careful-with-your-clients-wiring-instructions/

    In that version the attacker accessed the realtor’s Gmail account, grabbed details from it and sent an email with the same sender and formatting as the mark expected.

    Given that description it still could just be a forged email, as most people don’t check message path headers. Also it would explain why 2-factor is a reasonable solution.
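The checks that the DLP comment under item 8 and comment 21 point at (path and sender headers that most people never look at, and wire-instruction wording in the body), as an added example rather than anything from the original thread or from any vendor's DLP product: a Python script that runs a few defender-side checks over a constructed message and decides whether to hold it and phone the client. The message, domains, addresses, routing and account numbers are all made up; the keyword patterns and the hold policy are this example's own choices, not a published rule set.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed message: the sending domain does not match From:, Reply-To points elsewhere,
# and the receiving server's own Authentication-Results header recorded a DMARC failure.
SAMPLE_EMAIL = """\
Return-Path: <bounce@bulk-relay.example.net>
Received: from bulk-relay.example.net (bulk-relay.example.net [203.0.113.10])
\tby mx.example.org with ESMTP; Tue, 10 Mar 2015 10:12:44 -0400
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-relay.example.net;
\tdkim=none; dmarc=fail header.from=title-agency.example
From: "Closing Department" <closing@title-agency.example>
Reply-To: closing.docs@free-webmail.example
To: buyer@example.org
Subject: UPDATED wiring instructions for your closing

Our bank details have changed. Please use routing number 000000000 and
account number 111111111 for the wire before 3pm today.
"""

# Wording that signals payment instructions are being given or altered (example's own list).
WIRE_PATTERNS = [
    r"\bwir(e|ing) instructions?\b",
    r"\brouting number\b",
    r"\baccount number\b",
    r"\b(updated|changed|new) (bank|account|wiring)\b",
]
URGENCY_PATTERNS = [r"\btoday\b", r"\bimmediately\b", r"\bbefore \d"]


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address field, lower-cased; empty string if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def header_findings(msg: Message) -> List[str]:
    """Sender-consistency checks: envelope sender, Reply-To and the receiver's DMARC verdict vs From:."""
    findings = []
    from_domain = domain_of(msg.get("From"))
    path_domain = domain_of(msg.get("Return-Path"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if path_domain and path_domain != from_domain:
        findings.append(f"return-path domain {path_domain} differs from From domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from From domain {from_domain}")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if re.search(r"\bdmarc=fail\b", auth):
        findings.append("receiver recorded dmarc=fail for the From domain")
    return findings


def body_findings(msg: Message) -> List[str]:
    """Content checks: wire-instruction wording, and that wording combined with urgency."""
    payload = msg.get_payload(decode=True) or b""  # None for multipart; treated as empty here
    text = (msg.get("Subject", "") + "\n" + payload.decode(errors="replace")).lower()
    findings = []
    hits = [p for p in WIRE_PATTERNS if re.search(p, text)]
    if hits:
        findings.append(f"wire-instruction wording: {len(hits)} pattern(s) matched")
    if hits and any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("wire-instruction wording combined with urgency language")
    return findings


def triage(raw: str) -> Dict[str, object]:
    """Hold policy for the demo: wire wording plus any sender inconsistency means stop emailing and call the client."""
    msg = message_from_string(raw)
    findings = header_findings(msg) + body_findings(msg)
    sender_issue = any(f.startswith(("return-path", "reply-to", "receiver")) for f in findings)
    wire_wording = any(f.startswith("wire-instruction") for f in findings)
    return {"hold_and_call": sender_issue and wire_wording, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for finding in result["findings"]:
        print("-", finding)
    print("hold and call the client:", result["hold_and_call"])
```

The header checks only catch the case where the forged message comes from somewhere other than the real sender's mail system; when the sender's own account is the one that was taken over, as several comments above point out, every header is genuine and only the body checks and the out-of-band phone call remain.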

  22. Any idea if the banking details they are swapping the legit ones out for are also based in the U.S. or overseas?

  23. 1. To the person suggesting that I phone customer with wire instructions–no way. The likelihood of an error is too great. Plus, how do I establish that I gave customer the correct information. We have a clear policy to never give wire instructions by phone and to never receive wire instructions for a seller by phone.

    99% of the time we are transmitting our wire instructions by email. Once or twice a year we give by hand. Never by mail.

    2. Give me a check for $500,000 –no way. You must live in a cave if you aren’t familiar with counterfeit bank checks.

    3. Encryption–you got me on that one. The title industry is moving towards encryption but it isn’t there yet. Many lenders are sending loan packages to us as encrypted documents.

    • So in essence, what this article tells you is that email is potentially bad because:

      1) the client might be hacked.
      2) *you* may be hacked. And yes, this can happen to you *especially* if you are using some form of system to semi-automatic generate the emails..

      What is wrong with an expedited/certified mail/etc. letter? The contract itself is in writing, so why not the instructions?

      • Because Jim’s customers don’t want it that way. The customers at my institution don’t want it that way either. They want fast responses in e-mail. When things are sent to them encrypted (through a system like Zixcorp), they complain that it’s “hard” or “they don’t understand.” Jim’s company is in a competitive environment trying to make money. Some of Jim’s customers may want security, and as more of them demand it then more gets added in to the mix; but when the customer isn’t demanding more security the customer gets really irritated when you add it to the process. They don’t want the information tomorrow or two days from now. They want online electronic commerce.