report(kittle): IC3 BEC/ACH-fraud complaint package

Consolidated FBI IC3 report for the Kittle payment-redirection fraud: victim/payer info,
fraudulent mule accounts (Truist 053201607/1410020505238; Foam Factory First State + Chase),
targeted City of Tucson payments (Inv #31400 ~$8,818 6/9 EFT; Inv #31468 $123,776.75),
attacker IPs/domains/phone, full timeline, and evidence inventory. Evidence package assembled
in Downloads/Kittle-IC3-Package (report + 2 ACH form PDFs + recovered emails + 171-event audit CSV).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 07:52:24 -07:00
parent ce8401a093
commit c5a7c15cff

@@ -0,0 +1,92 @@
# FBI IC3 Complaint Package — BEC / ACH Payment-Redirection Fraud
> Prepared by Arizona Computer Guru (ACG) for Kittle Design & Construction LLC
> Incident date: 2026-06-08 to 2026-06-09 (UTC) · Package date: 2026-06-09
> Submit at: https://www.ic3.gov · Complaint type: Business Email Compromise (BEC) / EAC — Wire/ACH fraud
---
## 1. VICTIM INFORMATION
**Primary victim (compromised business):**
- Kittle Design & Construction LLC — Tucson, Arizona
- Domain / M365 tenant: kittlearizona.com (tenant ID 3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
- EIN on the fraudulent form: 86-0942406 (purported Kittle EIN — verify; attacker likely copied the real EIN)
- Point of contact: Ken Schagel (owner), ken@kittlearizona.com, cell 520-310-1525
- Compromised mailboxes: Ken@kittlearizona.com (entry point, Global Admin), Accounting@kittlearizona.com (finance — accessed via Ken's delegate rights)
**Intended payer targeted by the fraud:**
- City of Tucson, Business Services Department (BSD) — Accounts Payable
- Finance contact in the fraud thread: Randi Arnett, Finance Manager (Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov
- Other City staff CC'd by the attacker: Monica Barcenas, Angelica Favela, Alexa Johnson, Katharine Mitchell; Buyer: Casey Adams (Casey.Adams@tucsonaz.gov)
**Reporting party / IT provider:** Arizona Computer Guru (Managed Service Provider). Contact: Mike Swanson.
## 2. FINANCIAL TRANSACTION INFORMATION
**Nature:** Attacker submitted a fraudulent ACH/EFT banking-change ("BSD ACH Application", "Change" box) to the City of Tucson, impersonating Kittle's bookkeeper, to redirect Kittle's incoming City payments to attacker-controlled accounts.
**Targeted / exposed payments (City of Tucson → Kittle, EFT):**
- Invoice #31400 — KDC Job #5700.25B, "COT Knights Inn — Fire Suppression" (PO-007291); City indicated EFT processing **2026-06-09**. Approx. amount referenced in thread: ~$8,818.00 (confirm with City).
- Invoice #31468 — Job #5654.25, "MMC Generator Upgrade" — **$123,776.75**.
- NOTE: an approved ACH banking change would redirect ALL future City-of-Tucson payments to Kittle, so exposure is not limited to a single invoice.
**Fraudulent receiving (mule) accounts:**
| # | Bank | Routing/ABA | Account # | Name on account | Source |
|---|---|---|---|---|---|
| 1 (submitted to City) | **Truist Bank** | **053201607** | **1410020505238** | "Kittle Design & Construction" | BSD ACH Application form attached to the attacker's 2026-06-08 email |
| 2 (second form in mailbox) | First State Bank (Eastpoint, MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED | ACH-FoamFactory.pdf found in Ken's mailbox |
| 2b | JPMorgan Chase Bank, N.A. (New York, NY) | 021000021 (wire) / 072000326 (ACH); SWIFT CHASUS33 | 2906183268 | FOAM FACTORY INCORPORATED | same form |
**Attacker contact phone on the fraudulent form:** (659) 221-9243
**Loss status:** Redirect ATTEMPTED. Detected by ACG before confirmation of any completed transfer. Kittle is verifying with the City of Tucson and their bank whether any change was processed. Actual completed loss: to be confirmed (likely prevented if caught in time); attempted/exposed amount as above.
## 3. SUBJECT (PERPETRATOR) INFORMATION
**IP addresses used:**
| IP | Use | Geolocation | ASN |
|---|---|---|---|
| 64.44.131.168 | OWA access to Ken + Accounting mailboxes; sent the fraudulent ACH emails; deleted evidence | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) |
| 40.126.41.96 | Contact harvesting via python-httpx | Microsoft Azure | Microsoft Corp |
| 45.134.224.220 | Bulk phishing send (1,000 emails) | Kansas City, MO | AS147049 PacketHub S.A. (hosting) |
**Impersonation infrastructure:**
- `Accounting.kittlearizona@gmx.com` — GMX free account impersonating Kittle's Accounting dept (inserted into the City invoice thread starting 2026-06-05)
- `tucsonoz.com` — lookalike domain of the City's `tucsonaz.gov` (e.g. randi.arnett@tucsonoz.com)
- Attacker tooling: python-httpx/0.28.1 using an OAuth token for the Microsoft Desktop app (`d3590ed6-52b3-4102-aeff-aad2292ab01c`)
## 4. INCIDENT NARRATIVE
On 2026-06-08, an external attacker compromised the Microsoft 365 account of Ken Schagel (owner / Global Administrator) of Kittle Design & Construction LLC, accessing it via Outlook on the Web from IP 64.44.131.168 beginning 13:24 UTC. Ken's account held standing FullAccess (delegate) permission to the company's Accounting (finance) mailbox (a legitimate permission Ken granted himself on 2026-05-15, ~3 weeks before the incident). The attacker used that delegate access to enter the Accounting mailbox.
From the Accounting mailbox, the attacker — impersonating Kittle's bookkeeper ("Darline Cabrera") — submitted a fraudulent ACH/EFT banking-change form to the City of Tucson's Accounts Payable, attempting to redirect Kittle's incoming City payments (including Invoice #31400, EFT scheduled 2026-06-09) to a Truist Bank account they controlled. The attacker had pre-positioned by inserting a GMX lookalike address (Accounting.kittlearizona@gmx.com) into the legitimate Kittle↔City invoice thread as early as 2026-06-05. The attacker hard-deleted the EFT and invoice emails from both Ken's and Accounting's mailboxes to conceal the activity (recovered by ACG from the audit-log dumpster).
Separately/concurrently, the attacker harvested contacts (18:3618:53 UTC) and sent ~1,000 phishing emails ("Ken Schagel shared a file with you") from 45.134.224.220 between 21:1421:26 UTC (747 delivered). ACG detected the incident ~21:30 UTC and performed containment/remediation. The payment-redirection fraud was identified by ACG on 2026-06-09 via mailbox-audit and message-trace analysis.
## 5. TIMELINE (UTC)
- 2026-06-05 ~11:52 — Attacker (via Accounting.kittlearizona@gmx.com) inserts into the Kittle↔City invoice thread.
- 2026-06-08 13:24 — First attacker OWA login to Ken's account (64.44.131.168).
- 2026-06-08 14:5121:09 — Attacker accesses Accounting mailbox as delegate (21 access events); reads Inbox\Customers, Assured Partners, Employees, Sent, Deleted.
- 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 — Attacker sends "EFT UPDATE" / ACH-change emails on behalf of Accounting@ to Randi Arnett (City of Tucson); hard-deletes the thread after each.
- 2026-06-08 18:3618:53 — Contact harvest (python-httpx, 40.126.41.96).
- 2026-06-08 21:1421:26 — 1,000-recipient phishing blast (45.134.224.220).
- 2026-06-08 ~21:30 — ACG detects, begins containment.
- 2026-06-09 — ACG identifies the ACH payment-redirection fraud; password resets; client notified; this package prepared.
## 6. EVIDENCE INVENTORY (preserved by ACG)
- `Downloads/kittle-bec-attachments/FRAUD_BSD_ACH_APPLICATION.pdf` — the fraudulent ACH change form submitted to the City (shows Truist 053201607 / 1410020505238).
- `Downloads/kittle-bec-attachments/Ken_ACH-FoamFactory.pdf` — second ACH form (Foam Factory Inc accounts).
- Recovered email thread (EFT UPDATE / ACH, Accounting@ ↔ Randi Arnett) — recovered from the M365 Recoverable Items dumpster via Graph (the attacker hard-deleted the originals).
- Microsoft 365 Unified Audit Log: MailItemsAccessed (delegate, IP 64.44.131.168), SendOnBehalf, SoftDelete/HardDelete events for Accounting@ and Ken@ — exportable on request.
- Message trace confirming delivery of the fraud emails and the original recalled message.
- Prior incident report: `clients/kittle/reports/2026-06-08-breach-check.md` (full BEC remediation, phishing campaign, inbox rules).
## 7. ACTIONS TAKEN BY ACG / VICTIM
- Compromised accounts' sessions revoked; passwords reset (Ken's password changed in person 2026-06-09).
- Malicious inbox rules removed; mailbox forwarding, transport rules, and delegate access re-verified clean (2026-06-09).
- Kittle contacting City of Tucson AP (by phone) to halt/verify the ACH change and confirm the June 9 EFT routes to Kittle's verified account; Kittle contacting their bank.
- Client advised to file this IC3 complaint and notify Truist / First State Bank / JPMorgan Chase fraud departments to freeze the receiving accounts.
---
*Package compiled from M365 unified audit log, message trace, and recovered mailbox evidence. Dollar amounts to be confirmed with the City of Tucson. ACG can provide raw audit-log exports and the recovered emails/attachments on request.*
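Review bot: the time ranges in the narrative (section 4) and the timeline (section 5) have lost their range separators and read as single malformed timestamps, e.g. `18:3618:53 UTC`, `21:1421:26 UTC` and `2026-06-08 14:5121:09`; these should be written as `18:36–18:53`, `21:14–21:26` and `14:51–21:09` before the package goes to IC3, since an investigator reading the timeline cannot tell where one time ends and the next begins. Two smaller points in the same file: the EIN line in section 1 still carries an inline "verify" instruction ("86-0942406 (purported Kittle EIN — verify; ...)"), which should be resolved or moved to the closing notes rather than left in the victim-information block of a submitted complaint; and the file commits a victim's cell number, a tenant ID and full bank routing/account numbers into the repository, so confirm that this repo's access controls are appropriate for third-party PII and banking data, or keep the package in the evidence folder referenced in the commit message and link to it from here.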