Background
The Danish automotive company FDM contracts another company to handle invoice reminders. The IT setup behind the process raises concerns because of multiple security vulnerabilities, an unclear privacy policy and susceptibility to phishing.
As a security professional I do not consider this invoice reminder email legitimate, based on the fact that there is no clear and legitimate link between FDM and the elements of the email, which indicates a probable phishing attempt.
As a regular user I cannot assess whether this email is legitimate or not, and I am inclined to disregard it. If the email is a scam and my PC is compromised, I would attribute this to FDM's failure to devise a secure setup, thus losing trust in their services.
Contents
- 1 Business risks
- 2 Recommended actions for FDM
- 3 Investigation of issues
- 3.1 Question – How do I know if FakturaIT is related to FDM?
- 3.2 Answer – Still uncertain whether FakturaIT is legitimately related to FDM.
- 3.3 Question – How do I know if the signing domain is legitimate?
- 3.4 Answer – There is a clear indication that LALEREKO is related to FakturaIT.
- 3.5 Question – How do I know if the referenced link and domain are legitimate?
- 3.6 Answer – The referenced domain and link seem to be legitimately linked with FakturaIT, but the server hosting them needs serious improvements from a security point of view.
- 3.7 Personal data request – did they get back after 4 weeks?
- 4 Data Protection Authority complaint
- 5 Conclusion
Business risks
FDM customers are subject to the following risks:
- customer membership payment theft
- Impact – FDM customers can lose the money for their membership fee, and FDM's reputation can suffer, reducing the number of current or new memberships.
- Description – FDM customers can easily be tricked into sending their membership fee to a fraudulent account. This can be done either by compromising the servers delivering the emails or by mimicking the email flow and replacing the payment details with those of the attackers.
- customer endpoint compromise
- Impact – FDM customers can have their machines compromised, leading to potential exposure of the financial and sensitive personal data stored on their PC, a potential violation of their privacy, and a loss of trust in FDM as a service.
- Description – This can be done either by compromising the servers delivering the emails or by mimicking the email flow and replacing the PDF attachment with a malicious executable or injecting malicious content into the PDF.
FDM is subject to the following risks:
- FDM infrastructure compromise due to a vulnerable subcontractor
- Impact – online services offered by FDM can be interrupted or stopped due to a breach at FakturaIT. This depends on the setup, and further assessment is required.
- violation of the Data Protection Act / GDPR due to inadequate technical safeguards for protecting personal data and a lack of transparency about processor/sub-processor usage
- Impact – fines from the Data Protection Authority
- Description – as a data controller, it is FDM's responsibility to ensure that its data processors process data with adequate technical safeguards.
- decrease in customer support productivity
- Impact – increased customer support calls/tickets
- Description – the lack of professionalism and trustworthiness of the IT setup can generate operational overhead for FDM.
Recommended actions for FDM
- Vendor management – require FakturaIT and all other data processing subcontractors to have an adequate level of security. If the processors cannot comply within a reasonable amount of time, consider switching to a different processor or monitoring improvements through regular vulnerability scans.
- Transparency of processing – update the privacy policy with a list of the data processors that FDM relies on (including FakturaIT and Microsoft).
- Personal data requests – must include personal data handled by sub-processors as well. FDM should extend their process by collecting information from the systems handled by sub-processors.
- Email validity – format the email reminders to customers so that they look trustworthy and are easily associated with FDM. This can be done by a) including additional text in the email assuring the user of the true nature of the contact and pointing to FDM's privacy policy, and b) digitally signing emails so that recipients can verify them against a public key.
Investigation of issues
Two weeks after receiving a physical invoice for the FDM membership fee, I received an email that raised some suspicion.
The email has multiple indicators of a potential scam (phishing email): it looks unprofessional and lacks trustworthiness.
Description of the indicators:
- The sender domain is not related to FDM – how do I know if FakturaIT is related to FDM?
- The "Reply-To" is a no-reply address – as a user, I would press reply instead of forwarding this to the address mentioned in 5. This indicates a technical inability to set email headers properly, showing the work of an amateur scammer.
- The email is marked as valid because it is signed with a DKIM key, but the signing domain is related neither to the sender domain nor to FDM – how do I know if the signing domain is legitimate?
- The referenced link is related neither to the sender domain (FakturaIT) nor to FDM – how do I know if this is legitimate?
Digging deeper for the answers to the questions above leads to even more issues, this time of a more technical security and legal transparency nature.
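The header and link checks behind these indicators (sender domain, Reply-To, DKIM signing domain, link hosts) can be automated so that a mail gateway or an analyst triage script flags the same things a careful reader would. The script below is an added example, not code from this post or from FDM or FakturaIT; the message it parses is a constructed sample with placeholder domains, and the only assumption is that fdm.dk is the brand domain a membership reminder should be associated with.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (placeholder addresses and domains), built to
# reproduce the indicators discussed above; it is not the real reminder.
SAMPLE_EMAIL = """\
From: Invoice Reminder <noreply@invoicing-vendor.example>
Reply-To: noreply@invoicing-vendor.example
To: member@customer.example
Subject: Payment reminder
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tenant.onmicrosoft.example;
 s=selector1; h=from:to:subject; bh=c29tZWhhc2g=; b=c29tZXNpZw==
Content-Type: text/plain; charset=utf-8

Your invoice is available at
https://docs.delivery-host.example/pages/DeliverDocument.aspx?g=00000000-0000-0000-0000-000000000000&t=6
"""

NO_REPLY = re.compile(r"^(no[-_.]?reply|donotreply)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s<>\"']+")


def org_domain(host):
    """Two rightmost labels, e.g. 'mail.x.example' -> 'x.example'.
    A production implementation should consult the Public Suffix List."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text parts of a parsed message (single- or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess_reminder(raw, brand_domains):
    """Parse the message and return the header/link facts plus mismatch findings."""
    msg = message_from_string(raw)
    brands = {org_domain(b) for b in brand_domains}
    from_domain = address_domain(msg.get("From"))
    reply_to = parseaddr(msg.get("Reply-To") or "")[1].lower()

    # The d= tag names the domain whose key signed the message; DMARC-style
    # relaxed alignment requires its organisational domain to equal From's.
    dkim_domains = []
    for header in msg.get_all("DKIM-Signature", []):
        tag = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(header))
        if tag:
            dkim_domains.append(tag.group(1).lower())

    links = URL.findall(body_text(msg))
    findings = []
    if org_domain(from_domain) not in brands:
        findings.append(f"sender domain {from_domain} is not a known brand domain")
    if reply_to and NO_REPLY.match(reply_to.split("@")[0]):
        findings.append(f"Reply-To {reply_to} is a no-reply address")
    for d in dkim_domains:
        if org_domain(d) != org_domain(from_domain):
            findings.append(f"DKIM d={d} is not aligned with From domain {from_domain}")
    for link in links:
        host = urlparse(link).hostname or ""
        if org_domain(host) not in brands | {org_domain(from_domain)}:
            findings.append(f"link host {host} matches neither sender nor brand domain")
    return {"from_domain": from_domain, "reply_to": reply_to,
            "dkim_domains": dkim_domains, "links": links, "findings": findings}


if __name__ == "__main__":
    for line in assess_reminder(SAMPLE_EMAIL, {"fdm.dk"})["findings"]:
        print("-", line)
```

The alignment test mirrors DMARC's relaxed mode: the organisational domain of the DKIM d= tag must equal that of the From address, which is exactly where a tenant.onmicrosoft.com signing domain fails even when the signature itself verifies. Cryptographic verification of the signature is left to the receiving MTA; this script only compares what the headers claim against the brand the reader expects.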
Direction 1 – privacy policy
My natural tendency was to check FDM's privacy policy for a list of data processors. This led me to the following three links:
- https://fdm.dk/om-fdm/persondatapolitik
- https://fdm.dk/sites/default/files/inline-files/fdm_dataopbevaring.pdf
- https://fdm.dk/om-fdm/fdms-forretningsbetingelser#persondata
None of these includes a list of processors, indicating a failure from FDM to be transparent about the way they process customer data. The closest thing to it is a list of affiliates, but none of them seems close to FakturaIT.
Seeing that I could not get anything from public sources, I reached out to FDM to exercise my data privacy rights by requesting access to my data and to the recipients having access to it.
The answer came relatively fast, but for the list of processors I was pointed to the above-mentioned list of affiliates, which did not include any trace of FakturaIT.
The email reply was signed by fdmdk.onmicrosoft.com, indicating that FDM relies on Microsoft as a data processor for email. My personal data in the email hopped from Denmark to the USA, and this is something that FDM failed to mention in their privacy policy.
Direction 2 – public information
The second natural tendency was to investigate what FakturaIT is, using open source intelligence (i.e. public information).
- krak.dk – provides an open repository of companies registered in Denmark
- whois – some info; the telephone number, for instance, seems to match the Krak entry, but not the address
FakturaIT is a very small company delivering IT services related to financial data processing, such as invoices. It is ironic for an IT company processing financial information not to have a TLS certificate on its own website.
While trying to find the answer, I noticed how FDM failed to provide transparency about the way customer data is processed in countries outside the EU and possibly by companies that have inadequate technical safeguards for what they process.
Question – How do I know if the signing domain is legitimate?
The signing domain LALEREKO.onmicrosoft.com indicates that FakturaIT uses Microsoft as a sub-processor to send emails.
Emails seem to be going through Finland for processing.
LALEREKO seems to be the registered name of the company, as seen above on krak.dk (LALEREKO ApS).
Question – How do I know if the referenced link and domain are legitimate?
The domain doctransformer.dk seems related to FakturaIT based on Whois records and the description of the service on FakturaIT's website, but there is still no clear link between doctransformer.dk and FDM.
The referenced link, https://www.doctransformer.dk/pages/DeliverDocument.aspx?g=c0deaa77-f8d4-4b39-8185-73e80c161860&t=6, points to a PDF version of an FDM invoice. The invoice looks almost identical to the one received in the email, the only difference being in the payment details (a different account number).
PDF metadata reveals that the PDF was created using "StreamServe Communication Server 5.5.0 GA Build 1684". A quick Google search points to software acquired by another company back in 2010, and to an old forum post about a PDF created by the same software with the exact build/version above, indicating that doctransformer.dk relies on outdated technology, possibly out of support and susceptible to security vulnerabilities.
The PDF itself seemed harmless after executing it in a sandbox environment and checking its hash against known malware repositories.
The server hosting www.doctransformer.dk seems to have multiple high-severity vulnerabilities.
It is also horribly configured from an SSL certificate standpoint, getting a grade F on SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=www.doctransformer.dk&latest) and being subject to multiple critical SSL-related vulnerabilities.
Answer – The referenced domain and link seem to be legitimately linked with FakturaIT, but the server hosting them needs serious improvements from a security point of view.
It does not seem that this service has adequate security measures in place for processing personal / financial data.
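The two checks described in the preceding paragraphs, reading the producer string out of the PDF's Info dictionary and hashing the file for a reputation lookup, can be scripted without a PDF library, which is useful when an attachment should be inspected before any viewer touches it. This is an added example, not code from the post; the PDF it inspects is a constructed minimal file whose Producer value is the string quoted above, and the Creator, Title and CreationDate values are placeholders.

```python
import hashlib
import re

# Constructed minimal PDF, not the invoice from the post. The Producer value is
# the string quoted above; Creator, Title and CreationDate are placeholders.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (StreamServe Communication Server 5.5.0 GA Build 1684)\n"
    b"   /Creator (placeholder-app)\n"
    b"   /Title <FEFF0049006E0076006F006900630065>\n"
    b"   /CreationDate (D:20181015120000+02'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# One dictionary entry whose value is a literal (...) or a hex <...> string.
_ENTRY = re.compile(rb"/(\w+)\s*(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def _decode_literal(raw):
    # Undo the escapes that occur in metadata strings; nested parentheses and
    # octal escapes are not handled by this minimal reader.
    text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return text.decode("latin-1")


def _decode_hex(raw):
    data = bytes.fromhex(re.sub(rb"\s+", b"", raw).decode("ascii"))
    # A leading byte-order mark marks UTF-16 text; anything else is
    # PDFDocEncoding, approximated here by latin-1.
    if data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def extract_info(pdf_bytes):
    """Return the string entries of the Info dictionary, or {} if none is found.
    Only an uncompressed Info object is handled; metadata kept in an object
    stream or in XMP needs a real PDF parser."""
    ref = _INFO_REF.search(pdf_bytes)
    if not ref:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                    pdf_bytes, re.DOTALL)
    if not obj:
        return {}
    info = {}
    for key, literal, hexstr in _ENTRY.findall(obj.group(1)):
        info[key.decode("ascii")] = _decode_hex(hexstr) if hexstr else _decode_literal(literal)
    return info


def producer_version(producer):
    """First dotted version triple in a producer string, e.g. (5, 5, 0), or None."""
    m = _VERSION.search(producer or "")
    return tuple(int(x) for x in m.groups()) if m else None


def creation_year(info):
    """Year from a PDF date string 'D:YYYYMMDD...', or None."""
    m = re.match(r"D:(\d{4})", info.get("CreationDate", ""))
    return int(m.group(1)) if m else None


def sha256_hex(data):
    """Hex SHA-256 of the file, the value to look up in a malware repository."""
    return hashlib.sha256(data).hexdigest()


def triage(pdf_bytes, known_bad_hashes=frozenset()):
    """Facts an analyst wants before opening an attachment: producer, its
    version, creation year and whether the hash is on a supplied blocklist."""
    info = extract_info(pdf_bytes)
    digest = sha256_hex(pdf_bytes)
    return {
        "producer": info.get("Producer"),
        "version": producer_version(info.get("Producer")),
        "year": creation_year(info),
        "sha256": digest,
        "hash_known_bad": digest in known_bad_hashes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The producer and version are leads, not verdicts: a stale producer string says the generating server is running old software, which is the point made above, but it proves nothing about the PDF's own content, so the sandbox run and the hash lookup remain necessary. The blocklist is whatever hash feed you load into `known_bad_hashes`; with the empty default the lookup simply reports False.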
Personal data request – did they get back after 4 weeks?
After 3 weeks, I received the collection of personal data that FDM has on me, including screenshots from their CRM system as well as emails.
Going through my emails, I noticed that one year earlier I had received a similar invoice reminder by email.
The email had a link similar to the one above, showing that personal data and payment information are still available online at https://www.doctransformer.dk/pages/DeliverDocument.aspx?g=5ddb3761-5e78-49fd-aef5-c373ad7b310b&t=6
But FDM is probably not aware of this, because it was not included in the reply to the personal data request.
Data Protection Authority complaint
Everything above was communicated to FDM, which refused to give any details as to whether this would be addressed.
As a result, I also filed a complaint against FDM with Datatilsynet (the Danish data protection authority), where I noticed how the complaint process could be dramatically optimised (by up to 20%).
Conclusion
The Danish Data Protection Authority concluded that it did find a basis for expressing criticism of FDM for not having adequately fulfilled the obligation to inform the data subject.
It also found that Faktura IT was responsible for ensuring that personal data was not stored outside the EU/EØS and that personal data was not transferred to a third country without prior written acceptance from the data controller.
Another case where the data controller does not properly inform the data subject of where their data is, and where the data processor fails to implement adequate technical safeguards for personal data.
Note – information for this article was collected starting in October 2018. Because I filed a complaint against FDM with Datatilsynet, and to avoid compromising FDM in any way, I have not publicly disclosed anything related to the case. The article was not published until the current moment of writing, 02/12/2019 14:03 CET.