10 Mar 15

Spoofing the Boss Turns Thieves a Tidy Profit

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

Until it did. After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.

By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, the bank hadn’t yet processed the wire, and they were able to claw back the funds.

“Judy” is a pseudonym; she asked to remain anonymous so as not to further embarrass herself or her employer. But for every close call like Judy’s there are many more small businesses each week that fall for these scams and lose millions in the process.

Known variously as “CEO fraud” and “business email compromise,” this swindle is a sophisticated and increasingly common one that targets businesses working with foreign suppliers and/or businesses that regularly make wire transfer payments. In January 2015, the FBI warned that cyber thieves had stolen nearly $215 million from businesses in the previous 14 months through such scams, which begin when crooks spoof or hijack the email accounts of business executives or employees.

In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who, she said, is not usually in the office. The message was made to appear as though it was a conversation between the CFO and the CEO, in which the CEO told the CFO that money needed to be wired to China.

“$315,000 is definitely a high amount, but I did a transaction for $1.4 million before, and I wire money to China for goods that we buy from there,” she said. “But truly, the email did bother me. It didn’t feel quite right when it came in, but at no point did I think, ‘this is someone imitating the boss.'”

After sending a co-worker in finance instructions to execute the wire transfer, Judy sent a note to the CFO asking if she should also notify the CEO that the wire had been sent. When the response came back in wording she couldn’t imagine the CFO putting in writing, she studied the forwarded email more closely. Sure enough, Judy discovered the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name.

Working with investigators, the company determined that the fraudsters had registered the phony domain and associated email account with Vistaprint, which offers a free one-month trial for companies looking to quickly set up a Web site.

“Turns out the scammers set up the domain and email address that morning, the same day as the wire request,” Judy said. “When that email came through, the difference didn’t jump out at me. In hindsight, it blows my mind that it doesn’t bother me more than it did. But in the hustle and bustle of the day, I was not on guard for something like this. Now, I’m second-guessing everything.”

Judy’s employer now has a mandatory policy about wire transfers:

“First of all, anytime there is a large wire or payment to make, we have to speak in person, whether that’s face-to-face, or in person on phone,” she said.

In other words, no more initiating large wire transfers because someone asked you to via email. It’s remarkable how much global trade is done via email, and how often both parties to the transaction are oblivious to or willfully ignorant of the fact that email is inherently insecure. More remarkable still, this form of fraud occurs in a channel where the victim’s bank has virtually no visibility.

The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.


68 comments

  1. We’ve received a couple of these to our finance department, which happily got noticed by the employee targeted. In one case the instructions said to transfer the money to an account at a UK bank. We called the bank to notify them that the account was being used for fraudulent purposes, but were told that they could not take action as we had not lost any money, so no crime had been committed yet. It took several more calls before we found someone in the bank who was actually interested in preventing crime before it happened.

  2. Another great article Brian!

    Working in the financial industry has its challenges, but one of the biggest things that I have found in my experience is the euphoria that people get in executing these large transactions. “Judy” even stated she did larger transactions and so this smaller one may have been peanuts. That euphoria distracts from the threats and contributes to the “tyranny of the urgent” that can be devastating to an organization.

    I have personally spoken to folks initiating large dollar transactions and they were so excited to be doing business “at that level” until they find out they have gone over the cliff. Behavior is such a stumbling block for those that process these types of transactions.

    As your article states, the behavior at the company has changed to the point of verbally confirming wire transfers. A very sound practice indeed, one that seems to be lost on those destined to be had by the scammers. Communication and good controls are a key to survival.

  3. Another common spear phishing attack, by abusing a third party website and using some clever social engineering. More people need to be educated in this type of thing, otherwise people and/or companies will continue to get scammed.

    • This reply is a bit far afield from your comment, but I lately have been receiving emails from Outlook.com or other reputable sites requesting to VERIFY my account with my username AND password.

      Their emails have all the legitimacy to fool anyone but I decided to delete the email and figured any legit outfit would hound me to death to do as instructed or as they threatened me (gasp, shut down my account)!

      Hey, do me a favor….. shut down my account. You’ll be hurting me less than you think.

  4. No reason not to start the ball rolling with an email and confirm by voice, especially if the situation changes in the meantime, let alone fraud.

  5. We received a handful of these at the end of last year. Email spoofing the CEO sent to the COO. Anything more than a cursory glance showed that the email just didn’t look or feel right. No signature, no corporate branding and awkward grammar. Luckily no damage done.

  6. Hey ‘spear-phished’, one other secure solution is ‘secure instant messaging’ (encrypted IM) to secure communications over internet (amongst others).

