Ross Bentley
A major software supplier has successfully identified and
pursued an e-mail spoofer who was mailing the firm's customers with
damaging messages, following an offer of a £25,000 bounty for
information leading to the perpetrator.
ERP software supplier Geac had been blighted by a series of
e-mail break-ins over the summer, where mail purporting to come from
Geac staff was sent around the company intranet as well as to
several hundred customers and partners.
The case is a lesson to IT managers in all industry sectors who
may have to limit the damage caused by someone maliciously spoofing
company e-mail.
Geac managing director Chris Allen detailed the path to the
spoofer. "We employed security specialist Vogon to locate those
responsible. It tracked down the e-mail ID to the ISP. We then
needed to get a court order against the ISP so it would release the
telephone number which had been used.
"We had to obtain a second order to recover the computer
equipment from the corresponding address. This was enough to
convince the court to issue an injunction against the man,
prohibiting him from sending more spoofs."
The spoofer turned out to be a disgruntled ex-employee who was
made redundant last year. On finding the culprit, Geac ended the
suspension of a second employee who was initially the prime suspect
because the e-mails had been routed through his mailbox.
Allen said the effort in tracking down the spoofer was necessary
in order to send out a signal to others thinking about doing the
same thing, and also to free others from suspicion.
In addition, Geac needed to prove to customers action was being
taken. "Because our customers received some of the spoof e-mails,
we had to work to show them that we were in control of the
situation," said Allen.
Fran Davey, legal adviser at law firm DLA, who worked on the
case, said this was only the second example he could recall where
an e-mail spoofer in the UK had been identified and faced court
action.
"This is a sensitive case," he said. "Throughout the
investigation we had to be sure we were targeting the search based
on information, rather than carrying out a blanket search that
would have contravened some of the new laws."
What to do if you suspect a spoof attack
Clifford May, computer investigations manager at Vogon
International, offers some advice on dealing with spoof
e-mails:
- Secure back-ups of all mail files immediately (electronic
copies of e-mails are vital, as such information as Internet
headers are not available on printed copies)
- Maintain secrecy (inform as few people as possible - the
perpetrator could be in-house)
- Act quickly (ISPs, for instance, do not maintain logs for long,
and this may be vital in tracing the sender)
- Seek professional advice (if you don't know what you are doing
you could destroy the "chain of evidence")
- Secure all dial-in access (ensure nobody can withhold their
telephone numbers, enable dial-back, etc).
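As an added illustration of the first point above (this is example code, not from the article, Geac or Vogon), the script below reads a preserved electronic copy of a spoofed message and walks its Received: headers back to the originating hop, the information a printed copy loses. The message, host names and IP addresses are constructed placeholders.

```python
import email
import re

# Constructed sample: a message claiming to come from an internal address,
# kept as an electronic copy so the Received: chain survives. All hosts and
# addresses are placeholders, not values from the real case.
SAMPLE_EML = """\
Received: from mail.example-corp.test (mail.example-corp.test [192.0.2.10])
\tby intranet.example-corp.test with ESMTP; Mon, 1 Jan 2001 10:00:02 +0000
Received: from dialup-17.isp.example (dialup-17.isp.example [198.51.100.17])
\tby mail.example-corp.test with SMTP; Mon, 1 Jan 2001 10:00:01 +0000
From: "A Director" <director@example-corp.test>
To: customers@example-corp.test
Subject: Important notice
Message-ID: <constructed-1@example-corp.test>

This message did not come from the person named in the From: line.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host>"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the hops recorded in Received: headers, oldest first.

    Each hop is (claimed_sending_host, ip_or_None, receiving_host). Mail
    servers prepend Received: as the message travels, so the last header in
    the file is the earliest hop, the one closest to the real sender."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return list(reversed(hops))


def origin_hop(raw):
    """The earliest hop: the address an ISP could map to a subscriber.

    Only hops recorded by servers you control are trustworthy; a sender can
    forge Received: lines below the first one your own server added."""
    chain = received_chain(raw)
    return chain[0] if chain else None
```

The From: line in the sample names an internal address, but the chain shows the message entering the company server from an ISP dial-up host, which is the detail investigators and a court order to the ISP depend on.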