No matter how smart the IT security team is, sometimes a little thing gets overlooked that costs an enterprise a lot of money.
That’s what happened to an unnamed company last year, which lost a big chunk of change in a wire fraud scam despite ample checks and balances designed to prevent exactly that.
According to the recently released Verizon Data Breach Digest, protocol at the firm called for an accountant to email an invoice requesting a wire transfer to a C-level exec, who had to approve the customer, bank account information and invoice amount. The accountant then forwards the email approval and other documents to the wire transfers department, which reviews the information for accuracy and processes the transfer.
But in one case the exec never saw or approved the transfer, yet the OK was given and the money was sent.
How did the criminal fake the approval?
Through a spear phishing attack on the email of one of the accountants. A message from someone claiming to have paid a “late invoice” went to the staffer, who was asked to click a link and provide email domain credentials to authenticate and review the payment receipt. “Apparently,” Verizon found, “the accountant provided his email account credentials and then forgot to follow up on the fact that he didn’t receive the payment receipt.”
The criminal then used the accountant’s credentials to log into his email account and study the company’s wire transfer approval process by searching through emails. Using previously sent invoices and tax forms as templates, the criminal created fake versions for the fraudulent wire transfers, then fabricated an approval email chain.
The company’s URL filtering tool should have blocked the link in the spear phishing attack — and it would have, had the accountant been working in the office when he got the email. However, he was working from home that day on his personal network.
The lessons from this incident include not only security awareness training but also requiring two-factor authentication for access to email, requiring secondary authorization for wire transfers over a certain amount, requiring virtual private network (VPN) access for those reaching the corporate network from outside the office, and prepending a marker (e.g., “Subject: [External] … ”) to the subject line of externally originated emails.
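The subject-line marker in that list, as an added illustration (my code, not Verizon’s or the affected company’s): a minimal inbound-mail rule that tags any message whose From address is outside an assumed corporate domain, example.com, judging by the address rather than the display name so a spoofed name is still tagged, and never double-tagging a subject that already carries the marker.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed corporate domain for this added example; the article does not name the company.
INTERNAL_DOMAIN = "example.com"
MARKER = "[External]"


def sender_domain(msg):
    """Lower-cased domain of the address in the From header (display name ignored)."""
    _, addr = parseaddr(msg.get("From", "") or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg, internal_domain=INTERNAL_DOMAIN):
    """External means the From address is neither the corporate domain nor a subdomain of it.

    The display name is deliberately not consulted: a spoofed "Jane Exec" <x@attacker.invalid>
    must still be tagged. A missing or malformed From address is treated as external.
    """
    domain = sender_domain(msg)
    return not (domain == internal_domain or domain.endswith("." + internal_domain))


def tag_subject(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the subject the mailbox will show: marked if external, unchanged otherwise."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    if is_external(msg, internal_domain) and not subject.startswith(MARKER):
        del msg["Subject"]
        msg["Subject"] = f"{MARKER} {subject}"
    return str(msg["Subject"])


# Constructed sample messages for this example (not taken from the report).
PHISH = ("From: Billing <pay@attacker.invalid>\r\nTo: accountant@example.com\r\n"
         "Subject: Late invoice payment receipt\r\n\r\nClick the link to review.\r\n")
SPOOFED_NAME = ('From: "Jane Exec" <jane@attacker.invalid>\r\nTo: accountant@example.com\r\n'
                "Subject: Approved\r\n\r\nPlease process.\r\n")
INTERNAL = ("From: Jane Exec <jane@finance.example.com>\r\nTo: accountant@example.com\r\n"
            "Subject: Approved: invoice 1043\r\n\r\nOK to pay.\r\n")
ALREADY_TAGGED = ("From: vendor@partner.invalid\r\nTo: accountant@example.com\r\n"
                  "Subject: [External] Statement\r\n\r\nSee attached.\r\n")
```

Note that in the incident described above the forged approval chain was sent from the accountant’s own compromised mailbox, so the marker would only have flagged the initial phishing message, not the later fabricated approvals.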
These and other case studies make up Verizon’s second annual Data Breach Digest (registration required), a useful collection of real cyber security incidents investigated by the communications provider’s RISK team, with the names of victims and other identifying information withheld.
Not all of the cases involve a breach. One, for example, is about a CSO who reported odd behavior on his smartphone after a foreign business trip. Ultimately the problem was traced to a vulnerable application installed to avoid overseas call charges by using Wi-Fi and Voice over IP, not to a deliberate compromise. Still, this and other cases show how investigative staff worked through and solved a problem. Other infosec pros can do the same.
Other cases described include:
- A university DDoS attack done through its own vending machines, smart light bulbs and over 5,000 IoT devices throughout the campus;
- Janitorial staff angry over unilateral pay cuts are approached by an individual offering “bonus pay” – cash for plugging in a malware-filled USB stick into the company’s PCs;
- A water utility had a major breach of customer bank account data, which was used to fraudulently transfer money to overseas accounts and then withdrawn to purchase Bitcoin. The culprit was the cousin of a worker in a third-party call centre; and
- A criminal who created a phoney e-commerce site to harvest credit card details from a retailer. On check-out customers initially connected to the phoney site, entered their information, and then were told to re-enter the data on a refreshed page. The refreshed page was legitimate, so the purchase went through and no money was diverted. The phoney page was just for capturing the credit card and other data.
Arguably there’s some marketing in the report — it makes Verizon’s RISK team look good — but there’s value in showing an IT team how each case was investigated.