Hey hacker! Is that you?

Did you ever imagine that your business partner who you have contacted for a long time can turn out to be an email hacker that wants to steal your payment?

We would like to share a story about exposing a hacker, which happened recently to one of our clients (overseas buyer), his Chinese supplier and us, V-Trust. This story has a happy ending, since we helped the customer to reveal the hacker before the customer transferred a large-sum payment to him, and thus would like to keep you alert when settling payments for your overseas purchases.

Story prologue

First, let’s show how he intercepted our online communication. For confidentiality reasons, we will code-name the involved parties and their correct contact details as following: the customer – let’s say is Benjamin from the company A with his email address being ben@A.com; the supplier – Emma from the company B (proper contact email: emma@B.com); and me, Sophia from V-Trust, with the email address sophia.ma@v-trust.com.

So, the hacker tried to begin the game by tapping into our communication by creating three new fake email addresses, such as benA@gmail.com, emmaB@mail.ru, sophiam.a.vtrust@gmail.com to pretend to be the client, the supplier and V-Trust.

How it started

In June 2019 the supplier’s email box was attacked by a hacker, and from that moment the hacker manipulated communication between the client and the supplier – their real communication was blocked since then, and both parties were instead in contact with the online scammer. The hacker had replaced the real customer’s email (ben@A.com) with his own fake email box (benA@gmail.com), meanwhile replacing the supplier’s email address (emma@B.com) with emmaB@mail.ru.

Both the client and the supplier did not realize that the person they were contacting was a scam, and communicated with the hacker for 9 months before V-Trust intervened and revealed the fraud.

In Feb. 2020 the customer booked a Sample Check with V-Trust, and provided the email box of his supplier as emmaB@mail.ru, which in fact was a fake email created by a hacker and used to communication with the client. At that time, the hacker also created another mail box (sophiam.a.vtrust@gmail.com) to pretend to be V-Trust communicating with the supplier, and then forwarded our emails to the supplier with revised content.

The hacker took over the whole three-way conversation: the client and V-Trust contacted the hacker-supplier by emmaB@mail.ru, while the supplier contacted benA@gmail.com (the hacker-client) and sophiam.a.vtrust@gmail.com (the hacker pretending to be the inspection company).  

How we found the truth

• I noticed that the email domain of the supplier’s address was @mail.ru, quite abnormal for a Chinese supplier to have – it is a widely used Russian public email domain.
• Also, it felt somewhat strange as the hacker-supplier was replying to our emails in English only for quite a long time, although I was writing to them in Chinese. On top of that, there was no phone number in the supplier’s email signature. (The hacker had removed that contact information in the supplier’s mail signature to prevent V-Trust from calling the supplier directly).
• To confirm the inspection, usually the supplier has to fill in an online confirmation slip for us. Once the confirmation slip was sent to the hacker-supplier, they immediately replied to us that the link didn’t exist, but after about 30 minutes they said it was available to them. The fact is, that due to network synchronization between inland-China and outside China, our system emails going abroad are delayed by ~30 minutes. So, when this happened to the hacker-supplier, I wondered if the supplier was located abroad.
• As the 1^st sample check had failed, the real supplier called us to ask about the customer’s requirements for improvement and to book the 2^nd sample check. I talked to the real supplier by phone and requested that they fill in the 2^nd confirmation slip online. However, the supplier didn’t seem to understand what link she should follow, and said that she only filled one document last time to confirm the inspection arrangement. Suddenly, I suspected that whoever filled in the notice for the 1^st inspection was not the same person as my current contact.
• Before settling the payment, the client asked us to help double confirm the provided bank details with the supplier. While checking the documents, I found that the bank name was quite different, and the payee wasn’t the supplier’s company name. I immediately emailed the supplier to check the difference with the bank name, but instead got a reply from the hacker-supplier (emmaB@mail.ru) that the bank details were correct, without explaining the pointed-out difference.
• Following that concern, I called the real supplier by phone to confirm the information for the payee, bank name, and bank address. Once the real-supplier assured me that the details they provided were correct, I insisted on comparing them to the details I that had. Still over the phone, the real supplier told me that there was no screenshot with bank details from my email, but the bank details from the email sent by fake-V-Trust could have been tampered with.
• Sensing that things were not right here, I called the real supplier on WeChat and rechecked the email with bank details provided via our video call. What we found was disturbing. The email received by the supplier was sent from a hacker pretending to be V-Trust, who revised the email content. And the bank details that the client provided for checking (and which were forwarded to them by the hacker-supplier) were different from the bank details of the real-supplier. We discovered that all our email conversations were hacked, and immediately contacted the customer to notify them that the supplier they were in contact with was a hacker, and asked to stop email communication with that contact.

The hacker case came to light right in time, as we in V-Trust managed to prevent a client from settling payment to an online scam. In the end, our customer was very thankful for the saved project costs.

How to avoid dealing with a hacker

From the above hacker story we would like to give you some advice:

1. Pay attention to the email domain of your contact person, - in most cases it should be the email domain containing the contact person’s company name, for ex. @v-trust.com.
2. Revise and update your email password regularly to ensure the email box safety.
3. Double-check bank details with your supplier before payment: not only by email, but also through phone or video call. A video call especially would be most helpful to verify that all the bank details are correct.
4. With regards to payment safety, your company can set up a management system to check your supplier’s information and the bank details.  
5. During sample checking, mass product inspections, or factory audits, we in V-Trust can help to take a photo of the supplier’s bank details confirmation issued by their bank. We can help to check their bank details, and are always ready to provide you with any assistance.

Here at the end of this article, we would like to say to the hacker, “Hey hacker! Is that you? We know you are there. Please stop meddling with us.”  

I hope that this story will be educating and helpful for you. Welcome to contact us at any time and share your comments.

Thank you very much for your time!