Ask HN: Lost $10k as my email was hacked. Any ways to recover it?
109 points by milanmot on Oct 26, 2018 | 86 comments
I have suffered a loss of $10k due to an extremely unbelievable case in which my client's as well as my own email domain was hacked.

-----

So, I run a very small pharma export company in India. I have a client in Ontario, Canada with whom I have been doing regular business.

2 weeks ago I got an order worth $10000 from them. So, as usual, I dispatched the material to them and then raised the invoice with my bank details from my email address, "abcde@mydomain.com".

Now on the next day my client received an email from "abicde@mydomain.com" stating that there was a change in the invoice, and a revised invoice was sent again which had the bank account details of a UK bank account.

Now an email like "abicde@mydomain.com" doesn't exist at all.

My client asked me for a confirmation email again but this email never reached me. So the client made the payment and the money is already deducted from his account.

Also, what makes this even more strange is that I received fake emails from my client's company 3-4 times telling me not to ask for the payment as it would be delayed.

I got this email from an email address like "klye@clientdomain.com" instead of "kyle@clientdomain.com".

Now $10000 is an extremely huge amount for the survival of my company. I want to know what my options are and whether there is any way of recovering it.



I'm surprised I'm the first person to point this out, but you have not lost any money, your client has.

You sent the goods to the client, and they have yet to remit the payment to you. So they still owe you the money and you should insist they pay it.

Granted, they're not going to like that, but the reality is they sent payment due to you to some other person. That's something they did, not something you did.

They may be in a position to take steps to recover the payment they sent to someone else, given the banks involved and so on, and they should try to do it. But that's not something you're really in a position to be involved in, you didn't have anything to do with it and aren't a party to the fraudulent transaction.

In the meantime they should return the goods or send you the payment they owe.


If this single transaction is key to the survival of OP's business, this may be one of few, if not the only, clients they have. In that case it may make longer term sense to "negotiate" a settlement. That could either be a payment plan or a percentage of the 10k obligation.


This is an issue in real estate transactions as well, where a client or law firm executed fraudulent wire instructions received via spoofed email.

See the last paragraph: https://themortgagereports.com/39665/cash-to-close-what-is-i...


I strongly disagree with you. The person who sent that money will want to get their money back and you are in the middle. At the very least I would want to stop doing business with someone who communicates bank information in such a careless manner. It's possible these are such tiny companies that they do things like that. In any case, I'd blame the other person whom I thought I was sending money to.


> my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.

Emails sent from your domain usually constitute valid contracts. If you're letting other people send emails from your domain because you don't have SPF configured then there's a good chance a court would either rule that you've allowed them to enter into a legally binding contract on your behalf, or else that you were negligent and owe the $10,000 back in damages.

That's why you need to take away the email addresses of people who no longer work for your company, so that they can't enter into contracts on your behalf.

That said no one should ever wire money based on anything they receive via email. So if the sender email had SPF but the recipient just didn't see it flagged because it was in SOFTFAIL mode or whatever, then it's probably the client's fault at that point.


That’s highly doubtful.

I think it would maybe be arguable if someone actually hacked the OP’s account and the emails really did come from their outbox, but spoofed email is a different thing entirely.

It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead. Or maybe someone showing up at the door and collecting payment wearing a stolen or counterfeit uniform.

If you think of it in legal terms, in a lawsuit say, the client would have to acknowledge the existence of a contract and an obligation to pay the supplier, and then somehow make an argument that a spoofed email from a third party that the supplier had no awareness of, that never entered the possession or control of the supplier at all, somehow invalidates that contract, or proves that the client has satisfied their obligation.

That’s quite a stretch.

Arguing negligence on the part of the supplier still wouldn’t do anything to satisfy the payment obligation; at best it would seem to be a counter-claim, saying that they suffered a loss because of the supplier's negligence, but then that’s a separate tort and the burden of proof would be on them.


> It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead.

Well that's the question I guess, if you don't have SPF enabled is it like what you said, or is it more like allowing random people to come into your office at night and send out whatever they want on your actual company letterhead?

I don't know if there is legal precedent there or what a judge would rule, but it doesn't strike me as being completely obvious that this is a simple cut-and-dried case where the client still owes the full amount of the original payment.


It’s not like having someone come into your office at night if it’s a spoofed email. It’s just someone figuring out what your letterhead looks like.

Either way though the client owes the original payment. That’s not in dispute. Legal issues don’t work in some holistic “who do you think should have the money” way, there are specific causes of action.

The first thing a court would ask is does the client owe the money, and is the obligation satisfied. The first answer is yes the second one is no, the client never sent the supplier the money. Nobody claims they did. Period.

Then the client would have a cause of action for negligence, due to someone else spoofing their email. Who wins that one? I don’t know but you’d have to look for some precedent and claim that the supplier was actually the proximate cause for some third party defrauding you. Maybe but it’s a pretty tenuous argument and you’d have to demonstrate clear causality.


I'm not a lawyer, but is that really true?

I could see how an ex-employee who can still log in could enter into contracts on your company's behalf, but a hacker doing so gets the same protections (for lack of a better word)?

That seems very wrong to me. I'm sure it makes things harder to determine the actual issue, but I just don't believe that a judge would look at this and conclude that fraud is ok as long as it comes from your email address...

(ignoring issues like gross negligence where a company is doing significantly less to secure their systems than should be expected)


> Emails sent from your domain usually constitute valid contracts

Gonna need a source on that one, chief.


> Gonna need a source on that one, chief.

The example I always use is when a college coach tells an athlete they've been accepted to a college before the admissions committee formally approves them, and they actually get rejected. This happens dozens of times per year, and the reason you never see any lawsuits about it is that the colleges just let them in to avoid the bad publicity.


Hardly seems like the same thing -- the coach is a representative of the organization and communicated something (by whatever means) that they shouldn't have. The organization honored that commitment.

If the athlete turned up waving a _spoofed_ email and they let them in then that would be a more appropriate example.


> If the athlete turned up waving a _spoofed_ email and they let them in then that would be a more appropriate example.

Fair, I was just making the point about the validity of email agreements in general.

But let's say Harvard let others send email that appeared to come from their domain (by not having SPF enabled) and some kid withdrew all their other college applications because one of their friends was playing a prank on them or whatever, almost certainly the college would either let them in or else settle and pay damages. No way in hell they would want that going to trial even if they thought they could win.


I think you’re greatly mistaken in your assumptions. Harvard would suffer much greater damage to their reputation if they honored a fake acceptance email. To my knowledge, no university has ever honored a fake (physical) acceptance letter either, and those have existed (as pranks or otherwise) for a while.

It’s highly unlikely that such a case would even get to trial without being dismissed. For example, see this Quora thread [1] about the case of the university itself sending out the actual acceptance letter. Columbia University also had an incident where a system error accidentally sent out acceptance emails, which they quickly retracted, and no lawsuit or settlement came out of that.

I think it would be incredibly difficult to prove damages in such a case, especially since a fake acceptance letter doesn’t prevent you from going to another college. Your example of the student withdrawing their other applications is also unlikely to be blamed on Harvard, particularly before the student has officially accepted (at which point Harvard would notice they didn’t accept the student).

[1] https://www.quora.com/Can-a-university-be-sued-if-it-first-s...


The point here really is that the company who sent the money out is the only company that can try to get that money back. If they have no reason to (OP doesn't follow up) then what's the point? They have no motivation to follow through with their bank or government.


If I send you a letter from your house address, are you going to send me a check to whatever address I want if I say I'm your Mum?

Email domain spoofing is super easy.


SPFs are not a legal enforcement and a court cannot penalize an entity for not having an SPF.

It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."


> It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."

Of course a court can say that. The phrase used to describe email is literally like a postcard. If you sent out HIPAA or FERPA protected information on a postcard, would you really expect not to pay a huge fine or go to prison?


Amusingly in a thread on email scams and such you didn't read quite closely enough (plus OP didn't do a great job of differentiating either, maybe on purpose) :). Even ignoring the "sent from your domain = contract" assertion:

> Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.
>
> Now an email like "abicde@mydomain.com" doesn't exist at all.

Notice the "i", different from abcde@mydomain.com. He's saying it wasn't sent from the normal email account. The question I'd have is that OP uses "hacked" but there aren't actually any technical details here at all. Was one or the other mail servers genuinely compromised, or someone phished? Or were these emails simply spoofed? Or what? It sounds like it could have just been a forged From which is utterly trivial, every mildly serious spammer let alone spearphisher has done that forever. If the client "asked for a confirmation email" but the "email never reached" because it was a spoofed From and got blackhole'd but the client then took no response as confirmation that would probably be on the client.

Of course whatever the legal case there are other practical considerations, if this is a very valuable client then a certain amount of bending may be in order. It sounds like a pretty hokey order mechanism all around vs even just a simple HTTPS LE plain text web form and static invoice. And there is still the question of how exactly the phishing (if that's what it was) information was gathered for the spoofed invoice in the first place, insider job? Some other leak or hack?

But at least asking the client to try to get the money back seems fair enough. Money in that amount to a developed world bank should absolutely be traceable. Alerting the banks and law enforcement should have been the absolutely immediate first move the instant anything amiss was realized. If it was the client's fault and the money really is gone somehow (or even will just take a long while to recover) then at least splitting the difference shouldn't be unreasonable.


> Notice the "i", different from abcde@mydomain.com

The username on the domain doesn't matter, only the domain itself.


> The username on the domain doesn't matter, only the domain itself.

Of course it matters if it means that it wasn't actually sent from the domain in the first place and there were no "hacks" involved. You said "emails sent from your domain..." but you do know the "From" address in standard email is utterly meaningless from a security perspective right? You can just

  sendmail -f any.address@example.com any.target@example2.com < email.txt
and that's it. There are ways to mitigate that these days and someone can always examine the headers of something suspicious but a lot of older desktop clients and mailservers won't.

Your entire (dubious and uncited) assertion rests on an assumption that it was in fact "sent from their domain". If someone forged it instead then it doesn't even get into law at all, OP simply had nothing to do with it period. Their account wouldn't have been hacked, neither they nor their kit would have any involvement.


Additionally, it could very well be that one of the letters in the domain name looks like but isn’t one of the normal English ASCII characters. I’ve seen scams like this before; they are visually indistinguishable (or extremely close to it, e.g. I’ve seen one that had a tiny dot above the character it was mimicking) from the real thing, but are a completely different Unicode character.

But if you don’t check the email headers, emails are easy to spoof, hell, I did it when I was a kid...


> but you do know the "From" address in standard email is utterly meaningless from a security perspective right?

That would be the argument as to why the domain owner would have a duty of care when also using the domain to send legitimate business email. Again I'm not saying there is a duty of care here, I'm just saying that it's not obvious to me that there isn't one.


This is one of the most hilariously wrong things I've ever heard of. So if I send an invoice to billing@facebook.com and reply from (my account) uh_what@facebook.com agreeing to the terms, Facebook legally owes me the amount on the invoice?


Clearly not. It's a general principle of law, not an ATM machine.

E.g. employers are on the hook for damages due to sexual harassment among their employees, but that doesn't mean you can sexually harass yourself and then automatically collect free money.


Your email did not get hacked most likely. Your client got tricked. They spoofed an email with your domain, but the reply-to email was their own (the attacker). So the client thinks they responded to you, but they responded to the fake address. Also, generally when they do this, they spoof the body and the conversation of the email.

Most likely, your client's emails were compromised in this case. Ask them to forward you the original email received as an attachment, and the reply-email as an attachment.

Your client likely has to reach out to their banking institution. Most companies have safeguards against this on their end when sending money, specifically, when accounts change they get on the phone with someone using their Vendor list, not the communication from the email. Also, having multiple parties authorize a transfer.


I agree. A few (10? 20?) years ago it was very easy to spoof email and send an email "from" mickey@disney.com if you wished. The original email specification has almost no security features. Now, most email servers will sign the outgoing email, and if you receive an email with the signature, Gmail and other big webmail providers will show a big warning.

So, to understand the problem it is very important to get a copy of all the complete emails with all the hidden headers that have the automatic signatures of the servers the email passed through. (See https://www.google.com/search?q=email+headers )

With the email headers it is possible to see if your server was hacked or if the sender field was spoofed.


Or an employee of his used this information to email the client and steal the money.


This is not limited to an employee at OP's organization. It can be an employee of the corporation he is doing business with. Alternatively, someone could have printed an old email and one of the facilities providers (i.e. cleaning crew) found it and used it.


This is a very common issue; I've personally helped a company after they lost much more than this, and had to help prove it to insurance/govt agencies/etc. Turn on DKIM, DMARC, and SPF records for your mail domain. Also, never send invoices over email that contain any payment terms (e.g. accounts, addresses to mail a check to, etc.); they should always be in some sort of protected portal. Tell every customer never to accept payment term details from you over email, phone, etc. If you or your client has insurance, start documenting every part of your case with screenshots into a file, and document everything you know NOW, including timestamps, etc.

EDIT: Also, I'd suggest taking orders via a secured portal, and also authenticating large orders by calling a number for a client you already have (never trust their website, or an email from them). Unfortunately, you're out of luck on that money.
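The SPF/DKIM/DMARC advice above, and the earlier point about SOFTFAIL, can be checked offline against a domain's published records. The following is an added example, not code from anyone in this thread: it parses raw SPF and DMARC TXT strings and grades a constructed weak pair (SPF ending in `~all`, DMARC `p=none`) beside a hardened pair; the `include:` host and report address are assumptions. Note these records protect a domain's own name; a lookalike mailbox at some other host, as in this thread, still needs the recipient to verify alignment and confirm bank details out of band.

```python
"""Grade the SPF and DMARC records a sending domain publishes.

Added example, not from the original post. parse_spf()/parse_dmarc()
take the raw TXT record strings (e.g. pasted from `dig TXT mydomain.com`
and `dig TXT _dmarc.mydomain.com`); grade_records() returns the gaps a
spoofer benefits from. No DNS queries are made.
"""

# Constructed records; 'mydomain.com' is the placeholder from the post and
# the include: host is illustrative (an assumption), not a recommendation.
WEAK_SPF = "v=spf1 include:secureserver.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARD_SPF = "v=spf1 include:secureserver.net -all"
HARD_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@mydomain.com"

QUALIFIER_MEANING = {
    "+": "pass-all: any host may send as this domain",
    "?": "neutral: receivers are told nothing",
    "~": "softfail: spoofed mail is only flagged; most receivers still deliver it",
    "-": "fail: spoofed mail is rejected",
}


def parse_spf(record):
    """Return (mechanisms, all_qualifier) or None if the TXT is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, qualifier = [], "?"           # no 'all' term means neutral
    for term in terms[1:]:
        q = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            qualifier = q
        else:
            mechanisms.append(body)
    return mechanisms, qualifier


def parse_dmarc(record):
    """Return the tag=value dict of a DMARC TXT, or None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade_records(spf_txt, dmarc_txt):
    """List the weaknesses in an SPF/DMARC pair; an empty list is a pass."""
    findings = []
    spf = parse_spf(spf_txt or "")
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which hosts may send for the domain")
    else:
        _, qualifier = spf
        if qualifier != "-":
            findings.append(f"SPF ends in {qualifier}all ({QUALIFIER_MEANING[qualifier]})")
    dmarc = parse_dmarc(dmarc_txt or "")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures carry no policy, so spoofs are not rejected")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy}: receivers are not asked to reject mail that fails alignment")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so spoofing attempts are never reported to you")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        print(f"== {label}")
        for finding in grade_records(spf, dmarc) or ["no findings"]:
            print("   -", finding)
```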


Is there any way to recover that money?


They need to file a police report, and get in touch with their bank. It's likely the money has already been transferred to a different bank, but the corresponding bank might still be able to freeze the account if it is still sitting there.

Then again, it might be transferred again as well. Money is hard to trace if it moves through different jurisdictions, as every country has different banking and privacy laws. Your client might very well hit a dead end for such a (in the grand scheme of things) small amount of money.


Highly unlikely - but also, a side fact to keep it from happening again. In the attack similar to this that I had to help address, someone had sent an email to a client over an Indian shared office space network. That network was found to be compromised and man-in-the-middled. I suggest doing business communications like email over VPN (F-Secure VPN or similar) only.


Highly unlikely.


Not sure if a portal is any better. Can't an email point to a fake portal?


Absolutely it could. However, with a secured portal - the client would know to go there, rather than email for many interactions already. Once DKIM,SPF,DMARC are on - the spoofed email is harder to do. In this particular case, I'd suggest giving them a file of contact information, and not ever publishing it (email, etc). Also, in my view, it is much easier to spoof emails, than to attack a proper web app.


If I'm reading your story correctly, it matches up with a tactic my clients have been seeing more lately. The scammer has already accessed your account because you fell for a phishing scam, typed your email credentials into a fake login site for a fake Office 365 or Dropbox page or something.

Now the scammers are watching your email closely waiting for the opportunity to do this. Waiting for you to send an invoice to your client, so they can jump in and send a revised invoice with their own payment details on it.

This can happen with intrusion into your email box, or your clients'. Hard to say exactly from your story. But either case, someone's mailbox was accessed by the intruder. A similar scam is possible by just using similar domain names, but in such a case you wouldn't know precise details of the invoices. You can just send a random fake invoice and hope the mark pays it or provides payment details in some way.

One thing worth noting in your story is that you aren't out $10,000. Your client is the one who paid the money to the wrong party. They are the ones who need to work with their banks and reverse the payment. It's not your fault that they paid the wrong person.


> The scammer has already accessed your account because you fell for a phishing scam

> It's not your fault that they paid the wrong person.

How is this not the OP's fault? It's absolutely their fault - the fault that led to their email being compromised.


I stated in the next paragraph that the situation could just as easily be reversed. We do not have any way to know in this situation whose mailbox was accessed, the OP, or their client.


Seems more likely it was the client. If the OP was hacked, the thief could have sent a completely legit email with correct headers and etc.


If OP's mail was hacked, the attacker wouldn't have needed to use a confusingly-similar email address ("abicde@mydomain.com" instead of "abcde@mydomain.com"). They could have used OP's actual address.


Good theory but not necessarily true. The attacker might still wish to use a spoofed domain to ensure that they get delivery of all replies.

In cases where Gmail and Office 365 accounts get hacked like this, the attacker will enable email forwarding to an address they can monitor for replies, and delete replies from the clients so that the compromised person does not see them. I am not sure if you can do this easily with a GoDaddy mailbox.


Did you edit it in? Either that paragraph was not there when I replied or I'm losing my ability to read


You don’t know it was the OP’s email that was compromised. It could have been the client's or something else entirely.


Fair point, that. I'd not considered all the possibilities.


Immediately contact all the banks involved and report the fraud. They should be able to reverse the transaction.


I can confirm this. Something similar happened to an acquaintance, although the amount was even higher. They immediately called the police, and the transaction was reversed. When the thieves tried to withdraw cash, they were able to catch them. This happened in China, although the transaction was international.


Your client got defrauded, arguably through no fault of your own. They never paid you, so they still owe you. Good luck with this approach, though. IANAL

Edit: I see CPLX has said it much better than I in the meantime. Note that it’s not at all clear that the hack happened on your end, rather than your client’s (or perhaps at some intermediate ISP).


Banking standards here in the EU impose a 13-month period during which the sender (order sender) can ask for a full refund. Check your local rules. This has to be talked about with the respective banks involved (that of your client + the one that received payment), as I believe you can't do anything anymore.

Next time, use more than one communication channel (Facebook, phone, Signal, Telegram, WhatsApp... anything, really).

You should also see with your domain registrar and mail provider what happened.


My domain and email provider is GoDaddy. Unfortunately, they said that they cannot do anything about it but still asked me to send IP email headers to their abuse team.


> Banking standards here in the EU impose a 13 months period during which the sender (order sender) can ask for a full refund

Is this really true? Do EU bank transactions really take 13 months to fully clear?


No, they don't take 13 months to clear. The idea is to protect the payer (the one losing money) from either their human error, or an unlawful debit.

See https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direc... .


Is that for “direct debit” only or all transactions?


Just so you know, the Reply All podcasts takes on (and helps solve) cases just like these.


My two cents: any business should ALSO have a phone number, perhaps not immediately reachable, but still a phone number. Perhaps also a fax number, old but still useful in an emergency.


Hear hear.

If I can't reach flesh on a phone during business hours, I do my business with somebody else. No exceptions. A friend was trusting money and login details to a site with no mailing address or phone number and I pointed this out. He was suddenly aghast, another who did the same shrugged, I shuddered. Some people insist on learning the hard way.


Here in the US, we have the financial fraud kill chain for transfers greater than 50,000 dollars. Other countries have used it as well. You may wish to contact the CSIS for methods they use to short-circuit these transactions.

https://rmacounts.com/uncategorized/financial-fraud-kill-cha...


A couple of humble suggestions:

1. Get/Hire someone to do a proper analysis of the "breach". This may require your client's cooperation.

2. Regardless of whose fault that was, try to improve the process to protect yourself and your clients in the future (e.g. email signing, confirmation via a different channel, different way of collecting payments etc.)


Have you ever done this? A proper analysis will cost more than the money lost, and is itself not recoverable.


This is fairly common fraud in the UK. See this for background:

https://www.theguardian.com/money/2018/oct/18/banks-to-check...


One important thing you didn't state: was this $10k order typical for them, or especially outsized? Another important thing you didn't state: how has any discussion to date gone with the client?

Anyway, no matter. You are in India, the client/customer is in Canada? The amount is only $10,000 and you are a "very" small company? You have no practical recourse.

I'd even give small odds that the client is in fact scamming you.

Regardless, good luck, but in the face of an uncooperative client, you're out of luck.

Many of the arguments here are around legal correctness, who is at fault, etc., but they fail to take into account that you are too small and the amount is too small and across international borders for you to do anything about it. Now if the amount were $100,000 you'd be able to pursue it.


You need to speak to the bank regulators and consider talking to the press.

In the UK, the Daily Telegraph finance team has been covering this in their weekend issues and has had some success in getting things changed here.


I wonder if a client has ever set up a scam like this.

They send a fake-looking email to themselves (using existing invoices as a template), then feign ignorance and refuse to pay for goods/services because "we sent the money, not our fault you didn't get it".

Even better that they'd send a few emails saying "we're working on paying you, don't bug us about it" -- payments are harder to collect as time passes for a number of reasons (in my experience).


As others have pointed out, it's the client's fault if they have been duped. Although for sure, they'll try to put the onus on the seller, and will claim the seller has been hacked etc.


Email headers of the fake email I received are below. Can anyone identify anything from it?

-------

Received: (qmail 30963 invoked by uid 30297); 16 Oct 2018 19:04:18 -0000
Received: from unknown (HELO sg2plibsmtp01-1.prod.sin2.secureserver.net) ([182.50.144.11])
          (envelope-sender <klye@clientdomain.com>)
          by sg2plsmtp19-01-25.prod.sin2.secureserver.net (qmail-1.03) with SMTP
          for <reema@mydomain.net>; 16 Oct 2018 19:04:18 -0000
Received: from se1-lax1.servconfig.com ([104.244.124.86])
          by bizsmtp with ESMTP
          id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
Received: from res203.servconfig.com ([192.145.239.44])
          by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
          (Exim 4.89)
          (envelope-from <klye@clientdomain.com>)
          id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
Received: from [::1] (port=46403 helo=res203.servconfig.com)
          by res203.servconfig.com with esmtpa (Exim 4.91)
          (envelope-from <klye@clientdomain.com>)
          id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
          boundary="=_cb44418026f16861773c2073108229cd"
Date: Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.com>
To: Reema<reema@mydoamin.net>
Cc: 'mail' <mail.globax@dr.com>
Subject: RE: pharma zonisamide
Reply-To: Kyle <Kyle.clientname@dr.com>
Mail-Reply-To: Kyle <Kyle.clientname@dr.com>
Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>
X-Sender: Klye@clientname.com
User-Agent: Roundcube Webmail/1.3.3
X-Get-Message-Sender-Via: res203.servconfig.com: authenticated_id: shahrukh@makamil.com
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
X-Originating-IP: 192.145.239.44
X-SpamExperts-Domain: res203.servconfig.com
X-SpamExperts-Username: 192.145.239.44
Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.35)
X-Recommended-Action: accept

X-Report-Abuse-To: spam@se1-lax1.servconfig.com
X-CMAE-Envelope: MS4wfGTkLN5Q3Etz9Wkc3k/s+48X4HLNxcMTgPNW9dd3KWT52iaJK7tSMbsyZjm0/hi9J87LipDUTpWV2p/qyIS3IuuXa62TTzrOmM1SRoaJXZY91Lfa/lzj
          i8Jb2TdRHL58hBIRNSmmPIf9tFZ8lSpapy/8CF5h3TDIczyZlwy+0j+T7U+zeMfEALDdLQAg1NCO7Q==

X-Nonspam: None
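The replies below pick out individual headers by eye (the Reply-To, the authenticated_id, the originating server). The following is an added example, not code from the original post or from anyone in the thread: it parses a shortened copy of the header block above, walks the Received chain oldest-hop-first, and reports the same indicators a defender checks first in a payment-diversion case, alongside a constructed "clean" control message for comparison. The control's hostnames and IP are assumptions.

```python
"""Triage the raw headers of the suspect message posted above.

Added example, not code from the original post. It parses the folded
header block, walks the Received chain oldest-hop-first and reports the
indicators a defender checks first in a payment-diversion case: a
Reply-To pointing at a different domain than From, a submission server
that authenticated a mailbox outside the From domain, an earliest hop
outside the From domain, and no SPF/DKIM/DMARC verdict on receipt.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a shortened copy of the thread's headers (filter
# blobs dropped). Domains and IPs are the placeholders used in the post.
SUSPECT = """\
Received: from se1-lax1.servconfig.com ([104.244.124.86])
    by bizsmtp with ESMTP
    id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
Received: from res203.servconfig.com ([192.145.239.44])
    by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.89)
    (envelope-from <klye@clientdomain.com>)
    id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
Received: from [::1] (port=46403 helo=res203.servconfig.com)
    by res203.servconfig.com with esmtpa (Exim 4.91)
    (envelope-from <klye@clientdomain.com>)
    id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.com>
To: Reema <reema@mydomain.net>
Reply-To: Kyle <Kyle.clientname@dr.com>
Subject: RE: pharma zonisamide
User-Agent: Roundcube Webmail/1.3.3
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com

"""

# Constructed control (hostnames and IP are assumptions): what a legitimate
# reply from the client's own mail server, verified by the recipient's MX,
# would look like.
CLEAN = """\
Received: from mail.clientdomain.com ([203.0.113.5])
    by mx.mydomain.net with esmtps; Tue, 16 Oct 2018 12:04:18 -0700
Authentication-Results: mx.mydomain.net; spf=pass smtp.mailfrom=clientdomain.com; dkim=pass
From: Kyle <kyle@clientdomain.com>
To: Reema <reema@mydomain.net>
Subject: RE: pharma zonisamide

"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """(from_host, by_host) for each Received header, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]                           # headers are prepended, so reverse


def triage(raw_headers):
    """Return the parsed facts plus a list of human-readable findings."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    auth_addr = msg.get("X-Authenticated-Sender", "").rsplit(":", 1)[-1].strip()
    auth_dom = domain_of(auth_addr)
    hops = received_chain(msg)
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To diverts replies to @{reply_dom} although From is @{from_dom}")
    if auth_dom and auth_dom != from_dom:
        findings.append(f"submission server authenticated {auth_addr}, not a @{from_dom} mailbox")
    if hops:
        src, via = hops[0]
        if not any(h.endswith(from_dom) for h in (src, via)):
            findings.append(f"earliest hop is {src} via {via}, neither a @{from_dom} host; "
                            "confirm with the client whether they send through that provider")
    results = " ".join(msg.get_all("Authentication-Results", []))
    if not re.search(r"\b(spf|dkim|dmarc)=", results, re.I):
        findings.append("receiving side recorded no SPF/DKIM/DMARC verdict for this message")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "authenticated_as": auth_addr, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        report = triage(raw)
        print(f"== {label}: {len(report['findings'])} finding(s)")
        for src, via in report["hops"]:
            print(f"   hop: {src} -> {via}")
        for finding in report["findings"]:
            print(f"   ! {finding}")
```

To use it on a real case, paste the full header block (including the folded continuation lines) in place of SUSPECT; a forwarded message as an attachment keeps those headers, a quoted forward does not.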


Your client's /Roundcube/ installation may be exploited, as that is where the email originated from:

  User-Agent: Roundcube Webmail/1.3.3


Do you recognize this domain?

> authenticated_id: shahrukh@makamil.com


No. This is some unknown email address.


https://b2bpk.com/company/ma-kamil-pharma-57113.html

Weird that the domain points to another Pharma company operating from Karachi, Pakistan. Maybe contacting them to find out who "Shahrukh" is might be a good first step.

EDIT: Looks like 0898 found more details https://news.ycombinator.com/item?id=18310807


Looks like it pretty transparently sends all replies to "dr.com". Seems like something our email client should warn us about explicitly, instead of just showing "Reply To: Kyle".


Can we find out something from it?


I think rnotaro solved the whole mystery: https://news.ycombinator.com/item?id=18310631



Well you may be able to get their contact details by contacting InMotion Hosting, who runs the web server they sent the mail out of. If you take 'res203.servconfig.com' and stick it in here: https://www.ultratools.com/tools/ipWhoisLookup , you should be able to get their abuse team email. Although this won't get the money back... it will just help you punish the spoofer a bit.


Maybe this is a dumb question, but have you talked to your customer about this? Such issues are covered by insurance plans that are common for US companies. It may be as simple as your customer making a police report and then providing it to their insurance. Then 60 days later they get a check and pay you.


Your case is really similar to this attack (`How a fraudster got $12 million out of a Canadian university: They just asked for it`): https://news.ycombinator.com/item?id=18186433


Are you or your client using Google’s G Suite as email service provider?

Because the same thing happened to one of my clients in Chennai, India.

But the client didn't transfer the funds since he found that the bank account the fake guy sent was new to them. So the client called the original company back and reported it.


Unless I am missing something I don't see a hack here, just some spoofed emails.


It's not just a random spoofed email. Someone was aware of the entire conversation and sent a spoofed email in the exact situation, resulting in my loss.


Doesn't mean you were hacked; it could be an inside job by someone at either organization, or it could be a hack on the other company's email. If your email provider has any sort of activity log like Gmail does you might want to review those, or if you run your own there should be access logs on the server.


Very common and growing type of fraud, sad to say.


For a similar recent case, see

https://news.ycombinator.com/item?id=18318226


Make sure you have set up SPF, DKIM and DMARC. Also use email certificate.


An interesting case, I have never heard of this type of fraud.


Maybe your business partner is trying to scam you.


You didn't lose $10k, your client did.



