Dissection of a Phishing Attack, Part 3
by Scott M. Lewis
You are doing all the right things: you have updated your systems, implemented new firewalls and advanced threat detection. You have anti-virus loaded. You have good patch management in place. Then you find out you were still the victim of a phishing scam. How can that happen?
In most cases you may never know who did it, and in some cases you may never know how the breach occurred. Let’s walk through an actual incident that Winning Technologies was brought in on, to find out how it was done, and then look at the steps that would have improved prevention. I’ll try to walk you through how all the things we have discussed so far came together to create a loss of more than $250,000 for this company. It could have been worse, though: the scammer’s initial request was for over a million dollars.
In this case, Company A was financing a project with a financial institution and a third-party investor. The project had reached a point at which some of the financing was scheduled for payment to keep the project moving along. Company A emailed the investor to request the monthly requisition payment voucher so that a portion of the financing could be paid out and distributed to vendors and suppliers. The initial emails contained no real descriptive information, only the necessary discussion of timing and process for the release of financing. At some point the emails were intercepted, and a content-injection phishing scam began. The interception was so clean that Company A had no reason to believe the messages had been intercepted. It simply looked as though the investor had gotten busy, been distracted, or was preparing additional information for the release of funds.
From the investor’s perspective, they were still exchanging emails with their partner. Because of the human conditioning factor, the investor never recognized the subtle signs that the parties had changed and that they were no longer communicating with Company A. At first glance, from a forensic perspective, it looked like a common spoofing of an email account. A closer look at the email headers, however, easily reveals when and where the content injection happened.
What do we know so far?
- Two companies that know each other, with common interests, are exchanging normal email traffic.
- Two users within those companies who know each other have exchanged this type of communication and request in the past.
- Standard email communications; both companies use Office 365.
- No confidential or descriptive information in the emails.
- It looks like a regular spoofed email, similar to when you get an email from yourself, but on close examination there was evidence that things had changed. The human condition, however, prevented anyone from realizing it.
How was the email intercepted? Detecting and trapping email traffic across the Internet is just not that hard. You should have a heightened sense of awareness if you are a high-profile organization or a high-value target such as a finance company, a bank, a credit card processor, or a government agency. It is harder to do today than it has ever been, but anything that travels over the Internet is a potential target. Upon reviewing the header information of the emails, it was not difficult to determine what had happened. Once the email from Company A was intercepted, the scammer changed two letters in the domain name, set up a phony domain, and created fake email accounts using Gmail. They even changed the email addresses of the individuals on the CC line of the email, to further exploit the human conditioning factor of normalcy, and then started communicating with the third-party investor.
What can we add to the list of what do we know now?
- The scammer set up a fake domain name, changing two letters of the actual domain name.
- The scammer set up a free Gmail account to run the scam.
- The scammer set up email accounts for the targeted individual at the third-party investor.
- The scammer also set up email accounts for the people on the CC line of the email.
- The scammer maintained the appearance of normalcy, giving the reader what they expected.
At this point, what were the red flags? The changes in the emails could have been identified, and they would have pointed to a phishing attack. The big one is the misspelling of Company A’s name in the domain part of the email address. The misspelling of the domain name is a very subtle change. In most cases, because of the human conditioning factor, it is overlooked by the vast majority of people unless they are regularly trained to examine the email addresses they are sending to and receiving from.
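The two checks the article relies on, comparing the address headers against the real partner domain and reading the Received chain to see where the message actually entered the mail system, can be automated. The script below is an added example for this article, not code from the original or from Winning Technologies. It assumes a mail administrator maintains an allowlist of partner domains (here the reserved placeholder domains company-a.example and investor-a.example), and it runs against a constructed sample message in which the From, Reply-To and Cc addresses use a lookalike domain two edits away from the real one, much like the case described above.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: an allowlist of domains the organisation legitimately corresponds
# with, maintained by the mail administrator. Both are reserved ".example"
# placeholders, not real domains.
TRUSTED_DOMAINS = {"company-a.example", "investor-a.example"}

# Constructed sample message. The From, Reply-To and Cc addresses use a
# lookalike domain ("cornpany" for "company": two characters changed), and
# the oldest Received hop shows the message entering from a free mail provider
# rather than Company A's own mail servers. 192.0.2.10 is a documentation-only
# address (RFC 5737).
SAMPLE_MESSAGE = """\
Received: from mx1.investor-a.example (localhost [127.0.0.1]) by mx1.investor-a.example; Mon, 01 Jan 2024 09:00:05 +0000
Received: from mail.freemail-provider.example (mail.freemail-provider.example [192.0.2.10]) by mx1.investor-a.example with ESMTPS; Mon, 01 Jan 2024 09:00:03 +0000
From: "Jane Doe" <jane.doe@cornpany-a.example>
Reply-To: jane.doe@cornpany-a.example
To: finance@investor-a.example
Cc: "Bob Roe" <bob.roe@cornpany-a.example>, ops@investor-a.example
Subject: Monthly requisition voucher
Date: Mon, 01 Jan 2024 09:00:00 +0000

Please see the updated payment instructions below.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def address_domains(raw: str) -> dict:
    """Map each address header to the lowercase domains of the addresses in it."""
    msg = message_from_string(raw)
    result = {}
    for header in ("From", "Reply-To", "To", "Cc"):
        pairs = getaddresses(msg.get_all(header, []))
        result[header] = [addr.rsplit("@", 1)[1].lower()
                          for _, addr in pairs if "@" in addr]
    return result


def find_lookalikes(raw: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> list:
    """Return (header, domain, trusted_domain, distance) for every address domain
    that is not on the allowlist but is within max_distance edits of one."""
    findings = []
    for header, domains in address_domains(raw).items():
        for domain in domains:
            if domain in trusted:
                continue
            for good in sorted(trusted):
                distance = levenshtein(domain, good)
                if distance <= max_distance:
                    findings.append((header, domain, good, distance))
    return findings


def origin_hop(raw: str) -> str:
    """The oldest Received header, i.e. where the message first entered the mail
    system. Each relay prepends its own Received line, so the last one in the
    message is the first hop."""
    hops = message_from_string(raw).get_all("Received", [])
    return hops[-1] if hops else ""


if __name__ == "__main__":
    for header, domain, good, distance in find_lookalikes(SAMPLE_MESSAGE):
        print(f"{header}: {domain} is {distance} edit(s) from trusted {good}")
    print("First hop:", origin_hop(SAMPLE_MESSAGE))
```

Run as a script it lists the three headers carrying the lookalike domain and prints the first Received hop, which names a mail provider that is not Company A's. A distance threshold of 2 catches the "two letters changed" pattern from this case; raising it widens the net at the cost of more false positives on genuinely similar partner names, so the allowlist and threshold are tuned per organisation.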
After a few emails between the scammer and the third-party investor, it was agreed that the investor would contact the bank and make an initial transfer of more than 250,000 dollars. Red flags should have been going off. In one of the emails leading up to the transfer, the scammer stated that the bank was having issues with electronic funds transfers and that the funds should be sent to its branch in Mexico. The fact that the scammers wanted the money sent to a Mexican office should have been a show stopper right there. When the bank suspected something was not right, it called the third-party investor to express its concerns, as it should have. The bank ended up talking to an employee who was not fully aware of the situation and did not confirm the transaction with superiors, but moved ahead and approved the transfer of funds.
What do we know now?
- The financial request from the scammer is included in the email.
- The scammer said the bank could not accept electronic funds transfers.
- The scammer requested that the funds be sent to an out-of-country account.
- The bank thought the transfer request was questionable.
- The bank called the third-party investor.
- An employee at the third-party investor did not properly question, escalate, or clear the request, and did not discuss the change from the existing US bank to a new Mexican bank, either internally or verbally with Company A.
To be continued next month……
Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 35 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.