All of us have seen the headlines over the last several months about phishing attacks and hacking incidents that led to stolen data, email released to WikiLeaks, businesses held hostage by ransomware, and other breaches.
So I wanted to touch on some things that we may not think about after reading these articles.
These attacks are no longer the work of the bored but talented teenager living in his parents' basement. On the contrary, they are being developed by career criminals and nation states that wish to generate cash, or perhaps cause chaos or disruption for the target.
Case in point: The Ransomware Issue
These are targeted attacks against an organization. They typically use a phishing email or spoofed message to get malware onto a machine inside your network, which then encrypts your data and holds it hostage. Without a good backup kept offline, most victims attempt to pay the ransom and may or may not get their data back intact. More often than not a victim who pays is not made whole, although some of the data may be recovered.
However, there are more insidious and clever attacks being deployed. A great example is the "wire transfer fraud" attack. We have seen this on a number of occasions, and I know of significant losses to area businesses due to this attack. It is far more complex than one would imagine at first glance.
Social Engineering an Exploit
It begins with a CFO or bookkeeper receiving an email from what they believe to be their CEO or the owner of the company. The email asks the CFO or bookkeeper to wire substantial funds immediately. Typically the request is for something like $100,000.00 to be wired to a specific entity.
In this case, the bookkeeper replied to the email requesting more information. The "owner" provided it, and the bookkeeper sent the wire transfer out. Neither the bank nor the bookkeeper questioned the transaction, and the money was gone. POOF! $25,000 USD was gone.
The CEO then returned to work the following week to discover the transaction, along with the fraudulent email. But how could this be? They are using Microsoft Office 365, so how could this happen?
How It Happened
- In every case we have seen, the person supposedly requesting the wire transfer was out of the office at the time the email request was made. There are only two logical conclusions as to how the perpetrators had this knowledge. Either they harvested the information from social media accounts such as LinkedIn or Facebook, or from the company website, which may have noted in a blog post that the CEO/Owner was attending or conducting a meeting out of town; or they placed a direct call to the company asking to speak with the CEO/Owner. (The latter was actually confirmed during one investigation. The caller was told that the CEO/Owner was not in the office and would not return for three weeks. In another instance, the malicious party was unable to confirm the CEO/Owner's absence but was able to confirm a name: they may have asked for John Smith, and the receptionist replied, "Jack is not in today." That did not directly reveal the CEO/Owner's schedule, but it gave them valuable information for spoofing an email to the staff.)
- The felons now have the key information needed to create the original email they send to the CFO/Bookkeeper: the CEO/Owner's common name, and the fact that they are not in the office and won't be for at least several days. Then they create an email spoof. They did not hack into the CEO/Owner's email account, but rather crafted a very believable spoof of it. A spoof of this kind typically puts the executive's name in the From display name while the underlying address is an outside mailbox or a lookalike domain, which is why a mail service such as Office 365 does not stop it: the message is not from the real account at all. They then send this email to the CFO/Bookkeeper, and that gets the ball rolling.
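The checks a practitioner would want to automate against this kind of spoof, as an added example that is not code from the original post: parse the message headers, compare the From display name against a directory of known executives, flag a sender domain that is a near-match of the company's own, flag a Reply-To that points somewhere other than the From domain, and flag urgent wire-request wording in the body. The company domain `example-co.com`, the executive directory, the three sample messages and the edit-distance threshold are all constructed assumptions for the demonstration.

```python
"""Heuristic checks for CEO-impersonation ("wire transfer fraud") emails.

Added example; not from the original post. The domain, the executive
directory and the sample messages below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"                              # assumed
EXECUTIVES = {"jack smith": "jack.smith@example-co.com"}       # assumed directory


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a, b):
    """Plain edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, target=COMPANY_DOMAIN, max_dist=2):
    """True if `domain` is not `target` but imitates it (examp1e-co.com,
    example-co.com.evil.net, ...). max_dist is an assumed threshold."""
    if not domain or domain == target:
        return False
    return target in domain or _levenshtein(domain, target) <= max_dist


def assess(raw_message):
    """Return a list of finding codes for one RFC 822 message, in check order."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display name matches an executive but the real address does not.
    key = display.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("display-name-mismatch")

    # 2. Sender domain is a near-copy of our own.
    from_dom = _domain(addr)
    if lookalike_domain(from_dom):
        findings.append("lookalike-domain")

    # 3. Replies are silently routed to a different domain than the sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. Urgent wire-transfer language in the body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\bwire\b", body, re.I) and \
            re.search(r"\b(urgent(ly)?|immediately|today)\b", body, re.I):
        findings.append("urgent-wire-wording")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_FREEMAIL = """From: Jack Smith <jack.smith.ceo@gmail.com>
Reply-To: Jack Smith <jack.smith.ceo@outlook.com>
To: bookkeeper@example-co.com
Subject: Urgent wire

I'm in meetings all week. Please wire $100,000 today to the account below and confirm by email.
"""

LOOKALIKE_DOMAIN = """From: Jack Smith <jack.smith@examp1e-co.com>
To: bookkeeper@example-co.com
Subject: Payment

Need a wire sent immediately, details to follow.
"""

LEGITIMATE = """From: Jack Smith <jack.smith@example-co.com>
To: bookkeeper@example-co.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_FREEMAIL),
                         ("lookalike", LOOKALIKE_DOMAIN),
                         ("legit", LEGITIMATE)]:
        print(name, assess(sample))
```

None of these checks proves a message is fraudulent, and a clean result proves nothing either (a genuinely compromised account passes all four); they are triage signals meant to route a wire request to the out-of-band confirmation described further down, not a substitute for it.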
There were many points during this attack at which the damage could have been stopped, causing the attack to fail and sending the perpetrators on to the next victim.
- Be careful about what is posted on social media. This information is now combined with other information and used as a potential window for attack.
- If you are the CFO/Bookkeeper, or otherwise receive a request by email for anything of value or importance, confirm it by any means other than replying to the original email. Make a phone call to that person at a number you already know. If you reply to that email, you are now corresponding with the felons. Remember that next time the target may not be cash; it may be intellectual property, such as a new product drawing or other valuable corporate information.
- If you receive a request of this type by any means (email, written letter, voicemail message), first ask yourself the following: Has this happened before? Is it highly unusual? Does the language sound like my CEO/Owner? Were there spelling errors in the correspondence? If anything is odd or unusual, take a step back, question the correspondence, and demand direct confirmation.
- Ensure that there are proper checks and balances in place at your organization. Do not set up one individual with banking privileges that allow them both to create and to approve a wire transfer. Split that authority between two separate people: one who can create the transaction and another who can approve it.
We must all become hyper-vigilant in our connected society, because we all have a tendency to trust. Understanding the nature of our modern world, with its complex and multi-layered connections, is key to protecting yourself and your company. Be aware that there are teams and groups of hackers, felons and other evildoers who are now making a business out of attacking the general business community.
If you are a business owner or leader, make sure your people are aware of these kinds of complex issues. Remember that in an attack like this, the CFO/Bookkeeper is simply trying to please and accommodate the CEO/Owner. As an owner, discuss this with them and make sure you empower your people to make good decisions, including the decision to slow down and verify a request that appears to come from you.