Attackers are often motivated by money, and the focus of their operations is the cash flow that funds them. One attack method that receives significant attention is social engineering, and phishing in particular. Whether the attack is active or passive, the effects can be substantially costly, both in direct losses and in the hours spent remediating the issue. A variant of this is spear phishing, a targeted phishing attack. A very profitable version of it targets the finance or accounting office staff, as that area controls the cash and vendor payments.
To initiate the fraud, the attackers have to make contact with the staff members. This contact is generally an email from someone apparently in a senior position (e.g. the CEO or CFO) that directs the accounting or finance staff member to wire a specific amount of funds to a bank, which happens to be a different bank and account number, often in a different country. As an alternative, the attackers may fraudulently claim to be a vendor. These attacks have been named the executive wire scam (EWS) and business email compromise (BEC).
Recent Successful Attack
Prior attacks have grossed the attacker anywhere from a few hundred dollars to tens of thousands of dollars. An exemplary incident occurred in April 2017, with a significant pay day for the attackers. Southern Oregon University disclosed that it had been the victim of this attack, a massive fraud against the educational entity. The attackers, pretending to be Andersen Construction, sent an invoice from an email account that appeared correct, and the payment was wired to the account specified.
This account was not Andersen Construction’s account. The attackers had done their reconnaissance of the University’s current situation, noting that Andersen Construction had been contracted to construct the University’s McNeal Pavilion and Student Resource Center. Fortunately for the University, a portion of the funds may be recovered.
Training, Training, Training
Although this is not the optimal situation for the University, it does provide a great opportunity for training, and the teachable moment applies to any business. When a staff member receives one of these requests, they should verify the request directly with the C-level executive or manager. Defeating this attack requires only a simple call or email. The email, however, would need to be a newly created email, not a reply to the request. Also, if there are significant or odd changes, such as a new bank, a new bank account number, or a new bank in a different country, the transaction should be verified with the appropriate parties.
The email itself should also be reviewed. When there are grammar and/or spelling errors, there generally is a problem. Common sense should be applied in these circumstances. This and other successful attacks may all be used for training and to improve the business’s security stance.
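One way to turn the checks above into a pre-payment control, as an added example that is not from the original post: the request is compared against the vendor master record on file, and any callback uses the phone number on file rather than one supplied in the email. The vendor record, domain, account numbers and phone number are constructed placeholders.

```python
# Added example (not from the original post): a pre-payment review that
# implements the verification steps described above. All vendor data and
# the incoming request are constructed sample values, not real accounts.
from dataclasses import dataclass

# Constructed vendor master file: the bank details and callback number on
# record BEFORE the email arrived. Verification must use these, never the
# contact details supplied in the request itself.
VENDOR_MASTER = {
    "andersen construction": {
        "domain": "example-vendor.com",      # placeholder domain
        "account": "111222333",              # placeholder account on file
        "country": "US",
        "callback_phone": "+1-555-0100",     # placeholder number on file
    },
}

@dataclass
class WireRequest:
    vendor: str
    from_addr: str
    reply_to: str
    account: str
    country: str
    amount: float

def review_wire_request(req: WireRequest, master=VENDOR_MASTER) -> dict:
    """Return hold decision, the reasons, and the on-file number to call back."""
    flags = []
    record = master.get(req.vendor.lower())
    if record is None:
        flags.append("unknown vendor: no master record")
        return {"hold": True, "flags": flags, "callback_phone": None}
    sender_domain = req.from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = req.reply_to.rsplit("@", 1)[-1].lower()
    if sender_domain != record["domain"]:
        flags.append(f"sender domain {sender_domain} differs from domain on file")
    if reply_domain != sender_domain:
        # A reply would go somewhere else: start a new email, never reply.
        flags.append("Reply-To differs from sender; do not reply, send a new email")
    if req.account != record["account"]:
        flags.append("bank account differs from account on file")
    if req.country != record["country"]:
        flags.append(f"bank country {req.country} differs from {record['country']} on file")
    return {"hold": bool(flags), "flags": flags, "callback_phone": record["callback_phone"]}
```

Any flagged request is held until the vendor confirms the change over the phone number on file, and a clean match still goes through the normal approval path.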
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.