
How an attacker beat anti-fraud protocols, and other cyber security incident cases



No matter how smart the IT security team is, sometimes a little thing gets overlooked that costs an enterprise a lot of money.

That’s what happened to an unnamed company last year, which lost a big chunk of change in a wire fraud scam despite ample checks and balances designed to prevent it from happening.

According to the recently released Verizon Data Breach Digest, protocol at the firm called for an accountant to email an invoice requesting a wire transfer to a C-level exec, who had to approve the customer, bank account information and invoice amount. The accountant then forwarded the email approval and other documents to the wire transfers department, which reviewed the information for accuracy and processed the transfer.

But in one case the exec never saw or approved the transfer, yet the OK was given and the money was sent.

How did the criminal fake the approval?

Through a spear phishing attack on the email of one of the accountants. A message from someone claiming to have paid a “late invoice” went to the staffer, who was asked to click a link and provide email domain credentials to authenticate and review the payment receipt. “Apparently,” Verizon found, “the accountant provided his email account credentials and then forgot to follow up on the fact that he didn’t receive the payment receipt.”

The criminal then used the accountant’s credentials to log into his email account and study the company’s wire transfer approval process by searching through emails. Working from previously sent invoices and tax forms, the attacker created fake versions for the fraudulent wire transfers, then fabricated an approval email chain.

The company’s URL filtering tool should have blocked the link in the spear phishing attack and it would have — had the accountant been working in the office when he got the email. However, he was working from home that day on his personal network.

The lessons from this incident include not only security awareness training but also requiring two-factor authentication for access to email, requiring secondary authorization for wire transfers over a certain amount, requiring virtual private network (VPN) access for those reaching the corporate network when out of the office, and prepending a marker (e.g., “Subject: [External] … ”) to the subject line to flag externally originated emails.
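The last of those controls, tagging externally originated mail, is simple enough to show in code. The following is an added example, not code from the article or from Verizon; it assumes a placeholder internal domain of example.com and classifies a message by the domain of its actual From address, so a lure whose display name imitates an internal sender is still tagged.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain (placeholder, not from the article).
INTERNAL_DOMAINS = {"example.com"}
TAG = "[External]"


def sender_domain(msg):
    """Domain of the real From address; the display name is ignored."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """True when the From address is not at an internal domain."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_subject(raw_message):
    """Return the subject the recipient should see: the [External] marker
    is prepended exactly once for mail that did not originate internally."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    if is_external(msg) and not subject.startswith(TAG):
        subject = f"{TAG} {subject}".strip()
    return subject


# Constructed sample messages, modelled on the lure in the article.
LURE = (
    'From: "Accounts Payable" <billing@late-invoice-portal.example>\n'
    "To: accountant@example.com\n"
    "Subject: Payment receipt for late invoice\n"
    "\n"
    "Log in with your email credentials to review the receipt.\n"
)
INTERNAL = (
    "From: exec@example.com\n"
    "To: accountant@example.com\n"
    "Subject: Re: Wire approval\n"
    "\n"
    "Approved.\n"
)

if __name__ == "__main__":
    print(tag_subject(LURE))      # [External] Payment receipt for late invoice
    print(tag_subject(INTERNAL))  # Re: Wire approval
```

A gateway rule like this only marks where a message came from; it does not validate the approval chain itself, which is why the report also recommends two-factor authentication on email and a secondary authorization step for large transfers.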

These and other studies are part of Verizon’s second annual Data Breach Digest (registration required), a useful collection of real cyber security incidents investigated by the communications provider’s RISK team but with the names of victims and other identifying information withheld.

Not all of the cases involve a breach. One, for example, is about a CSO who reported odd behavior on his smartphone after a foreign business trip. Ultimately the problem was traced to a vulnerable application installed to avoid overseas call charges by using Wi-Fi and Voice over IP, and not a deliberate compromise. Still, this and other cases show how investigative staff worked through and solved a problem. Other infosec pros can do the same.

Other cases described include

Arguably there’s some marketing in the report — it makes Verizon’s RISK team look good — but there’s value in showing an IT team how each case was investigated.