  7. This scam was executed successfully against a company here in Steamboat Springs, Colorado.

  8. This *exact* thing happened to my company last month. Our CEO was traveling, the thief knew exactly who to send the email to in our accounting department, and they had even replicated the email signature of our CEO. They had used the VistaPrint email and domain registration to procure a domain one letter off from ours.

    Our accountant was savvy enough to catch it, but it was certainly a learning experience.

    As part of our due diligence and protocol, we did report it to the police, but obviously with no loss, nothing could be done. Just a monumental waste of everyone’s time.

  9. “First of all, anytime there is a large wire or payment to make, we have to speak in person, whether that’s face-to-face, or in person on phone,” she said.

    Duh….

  10. I have similar stories that I can relate but only anonymously. They involve fraudulent manipulation of invoices.

  11. In addition to manipulating employees to move funds, I have seen these email hacks or spoofs attempt to get employees to open attachments or click on links. Not only are they trying to steal money, they are attempting to gain footholds in corporate networks, large and small. This type of attack seems to be more successful. A lot of employees unconditionally trust the email from the CEO asking them to look at the kitten video by .

  12. It’s a pity that encrypted or cryptographically signed email is not easier to use…

    • Once it’s been set up, sending signed or encrypted email is no harder than clicking “Send” and typing a passphrase to access the crypto keys. The setup’s not hard, either, and only needs to be done once.

      I wrote setup instructions for Thunderbird a couple of years ago: http://bitmonger.blogspot.com/2013/05/its-time-to-encrypt-your-email.html

    • Each technology invented can be circumvented.

      At some point, the “audio call” security mechanism will have to be discounted as “not trustworthy”, I don’t look forward to that day.

      If your CEO/CFO are actually using digital signatures, and everyone validates digital signatures correctly, then the fun attack is taking over the CEO/CFO’s computer (or more fun is their discarded but not cleansed previous computer, or their backups) and then sending a properly signed message impersonating the CEO/CFO.

      Digital signatures are not a panacea.

      And anything that causes you to become less suspicious of inbound messages is not good.

  13. This is just web 101 stuff, though. I mean come on – the domain was different from the expected one! Blaming the ‘hustle and bustle’ of the day seems like a cop out.

    • > come on – the domain was different from the expected one!

      1. When was the last time you examined the domain name of an incoming email? Most email clients just show the name unless you take extraordinary measures to inspect the email address.

      2. It’s just as likely that the bad guys have tapped into an account with administrative access to the Email server. They can just as easily create an email address on the same domain, with just 1 letter variation on the CEO’s name.

      • The company I used to work for instituted a simple yet effective trick that helps to address this: all incoming email from an outside server gets [EXTERNAL] added to the front of the subject. Makes it simple to tell when an email is not really from the CEO.

        • Great, then you hit ‘reply’ and the conversation about ‘what does [external] mean?’ happens again for the umpteenth time. But then again security is all about inconvenience, isn’t it?

        • Yeah, I’ve worked for places that do that, it’s a royal pain, it poisons your address book, and it makes you look like an idiot when you send outbound emails.

          It will also void any message signatures from any external parties. Which means you’ll be used to invalid signatures — anytime you get used to seeing an idiot light, you start ignoring it, and when you start ignoring it, it ceases to be useful.

          If you happen to have contractors, you end up whitelisting them, which means that an attacker just needs to read your financials or search the web for indications of who’s contracting for you and hack them (see how Target was attacked via HVAC) and then infiltrate instead. — Sure it might seem harder, but as the Target hackers showed, it’s easy enough since there are more contractors w/ weaker security than the companies to whom they contract.

      • “When was the last time you examined the domain name of an incoming email? Most email clients just show the name unless you take extraordinary measures to inspect the email address.”

        I hope I am not the only one to think that this is a BAD idea. Hiding the email address and showing only the proffered name makes this type of fraud easier.

      • 1) Every single email I’ve ever received? Again, this is web 101 stuff. I’ve been on the web for over 16 years (yes, I’m a young one)
        2) Are you seriously trying to say it’s “just as likely” for them to have infiltrated a privileged account as for them to have no access whatsoever into the system but just a similar domain? Get real.

  14. Here’s one we just received, spoofed from the president to the cfo:

    Hi ,

    Hope you are having a splendid day. I want you to quickly email me the details you will need to help me process an outgoing wire transfer to another bank.

    I will appreciate a swift email response.

    Thanks.

  15. What I do not understand is why the thieves are using similar-looking email domains (one letter changed) instead of manipulating the email headers to look as if it was sent from exactly the victim domain.
    It was a very simple hack, pranking friends 20 years ago with email apparently sent from celebrities. Is this not possible anymore with modern email clients?

    • Since the email address is real, they will receive a reply in case the target comes back with questions.

