I’m a web designer and I started using invoiceplane 1.5.5 on January 1st for my invoices.
I think it’s amazing and I started suggesting it to many friends of mine.
Now, after just two months, something very weird happened that I’d like to share with you all for an opinion.
One of my clients, instead of my invoice sent through Invoiceplane, received a fake one, where everything is the same except the IBAN code to pay to.
How did I discover that? After calling him for past-due payment, he gave me the wire transfer receipt. I was about to faint.
I immediately checked my Invoiceplane installation, the database, the template file (where I wrote the IBAN directly as html text within PHP) looking for something, an error. Found nothing.
I checked my email account, where Invoiceplane sends in bcc all the invoices I send to my clients. Fortunately the invoice attached to the e-mail was right, the IBAN was mine.
I tried to send the same invoice to my e-mail and to another account I manage through the Invoiceplane interface and everything was right. The PDFs were right.
(Invoiceplane is configured to send e-mails through the same SMTPS account of the website’s domain where it’s installed).
Yes, it’s what they call a “man in the mail” attack: my client paid the invoice to the wrong IBAN, the thief ran away and now we’re trying to get money back with the help of the bank, but probably we won’t succeed.
The question is: is it me or is it my client?
So far, it has happened with just one client. Some others have already paid on the right IBAN, but I did not have time to call them all to verify the code on all the invoices.
So, as the hours go by, I think that probably the problem is on my client’s computer: maybe someone else is really reading and changing his e-mails. Maybe he has a virus/worm… He said he uses Outlook on Windows… And he doesn’t even know what version…
But I changed all my involved passwords. I disabled the e-mail send function in Invoiceplane. Just to be more sure.
I asked my client to send me the wrong PDF and yes, I cannot see any difference between this and mine. Just the IBAN is different. The file size is different (mine 50kB - his 81kB). In the file info, I cannot see anything different. From my experience with the PDF format, I suppose that the great file size difference is caused by opening, modifying and then saving again the same file: surely it wasn’t created in one shot.
But something like this never happened to me, nor have I heard of it in the 10 years I have regularly sent almost all my invoices via e-mail.
The question is: is it a coincidence? Or did someone find a way to brute force my Invoiceplane installation?
What else could I check?
Remember, just two months using it.
I do not believe in coincidences.
Still can’t believe it…
What do you think?
Thanx for reading.
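As an added example (not from the original post and not InvoicePlane code), here is a small Python check for the "opened, modified and saved again" hypothesis above: it inspects the raw bytes of a PDF for incremental-update traces (extra `%%EOF` markers, a `/Prev` trailer entry) and for Producer/ModDate metadata that differs from the creation data. The two sample PDFs and the producer names are constructed placeholders; run it on the original and the received invoice to compare them.

```python
import re

# Constructed sample: a minimal PDF, and the same PDF with one incremental update
# appended, which is the trace an "open, edit, save" in a PDF editor typically leaves.
ORIGINAL_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Producer (Placeholder Invoice Generator) /CreationDate (D:20180110120000Z) >> endobj
xref
0 4
trailer << /Size 4 /Root 1 0 R /Info 3 0 R >>
startxref
200
%%EOF
"""
TAMPERED_PDF = ORIGINAL_PDF + b"""3 0 obj << /Producer (Placeholder PDF Editor) /CreationDate (D:20180110120000Z) /ModDate (D:20180220093000Z) >> endobj
xref
0 1
trailer << /Size 4 /Root 1 0 R /Info 3 0 R /Prev 200 >>
startxref
400
%%EOF
"""

def pdf_revision_info(data: bytes) -> dict:
    """Tamper-relevant facts from raw PDF bytes: how many %%EOF markers there are
    (each incremental save appends one), whether a trailer references a previous
    xref via /Prev, and Producer/CreationDate/ModDate from the last Info dictionary
    (the last one wins, because an incremental update overrides earlier objects)."""
    eofs = data.count(b"%%EOF")
    has_prev = b"/Prev" in data

    def last_value(key: bytes):
        hits = re.findall(rb"/" + key + rb"\s*\(([^)]*)\)", data)
        return hits[-1].decode("latin-1") if hits else None

    return {
        "eof_markers": eofs,
        "incremental_update": eofs > 1 or has_prev,
        "producer": last_value(b"Producer"),
        "created": last_value(b"CreationDate"),
        "modified": last_value(b"ModDate"),
    }

def looks_resaved(data: bytes) -> bool:
    """True when the file carries an incremental update or a ModDate that differs
    from CreationDate. A full rewrite by an editor leaves no incremental update,
    so also compare the Producer string against the one the original file shows."""
    info = pdf_revision_info(data)
    changed_date = info["modified"] is not None and info["modified"] != info["created"]
    return info["incremental_update"] or changed_date
```

The text of the invoice itself usually sits in compressed streams, so comparing the IBAN needs a text extractor (for example `pdftotext`) rather than a byte search; this script only answers whether the received file was re-saved after generation.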