1

I've tried searching a few terms but can't really answer my question.

We have a system which sends out invoices and we have had a couple of instances with one individual where the PDF attachment has somehow been altered between us sending it and the recipient opening it. The PDF normally contains a 'pay now' link but this has been deleted and replaced with spurious bank account details. This individual was sent two emails with different PDF attachments on the same day but at different times, and both have been altered in the same way.

At this stage I am just looking for possible ways this might have been done so we can investigate further. Emails are sent by Amazon SES and the customer has a bigpond.net.au email address. We are using DKIM signatures on sent emails.

I'm trying to get hold of the header from the email that was sent. I only have a forwarded copy of it.

Would appreciate any suggestions so that we can gather some more information about it.

DarrenM
  • 11
  • 1
  • 2
    How do you know the PDF was altered in transit and not at the recipients system or at storage at the final mail server or even at your site? What are these "spurious bank details", i.e. do they have anything to do with the original bank data or are these bank data from a potential attacker? Was any DKIM verification done and what was the result (i.e. did it fail since the body hash did not match)? Apart from that: PDF which work like you describe (i.e. "pay now" button) are very similar to PDF one finds in credential phishing mails. – Steffen Ullrich May 09 '19 at 03:45
  • Thanks. I now have the original email header and it appears that the email was received by their mail server within a second of us sending. DKIM passed, according to the header. The bank account details that have been added are for someone else's bank account, we don't know who yet. The recipient has paid amounts into that bank account. We will probably remove the PDF attachment and use a different method going forward. – DarrenM May 10 '19 at 07:03

0 Answers0