Phishing

The year is barely a week old and already criminals have shaken off their New Year’s Eve party hangovers and are back to work.

One of the first alerts infosec teams should be spreading to their organization’s hierarchy is that wire fraud is coming their way. According to a posting to the SANS InfoSec Handlers Diary Blog by Brad Duncan, a security researcher at hosting provider Rackspace, on Monday two waves of phishing email were sent to an unnamed company spoofing an executive’s email and trying to get the recipient to wire money to a phoney customer.

The message looks like this:

Date: Mon, 4 Jan 2016 22:18:08 GMT
From: [spoofed executive’s email address]
To: [each of the targeted recipients]
Subject: Please get back to me on this

Do you have a moment?  I am tied up in a meeting and there is something i need you to take care of.

We have a pending invoice from our Vendor. I have asked them to email me a copy of the invoice and i will appreciate it if you can handle it before the close of banking transactions for today.

I cant take calls now so an email will be fine.

Sent from my iPhone

Would your organization’s staff be fooled by this? Maybe, if they have authorization to deal with invoices — either online or by mail. Even if staffers do the proper thing and check who the message is from, at first glance the sender will look legitimate.

How would one know it’s a fake? First, “handle it before the close of banking transactions today.” One of the tricks attackers use in phishing attempts — in addition to playing on people’s respect for authority — is urgent language. A second clue is the line “I cant take calls now.” That is meant to stop the recipient from verifying the request by phone or in person.
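As an added example (not code from the post or from Duncan’s diary entry), the following Python scores a message against the clues just described: a From address in the company’s own domain that the mail gateway could not authenticate, urgency wording, a stated reason not to phone, and a payment request. The company domain, the Authentication-Results header and the phrase lists are assumptions; the sample message is constructed from the text quoted above.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "company.example"  # assumed domain of the targeted company

# Constructed sample: the quoted message, with an assumed internal From address and
# an assumed gateway Authentication-Results header showing SPF failed.
SAMPLE = """\
Date: Mon, 4 Jan 2016 22:18:08 GMT
From: jane.exec@company.example
To: pat.smith@company.example
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=company.example; dkim=none
Subject: Please get back to me on this

Do you have a moment?  I am tied up in a meeting and there is something i need you to take care of.

We have a pending invoice from our Vendor. I have asked them to email me a copy of the invoice and i will appreciate it if you can handle it before the close of banking transactions for today.

I cant take calls now so an email will be fine.

Sent from my iPhone
"""

# Phrase lists built from the clues the post describes (assumed wording, extend as needed).
URGENCY = [r"\bbefore the close of (banking )?(transactions|business)\b",
           r"\bfor today\b", r"\burgent(ly)?\b", r"\bimmediately\b"]
AVOID_CHECK = [r"\bcan'?t take calls\b", r"\btied up in a meeting\b",
               r"\ban email will be fine\b"]
PAYMENT = [r"\binvoice\b", r"\bwire\b", r"\btransfer\b", r"\bpayment\b"]

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message; higher means more suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    body = (msg.get_body(preferencelist=("plain",)) or msg).get_content().lower()
    reasons = []
    # Spoofed sender: From claims our domain, but our gateway saw neither SPF nor DKIM pass.
    if domain == INTERNAL_DOMAIN and not re.search(r"\b(spf|dkim)=pass\b", auth):
        reasons.append("internal From %s without SPF/DKIM pass" % addr)
    # Social-engineering clues: each category counts once, with the number of phrase hits.
    for label, patterns in (("urgency", URGENCY), ("avoids-verification", AVOID_CHECK),
                            ("payment-request", PAYMENT)):
        hits = sum(1 for p in patterns if re.search(p, body))
        if hits:
            reasons.append("%s (%d hits)" % (label, hits))
    return len(reasons), reasons

if __name__ == "__main__":
    print(score_message(SAMPLE))  # (4, [...]) for the constructed sample
```

A score of 2 or more is a reasonable threshold for routing the message to a human reviewer rather than the recipient’s inbox; tune the phrase lists to your own organization’s wording.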

In all, 17 emails were sent in two targeted waves to four people (two at a time). Why so many? The sender had their names (so a bit of research was done on the target organization) but not their email addresses, so guesses were made (e.g. [firstname.lastname]@[company].com, [first initial + lastname]@[company].com).

The Canadian Anti-Fraud Centre dubs efforts like this the “Business Executive Scam.” Losses are typically in excess of $100,000, it says.

The centre groups all categories of wire fraud together (the BES, schemes in which a foreign supplier’s system is compromised and used to trick a Canadian company, and financial-industry fraud). For the first eight months of 2015 there were 207 reported attempts, 57 of which were successful, totalling $6 million in losses. For all of 2014 wire fraud totalled $19 million in losses.

The centre warns people to

  • Beware of unsolicited emails from individuals or financial institutions presenting an urgent situation requiring immediate attention;
  • Prior to sending any funds or product, make contact with existing clients in person or by telephone to confirm that the request is legitimate;
  • Watch for spelling and formatting errors and be wary of clicking on any attachments; they can contain viruses and spyware.

Duncan says that according to the FBI, between October 2013 and August 2015 thieves stole nearly US$750 million from more than 7,000 companies in the U.S. using such scams.

By the way, there’s another kind of fraud going around involving product warranties that infosec teams need to remind call centre staff about. According to security writer Brian Krebs, criminals are getting hold of the names and addresses of customers who have bought certain products, then contacting vendors demanding refunds or replacements for gear that allegedly doesn’t work.

As Krebs notes, fitness-tracking device maker Fitbit is the latest victim. It surfaced when the company noticed large caches of data from customer accounts being posted to Pastebin, perhaps harvested from customer computers compromised by password-stealing malware or from customers who re-use the same credentials across many sites.

The company told Krebs the fraudsters log in to the customer’s account and change the email address, then call Fitbit’s customer service and claim that their device has stopped working. The company has responded by educating its customer service staff and assigning risk scores to all warranty replacement requests.