Is my Invoiceplane under attack?


#1

Hi everyone.

I’m a web designer and I started using InvoicePlane 1.5.5 on January 1st for my invoices.
I think it’s amazing and I started suggesting it to many friends of mine.
Now, after just two months, something very weird happened that I’d like to share with you all for an opinion.

One of my clients, instead of my invoice sent through InvoicePlane, received a fake one where everything is the same except the IBAN code to pay to.
How did I discover that? After calling him about the past-due payment, he gave me the wire transfer receipt. I was about to faint. :flushed:

I immediately checked my InvoicePlane installation, the database and the template file (where I wrote the IBAN directly as HTML text within PHP), looking for something, an error. Found nothing. :sweat:
I checked my email account, where InvoicePlane sends in BCC all the invoices I send to my clients. Fortunately the invoice attached to the e-mail was right, the IBAN was mine.
I tried to send the same invoice to my e-mail and to another account I manage through the InvoicePlane interface and everything was right. The PDFs were right. :sweat_smile:
(InvoicePlane is configured to send e-mails through the same SMTPS account of the website’s domain where it’s installed.)

Yes, it’s what they call a “man in the mail” attack: my client paid the invoice to the wrong IBAN, the thief ran away and now we’re trying to get money back with the help of the bank, but probably we won’t succeed. :scream:

The question is: is it me or is it my client? :exploding_head:

So far, it has happened with just one client. Some others have already paid to the right IBAN, but I did not have time to call them all to verify the code on all the invoices.
So, as the hours go by, I think that probably the problem is on my client’s computer: maybe someone else is really reading and changing his e-mails. Maybe he has a virus/worm… He said he uses Outlook on Windows… And he doesn’t even know what version… :roll_eyes:
But I changed all my involved passwords. I disabled the e-mail send function in InvoicePlane. Just to be more sure. :nauseated_face:

I asked my client to send me the wrong PDF and yes, I cannot see any difference between this and mine. Just the IBAN is different. The file size is different (mine 50kB, his 81kB). In the file info, I cannot see anything different. From my experience with the PDF format, I suppose that the big file size difference is caused by opening, modifying and then saving the same file again: surely it wasn’t created in one shot. :face_with_monocle:

But something like this never happened to me, nor have I heard of it in the 10 years I have regularly sent almost all my invoices via e-mail.
The question is: is it a coincidence? Or has someone found a way to brute force my InvoicePlane installation?
What else could I check?
Remember, just two months using it. :astonished:
I do not believe in coincidences.
Still can’t believe it… :astonished:
:rage: :dizzy_face: :face_with_symbols_over_mouth:

What do you think? :disappointed:

Thanx for reading.

Cheope :hugs:


#2

Hi there!

First of all sorry for this trouble and I really hope that you will be able to solve this problem out with your bank.
About the “attack” itself: it sounds pretty much like there is a security hole or any other access to the infrastructure of the email server or the computer your client is using.

As you already said you checked your own emails as InvoicePlane sends them all as BCC for you. You stated that the email you got was correct.
So there are two options:

  1. the attack happened on the way from your email server to the email software your client is using. As you said: maybe a virus on the PC or maybe a security flaw on the server, who knows. Windows is not the most secure operating system out there.
  2. the attacker managed to get into your InvoicePlane instance and found a way to send the email twice: a correct version to you, to make it look like it’s correct, and a second one that is faked within the PDF file and that is sent to your client. Without any code changed this does not seem possible to me, and as you received other payments from your clients this must have been a one-time change.

To be honest, the second option seems a little bit too complicated. I mean, I don’t know the sum of the invoice but I don’t think that it’s hundreds of thousands of dollars, so it may be worth all the effort.

I would also keep a copy of the fake PDF and involve the police. It may be likely that the PDF contains meta information (at least it’s 30kb larger…) about the attacker.

Another tip would be to protect your invoice PDFs with a password you shared with your client in person. This would prevent an attacker from modifying the PDF files. At least I don’t know anything about easy methods to crack password-protected PDFs.

Just to be sure, please update your instance and overwrite all files except the uploads directory and your templates, as I don’t expect you changed the source code itself.
Version 1.5.7 1.5.8 is available. :slight_smile:

If you have any further questions please ask. And please keep me informed about this topic.


#3

Thank you very much for your reply.
I’ll follow your advice. :slightly_smiling_face:

The sum of the invoice has 3 zeroes. But I sent 10 other invoices with the wire transfer payment until now, so you can imagine why I’m worried. :disappointed_relieved:

Anyway, I don’t think that password protection of PDFs is an effective solution, because out there you can find tons of software tools or websites cracking PDF passwords for free. And surely someone who can steal money through e-mails is able to crack PDF passwords too. :sweat:

Thank you for your support. :hugs:
Keep updating.
Cheers

Cheope


#4

Hi cheope,
What horrible news. There must be header information in the second email that your client received with the wrong PDF.
I’m no expert, but he sent an email with the wrong PDF through the SMTP of that server. Check timestamps etc. There should be something in there…
Does your PDF have a background? Or just a logo?


#5

Hi, your message made me search for identical issues and I found an article in a Belgian newspaper about this kind of fraud:
See: https://www.tijd.be/nieuws/archief/Slim-virus-verandert-rekeningnummer-in-facturatiemails/9924299
Maybe your customer has the same issue as mentioned in this article. In September 2017 banks in the Netherlands started working on a name/IBAN check. I think this would solve this kind of problem (at least for the Netherlands).


#6

Thank you UnderDog and Benny54 for your support. :relieved:
The police are already investigating.
But I can’t give them the original e-mail sent by InvoicePlane to let them analyze the headers, and our ISP will take weeks to give me the SMTP log.
I just have the BCC e-mail. :cold_sweat:
Does InvoicePlane keep a log of sent e-mails? I can’t find it anywhere.

Thank you all

Cheope :hugs:


#7

Sorry to hear that.

Besides all that, I want to add that it is TOO EASY to edit a PDF document.

a) Somebody got the PDF (whoever hacked your customer’s email). Downloaded the PDF. Edited it with Word.
b) Did you have a chance to check his emails? I mean, is the wrong PDF in the email? Or is it on the computer?
If it is attached in the mail, then I don’t know how.


#8

@Cheope I’m sorry for the trouble you’re facing :frowning: It seems hackers find a new “trick” every day. Would it be convenient for you to ask the customers to always check the invoice URL and compare the contents with the contents of the PDF, especially the bank details? That way, even if the PDF is replaced with a malicious one, the URL would still show the correct bank accounts.

@Kovah would you consider OpenPGP feature request for encrypted emails? That would require a new field in client information, containing the client’s PGP key. If the field contains a valid key, then the email sent to the customer is encrypted using this key and only the customer can decrypt it.

I understand that this kind of encryption isn’t used by a lot of people… yet! But once it’s setup it’s almost trivial to use.


#9

@Aykut I totally agree. I think the 30 kb difference is an indication that the PDF file has been modified and overwritten.
And sure, hackers find a new “trick” every day. My InvoicePlane installation runs on HTTPS and the mail account I used to send invoices requires auth on SSL, port 465. I thought I did everything I could to make my system “safer”… but I was wrong and upset when I found on the web many tutorials on how to intercept and read in plain text encrypted HTTPS communications… :scream: I also discovered that SSL for SMTP is obsolete, so changing provider for the domain and the e-mails is a good option for sure. :unamused:

@Felix Yes, a solution could be to avoid the attachment and send just the URL of the PDF invoice. Anyway, if there’s a man in the middle (as the police think), he could show you whatever he wants, even a wrong URL.

A piece of “good” news is that my client let slip that something similar happened to him a few months ago :angry: with another supplier. The payment was not successful because the thieves’ bank account had already been closed. :roll_eyes:
No comment. :rage:
So the hypothesis that the problem is in his system becomes very probable. :grimacing:

Another update is that the very same thing happened to another company near my customer in November. Their IT technician blamed malware that could remote control one of their computers.
Weird coincidence, anyway. :thinking:

Is there a virus, or is someone sniffing the internet traffic in our area? We don’t know yet. The police are still investigating and suggest sending our invoices via PEC, a certified e-mail system we have in Italy, similar to what @Felix says.

My objection is that if someone controls your computer, he can show you whatever he wants, even on a certified e-mail downloaded by Outlook via POP3S. :face_with_raised_eyebrow:
But at least in that case the message would have legal value, because there is a third party that guarantees data integrity. So, if it happens again, it would be clear where the problem is and who has to pay. :relieved:

Thank you all
I’ll keep updating
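The reasoning in #2 and #9 (the fake is 30 kB larger, so it was probably opened, modified and saved again) can be checked rather than guessed. The script below is an added example, not part of the thread or of InvoicePlane: it looks for the traces that an editor leaves when it saves a PDF with an incremental update (a second cross-reference section with a /Prev pointer and a second %%EOF), and compares the Info dictionary’s creation and modification dates and producers. The two PDFs are constructed minimal files, not real invoices.

```python
import re

# Constructed minimal PDF standing in for an invoice generated in one shot:
# one body, one xref section, one trailer, one %%EOF. (Not real InvoicePlane output.)
ORIGINAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Example Invoice Generator) /CreationDate (D:20180301100000)\n"
    b"           /ModDate (D:20180301100000) >> endobj\n"
    b"xref\n0 4\n0000000000 65535 f \n"
    b"trailer << /Size 4 /Root 1 0 R /Info 3 0 R >>\n"
    b"startxref\n0\n%%EOF\n"
)

# Constructed "edited and saved again" version: an editor that uses incremental
# updates appends replacement objects, a new xref section and a trailer with
# /Prev, leaving the old body in place. That is why the file only ever grows.
EDITED_PDF = ORIGINAL_PDF + (
    b"3 0 obj << /Producer (Example PDF Editor) /CreationDate (D:20180301100000)\n"
    b"           /ModDate (D:20180305183000) >> endobj\n"
    b"xref\n0 1\n0000000000 65535 f \n"
    b"trailer << /Size 4 /Root 1 0 R /Info 3 0 R /Prev 0 >>\n"
    b"startxref\n500\n%%EOF\n"
)


def pdf_revision_report(data: bytes) -> dict:
    """Heuristics for 'opened, modified, saved again' versus 'generated once'."""
    eof_count = len(re.findall(rb"%%EOF", data))
    has_prev = re.search(rb"/Prev\s+\d+", data) is not None
    # Viewers show the last Info dictionary, so compare the last dates found.
    created = re.findall(rb"/CreationDate\s*\(D:(\d{14})", data)
    modified = re.findall(rb"/ModDate\s*\(D:(\d{14})", data)
    producers = re.findall(rb"/Producer\s*\(([^)]*)\)", data)
    dates_differ = bool(created and modified) and created[-1] != modified[-1]
    return {
        "revisions": eof_count,
        "incremental_update": has_prev or eof_count > 1,
        "dates_differ": dates_differ,
        "producers": [p.decode("latin-1") for p in producers],
        "suspicious": has_prev or eof_count > 1 or dates_differ,
    }
```

A single revision is not proof of authenticity, since some tools rewrite the whole file on save and strip the old metadata; the check only raises suspicion, it cannot clear a file. Text inside compressed content streams is not inspected here, so the IBAN itself still has to be compared by eye or with a PDF library.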


#10

@Cheope It is 100% a virus (or malware). What you can do is add a password to your file. It will be more secure and the virus can not touch it (I guess).

Even if you give the password in the same mail, it won’t be dangerous. That virus I’ve read about is just changing the IBAN number. So :slight_smile:


#11

Guys, I’m sorry to read that, it exposes us all, but there are tools to combat this or at least be a few steps ahead:

I think that a direct payment window should be opened on the same IP, so we could have (customer - quotes - invoices - payments) shown to the customer:

  • Create an account for customer payments to verify your invoice and the corresponding payment directly from the same portal, with a random token key generated by the same system and destined for that same payment to be executed.
  • Bar code on the same invoice and quote with security certificates that authenticate such files as genuine.
  • Key exchange, to open the file in the email with PGP encryption.

In pdf:

  • Watermark and signature
    - Restrict printing, editing and copying
    - Add a password to a PDF file
    - Restrict the editing of a PDF file

I hope this gives us better results.