To Bcc or not to Bcc(Email Case)

(@phranquey)
Topic starter  

Hi All

I am an EnCE and have a strange case where my client is certain that his wife's lawyer is viewing his emails. I have been going through the email correspondence between them and there has been something quite curious about one particular email.

The lawyer sent him an email which he received but it was not his address she outwardly sent it to. Curiously the address is "myclient@Lawyersdomain.com". My client never noticed.

When checking the email headers the original-recipient is indeed my client's proper email address hence why he received it.

I am thinking that for some reason the lawyer did this and BCC'ed my client hoping he would not notice the difference in the email address. I am also thinking that she setup an address ("myclient@Lawyersdomain.com") on her domain to somehow capture his incoming and/or outgoing messages and in some way sending that email and perhaps receiving a reply from that email facilitated her escapade.

The problem is that I have absolutely no idea the logic behind this. I cannot think of any way how doing something so simple could cause or assist in a breach of this sort.

I also contacted Apple to see if they would provide the IP addresses of those that would have logged into my client's account (iCloud), but they said they do not log IP addresses (really?) for such logins.

Please if anyone has any ideas about the significance of that Blind Copy to my client please let me know.

Thanks in advance.

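The header check described in the post above (visible To: address versus the recipient actually recorded by the receiving mail server) can be automated. The following is an added example, not code from the original post or the forum; the domains, addresses, host names and the sample message are constructed for illustration.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample message (not from the thread). Hypothetical domains/addresses:
# the visible To: is an address on the sender's own domain, while the receiving
# MTA recorded the real mailbox as the SMTP envelope recipient.
SAMPLE_HIDDEN = """\
Delivered-To: client@example.net
Received: from mail.lawyersdomain.example (mail.lawyersdomain.example [192.0.2.10])
        by mx.example.net with ESMTPS id abc123
        for <client@example.net>; Mon, 03 Mar 2014 10:00:00 +0000
Original-Recipient: rfc822;client@example.net
From: Counsel <counsel@lawyersdomain.example>
To: myclient@lawyersdomain.example
Subject: Re: scheduling
Date: Mon, 03 Mar 2014 09:59:00 +0000
Message-ID: <1@lawyersdomain.example>

See attached.
"""

# Same constructed message, but with the real mailbox listed in To: (the ordinary case).
SAMPLE_LISTED = SAMPLE_HIDDEN.replace("To: myclient@lawyersdomain.example",
                                      "To: client@example.net")

# "for <addr>" clause that many MTAs write into the Received: header they add
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def _addrs(values):
    """Lower-cased bare addresses from a list of address-header values."""
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def visible_recipients(msg):
    """Recipients the reader sees: To: and Cc:. A Bcc recipient never appears here."""
    return _addrs(msg.get_all("To", []) + msg.get_all("Cc", []))


def envelope_recipients(msg):
    """Recipients the receiving MTA recorded from the SMTP RCPT TO command."""
    found = _addrs(msg.get_all("Delivered-To", [])
                   + msg.get_all("X-Original-To", [])
                   + msg.get_all("Envelope-To", []))
    for value in msg.get_all("Original-Recipient", []):
        # RFC 3464 form "rfc822;user@host": address type, then the address itself
        found.add(value.split(";", 1)[-1].strip().lower())
    for value in msg.get_all("Received", []):
        match = FOR_RE.search(value)
        if match:
            found.add(match.group(1).lower())
    return found


def classify_delivery(raw):
    """Compare visible and envelope recipients and say how the message arrived."""
    msg = email.message_from_string(raw)
    visible = visible_recipients(msg)
    envelope = envelope_recipients(msg)
    hidden = envelope - visible
    if not envelope:
        verdict = "no envelope trace in headers"
    elif hidden:
        verdict = "hidden recipient (Bcc, alias or forward)"
    else:
        verdict = "listed recipient"
    return {"visible": sorted(visible), "envelope": sorted(envelope),
            "hidden": sorted(hidden), "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("hidden", SAMPLE_HIDDEN), ("listed", SAMPLE_LISTED)):
        print(name, classify_delivery(raw))
```

Two caveats for using this on a real mailbox: the envelope headers (Delivered-To, Original-Recipient, the "for" clause) are written by the recipient's own mail server, so only the copies it added are trustworthy, and they record only that the real mailbox was an SMTP recipient. That is consistent with a Bcc, with an alias or forward on the sender's side, and with To: and Bcc: simply having been swapped by mistake; the headers alone cannot tell these apart.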
(@wquant)
 

Maybe I misunderstood, but you did not elaborate on why your client is suspicious that his emails are being viewed. It seems unlikely that a lawyer would engage in unlawful surveillance of the opposing party – do they charge extra for that? LOL. The lawyer gets paid win or lose, and they have no motivation to risk everything for just another divorce case. Perhaps I am naive – though I know IT and security, I am new to forensics.

To me it seems more likely that the lawyer is using a system to manage client and opposing counsel/party communication and the 'to' line is just an alias used by that system/process. This is speculation of course, but seems to be a possible explanation.

Like you, I see very limited ways this could cause a breach, and mostly in a sort of social engineering. Perhaps your client using 'reply all' and then not properly attending to the address line. Maybe, in a stretch, they could hope to collect info by the not being forwarded around or an unknowing person mistakenly using that email. Seems very far fetched.

I would say get your client on and using two-factor auth for their mail service (e.g. Gmail) if they are that concerned about it. His soon-to-be ex might have dropped a keylogger on him somewhere and keeps getting new passwords.

jaclaz (@jaclaz)
 

Maybe it is just a "plain" use of a Carbon Copy.

I mean, it would be normal if a lawyer has set up in his/her study an e-mail client/server (or *whatever*) that sends a copy of all correspondence from/to a given client (or related to a given case) to a given storage space/media.

I guess that using a BCC would be a convenient simple way to have this without particular setups.

The "myclient@Lawyersdomain.com" would then become a "storage only" mailbox where e-mails sent by the lawyer to the parties and their replies (unless they edit/remove the BCC field) are stored.

It is possible that something got "mixed up", like inverting by mistake the main "send to" field with the "BCC to".

jaclaz

(@phranquey)
Topic starter  

Thanks for your replies!

> Maybe I misunderstood, but you did not elaborate on why your client is suspicious that his emails are being viewed. It seems unlikely that a lawyer would engage in unlawful surveillance of the opposing party – do they charge extra for that? LOL. The lawyer gets paid win or lose, and they have no motivation to risk everything for just another divorce case. Perhaps I am naive – though I know IT and security, I am new to forensics.

Suspicion arose after my client noticed his ex using some terms in court that only certain people would know (that she was not privy to). He also sent some emails to the "myclient@lawyersdomain" address and since then the site was abruptly taken offline. He also recently received a tip from inside the opposing legal party that indeed some inappropriate business has been going on.

> The "myclient@Lawyersdomain.com" would then become a "storage only" mailbox where e-mails sent by the lawyer to the parties and their replies (unless they edit/remove the BCC field) are stored.
>
> It is possible that something got "mixed up", like inverting by mistake the main "send to" field with the "BCC to".

Yes, I have thought of this and you could be right, but due to the recent supposed confirmation of suspicion I am wondering if there isn't something more to this. The reaction alone after my client sent the emails seems to warrant further investigation. Emails never bounced back, nor did anyone reply to them. They definitely went somewhere, since I found out their mail server has "catch-all" enabled (disabled by default), which would forward any email to address@lawyersdomain.com, whether right or wrong, to a default address.

All in all we seem to have a fairly good idea that something underhanded has gone on. All that is left to do is prove it.

jaclaz (@jaclaz)
 

> All in all we seem to have a fairly good idea that something underhanded has gone on. All that is left to do is prove it.

Well, with all due respect :) , what you have right now are some suspicions, some hearsay and little more, which does not mean that there definitely was no "foul play", but that it may be completely unconnected to the BCC thingie.

As well, it is perfectly "normal" for any "owner" of a domain to have a catch-all enabled, as this is the way to also receive important e-mails where the sender mis-spelled the first part of the e-mail addy; nothing IMHO "suspect" in this.

As an example let's say - hypothetically - that a keylogger or other forms of recorders (audio/video) were "installed" or "placed" at your client's home; that - as well as a number of alternative possibilities, including the "cleaning lady hack" 😯
http://reboot.pro/topic/12367-how-to-prevent-cleaning-lady-hacks/
- would explain how this "reserved information" reached the other party.

jaclaz

(@phranquey)
Topic starter  

LOL @ cleaning lady hack. Yes, I do recognize and appreciate that it could be completely unrelated to the BCC. It could be a completely legitimate exercise that was being done, and the mistake made by inverting addresses raised suspicions of a real threat. It could be a tiny thread that, when pulled, leads to the uncovering of a much bigger deal.

Or not.

I just wanted to make sure that there was not a technique unknown to me that somehow incorporated this type of scenario.

Beyond the BCC, we do feel that the tip is credible for reasons I can't explain here, and therefore it warrants some digging.

Thanks for all your comments!

(@wquant)
 

Occam's razor says it is a keylogger. They are easy to get, easy to place. It has probably been there from before it all started. It may be why he is getting a divorce.

Have your client send a note to his lawyer like this:

"I forget that I stuffed away about $10,000 in a Chase bank account (#1234 432) that my wife does not know about. I was saving for a gift for her, (expletive). Should I tell her about that at this point?"

See if this fake bank account all of a sudden comes up in a request for discovery.

Obviously run that by the lawyer first – that may or may not be a good idea legally. No question that it has great potential for entertainment value.
