Wire Fraud for Housing

Written by Jim the Realtor

May 1, 2014

Hat tip to WW for sending this in!

https://krebsonsecurity.com/2014/04/phishers-divert-home-loan-earnest-money/#more-25690

Real estate and title agencies are being warned about a new fraud scheme in which email bandits target consumers who are in the process of purchasing a home.

In this scheme, the attackers intercept emails from title agencies providing wire transfer information for borrowers to transmit earnest money for an upcoming transaction. The scammers then substitute the title company’s bank account information with their own, and the unsuspecting would-be homeowner wires their down payment directly to the fraudsters.

This scam was laid out in an alert sent by First American Title:

“First American has been notified of a scheme in which potential purchasers/borrowers have received emails allegedly from a title agency providing wire information for use by the purchaser/borrower to transmit earnest money for an upcoming transaction.”

“The messages were actually emails that were intercepted by hackers who then altered the account information in the emails to cause the purchasers’/borrowers’ funds to be sent to the hacker’s own account. The emails appear to be genuine and contain the title agency’s email information and/or logos, etc. When the purchasers/borrowers transferred their funds pursuant to the altered instructions, their money was stolen with little chance of return. This scam appears to be somewhat similar to the email hacking scheme that came to light earlier this year that targeted real estate agents.”

“It is apparent in both scams that the hackers monitor the email traffic of the agency or the customer and are aware of the timing of upcoming transactions. While in the reported instances, a customer was induced to misdirect their own funds, an altered email could conceivably be used to cause misdirection of funds by any party in the transaction, including the title agent themselves.”

2 Comments

  1. Thaylor Harmor

    Email is not a secure form of communication. Unless you encrypt end-to-end (e.g. PGP), someone can intercept or spoof an email.

    An email is just a text file where you can just replace “Sender: address” with another. Also hyperlinks in HTML emails can link to something other than what is in the email.

    Something like this should be done in person or by snail mail.

  2. ewhac

    After thinking about this for a bit, the most likely scenario would seem to be for users of Web-based email (GMail, Yahoo, Hotmail, etc.) whose account credentials have been stolen. This is based on the presumption that it is far more likely that a typical end-user’s PC has been compromised than the title company’s.

    If you have access to a user’s email server (and if I’m understanding the IMAP protocol correctly), you can copy an email message from an account, delete it, then upload a new message in its place with a modified body that is in all other respects indistinguishable from the original. This still requires the thieves to pay super-close attention to email activity so they know when the “juicy” message arrives and can alter it.

    The use of public key cryptography (PGP, GnuPG) would obviate such an attack, since the thieves would not be able to generate a valid cryptographic signature for the modified message, and it would be flagged as a fake. But nobody does this because [*barbie voice*] crypto is hard, mneh mneh mneh…
