Suzhou machinery giant targeted by an attempted fraud: the e-mail domain suffix was altered
Recently a well-known foreign-invested export machinery company in Suzhou had its e-mail correspondence watched by hackers. Having picked their target, they altered the remittance details in the contract attached to a message and tried to get the payment sent to their own account. Fortunately the customer noticed in time and asked the employee who held the original account to confirm, and only that kept the money from being taken. Below are the headers of the message the customer received; once we walk through them, the experts here will be able to see how these fraudsters operate.

First, they used a fake address at emailsos.at.hm, which closely resembles the Suzhou company's real domain, emailsos.net, to blur the customer's perception. Some IT friends ask why they did not simply set up their own mail system and add the domain emailsos.net to the mail server directly, so the outgoing message would look even more genuine. Good question. That approach does work against some companies' simple mail systems; the key is whether SPF verification and reverse IP resolution are in place. If they are, then the big free providers such as Gmail, Hotmail and Yahoo all perform those checks, so the forged message fails and bounces instead of arriving.

What is shown here is a very simple technique. The really sophisticated version is to crack a weak password belonging to one of the customer's employees and then use your client or mail server as a zombie to send fake messages from the genuine account, getting the payment sent to the designated account. That is what is truly frightening. Next time I will go through the specific methods behind those techniques and the countermeasures for them.

Delivered-To: [email protected]   (this is the recipient)
Received: by 10.194.125.40 with SMTP id mn8csp61224wjb; Fri, 18 Apr 2014 20:10:16 -0700 (PDT)
X-Received: by 10.182.117.195 with SMTP id kg3mr19636386obb.17.1397877015264; Fri, 18 Apr 2014 20:10:15 -0700 (PDT)
Return-Path: Cilia.Pan@emailsos.net   (this is the sender)
Received: from gemini.websitewelcome.com (gemini.websitewelcome.com. [192.185.81.196]) by mx.google.com with ESMTPS id eh9si24266262oeb.28.2014.04.18.20.10.13 for [email protected] (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Apr 2014 20:10:14 -0700 (PDT)
Received-SPF: neutral (google.com: 192.185.81.196 is neither permitted nor denied by best guess record for domain [email protected]) client-ip=192.185.81.196;
Authentication-Results: mx.google.com; spf=neutral (google.com: 192.185.81.196 is neither permitted nor denied by best guess record for domain [email protected]) [email protected]
Received: from [127.0.0.1] (port=11146 helo=webmail.ikmc.net) by gemini.websitewelcome.com with esmtpa (Exim 4.82) (envelope-from <[email protected]>) id 1WbLfR-0001kz-1a; Fri, 18 Apr 2014 22:10:13 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_8f8f6267a6095691a02610726512e6f2"
Date: Fri, 18 Apr 2014 22:10:12 -0500
From: =?UTF-8?Q?=E6=BD=98=E6=85=A7?= <[email protected]>
To: Thorsteinn Sigurdsson <[email protected]>
Cc: =?UTF-8?Q?=E5=BC=A0=E6=AC=A2?= <[email protected]>
Subject: new order PI 14ICHT008
Message-ID: <[email protected]>
X-Sender: [email protected]
User-Agent: Roundcube Webmail/0.9.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gemini.websitewelcome.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - emailsos.at.hm
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Exim-ID: 1WbLfR-0001kz-1a
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (webmail.ikmc.net) [127.0.0.1]:11146
X-Source-Auth: [email protected]
X-Email-Count: 2
X-Source-Cap: aWttY25ldDtlc3J1ZGFzbTtnZW1pbmkud2Vic2l0ZXdlbGNvbWUuY29t

--=_8f8f6267a6095691a02610726512e6f2
Content-Type: multipart/alternative; boundary="=_754590fb5b86fb0285c6acc49791a589"

--=_754590fb5b86fb0285c6acc49791a589
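The three signals the analysis above draws out of the headers (a sender domain that merely resembles the partner's real domain, a Return-Path whose domain disagrees with the From domain, and an SPF result of neutral rather than pass) can be checked mechanically on every inbound message. The script below is an added example written for this page, not code from the post or from any mail product it mentions. The header block it parses is constructed to mirror the quoted one, with placeholder addresses and a placeholder receiving host; the list of trusted partner domains is an assumption that a real deployment would load from its own records.

```python
"""Flag business-e-mail-compromise indicators in raw mail headers.

Added example for this page, not the post's own code. Addresses,
the receiving MX hostname and TRUSTED_DOMAINS are constructed placeholders.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modeled on the header block quoted in the post.
# The sender domain emailsos.at.hm and the SPF 'neutral' verdict are the
# indicators the post discusses; the addresses themselves are placeholders.
SUSPECT_HEADERS = """\
Return-Path: <sales@emailsos.net>
Received: from gemini.websitewelcome.com (gemini.websitewelcome.com. [192.185.81.196])
        by mx.example.com with ESMTPS id abc123
        for <buyer@example.com>; Fri, 18 Apr 2014 20:10:14 -0700 (PDT)
Received-SPF: neutral (example.com: 192.185.81.196 is neither permitted nor denied by best guess record for domain of sales@emailsos.net) client-ip=192.185.81.196;
From: Sales <sales@emailsos.at.hm>
To: Buyer <buyer@example.com>
Subject: new order PI 14ICHT008
X-AntiAbuse: Sender Address Domain - emailsos.at.hm

"""

# Constructed control case: same partner, genuine domain, SPF pass.
LEGIT_HEADERS = """\
Return-Path: <sales@emailsos.net>
Received-SPF: pass (example.com: domain of sales@emailsos.net designates 203.0.113.5 as permitted sender) client-ip=203.0.113.5;
From: Sales <sales@emailsos.net>
To: Buyer <buyer@example.com>
Subject: new order PI 14ICHT008

"""

# Assumed: the domains of partners this company actually corresponds with.
TRUSTED_DOMAINS = {"emailsos.net"}


def domain_of(address_header):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted):
    """Heuristic: same leftmost label under a different suffix
    (emailsos.at.hm vs emailsos.net), or very close in spelling."""
    if not domain or domain == trusted:
        return False
    if domain.split(".")[0] == trusted.split(".")[0]:
        return True
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def spf_result(msg):
    """First token of Received-SPF (pass/fail/neutral/softfail/none), or ''."""
    match = re.match(r"\s*([A-Za-z]+)", str(msg.get("Received-SPF", "")))
    return match.group(1).lower() if match else ""


def bec_indicators(raw_headers):
    """Return a list of warnings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))

    # 1. The visible sender domain imitates a known partner domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if is_lookalike(from_dom, trusted):
            warnings.append(f"From domain {from_dom!r} resembles partner domain {trusted!r}")

    # 2. Envelope sender (Return-Path) and header From disagree.
    if rp_dom and from_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom!r} differs from From domain {from_dom!r}")

    # 3. SPF did not positively authorise the sending IP.
    spf = spf_result(msg) or "missing"
    if spf != "pass":
        warnings.append(f"SPF result is {spf!r}, not 'pass'")
    return warnings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_HEADERS), ("legit", LEGIT_HEADERS)):
        print(label, bec_indicators(raw))
```

The lookalike test deliberately keys on the leftmost label, because that is the part a reader's eye stops on; a gateway rule built on this would quarantine the message for a human to confirm, which is what the customer in the story ended up doing by hand.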