  16. Zelig Lindemann

    We are an IT company in NW Ohio. One of our clients recently (03/06/15) had this same thing with a VistaPrint domain being registered to spoof the genuine domain. The domain was .co rather than .com

    Interesting thing 1:
    The email was received within five minutes of the domain being created, and there is a one to two minute delay going through the mail filtering system.

    Interesting thing 2:
    The wire instructions were in a PDF, the author is AKPO ESAJERE. Googling the name reveals it may be Nigerian. It could also be a red herring, but to my thinking if they were going to bother changing the author they would have made it the same name as the CEO who supposedly sent it. Putting a Nigerian name in wire instructions really doesn’t sound like best practice if you are trying to defraud someone.

    Interesting thing 3:
    They knew the name of the CEO (not difficult) and the Controller (not so easy).
    The wording of the email was convincing.

    The fraud was spotted before any money was transferred.
    We contacted the FBI on the client’s behalf and the Agent I spoke with said they have seen *a few* of these where a domain has been registered.

  17. I can’t imagine why the email application vendors and writers have not implemented a safe-senders list. We have green notifications for secure web pages, how easy would it be to highlight the sender of any mail with green for your own domain, blue for trusted domains and red for everything else? A simple lookup file for anything considered trustworthy would be trivial to implement. The biggest problem I can think of is the time to render 5000 e-mails in your inbox with the correct colors.

    I suggested that to several vendors 10 years ago and here we are (still).

    Many more mail apps need to implement DMARC as well as the simple solution.

    • There is a way to achieve what I mentioned earlier, at least in Outlook and OWA.

      If you create a rule to look at specific words in the sender’s address you can assign a category with an appropriate color.

      Create one rule for your own domain, and a different rule for customer and other trusted domains.

      • Better yet, use Outlook’s Safe Senders list (Outlook >2007 or maybe >2003). Setup Safe Sender, Safe Recipient, and/or Blocked Senders lists. This can include domains, such as “blockme.com”. While you’re at it, throw in bad top level domains in the International settings, if you do business only in one country, for example. Then bump up the restriction level to “Safe Lists Only”. Only approved senders and domains will go to your Inbox. The rest will go to the Junk E-Mail folder. Lookup “Safe Senders” in Outlook Help to get instructions.

  18. The story about a “scam email that nearly cost Judy her job” is most distressing. Had the wire transfer taken place, it is the CFO’s job, not Judy’s job, that should have been at risk. I have seen far too many cases where a manager made a mistake and passed on the blame.

    • While I agree with the sentiment in your comment, in this case the CFO wasn’t even involved.

      • I would sincerely hope that had Judy not caught the scam, she wouldn’t have actually been at risk of being fired over it. Unless an employee is trained in specific protocol to safeguard against such a spoof, it seems unethical to hold them responsible.

        Nonetheless, it seems it would be a good practice for companies whose employees are involved with moving money electronically to offer such training, and institute protocols as has been the case at Judy’s company. She should be commended, actually, for her part in averting that loss.

        Thanks for the post. I find them to be informative and great reminders to “play it safe” online.

      • @Brian: I disagree. My point was that the policy to verify in person or by phone all wire transfers should have been put in place before the exploit, not after. The policy failure wasn’t Judy’s fault.

  19. Bait and Switch

    From a friend of mine, a company well known to me recently got taken for just under $1.0MM wire fraud. Client received a spear-phish email, which loaded a zero day key stroke logger on to the computer. When the person logged on to the Bank’s website, with username, PIN and RSA token, they had put up a pop up message saying her login failed and to call a number. The number was to the hacker, who then had to get the person and the person’s manager to login with credentials and RSA token; it took 2 or 3 attempts, but they were able to originate the wire and send it to Hong Kong. Immediately after the wire was done, they then orchestrated a DDOS attack on the ISP within a few minutes, effectively shutting them down from being able to stop the wire or even see it. Was told the wire originated out of Canada. Company scans every day, but did not pick it up the day it happened, but finally did 2 days later. Companies and Banks need to do a better job training their people.

  20. Solutionary Incident Response has seen many similar cases, as well. A related write-up was released in the Q3’2014 Threat Intelligence Report. http://www.solutionary.com/threat-intelligence/threat-reports/quarterly-threat-reports/sert-threat-intelligence-q3-2014/

    It is unfortunate that the end user is the weakest link, but that is unlikely to change. Fortunately, there are still some technical mitigations for this type of attack, such as configuring the Phishing Confidence Level in an Exchange environment and/or implementing dual controls on all wire transfers.

    • Bait and Switch

      Dual factor was in play; they had somehow duped an approver into inputting their credentials into “unlocking” the general user, so they got both user IDs, PINs and RSA tokens within 60 seconds to initiate and approve the wire. In our company, we have IP restrictions set up on our Virtual Terminal for card processing. The IP address where the wire originated from was in Canada, the client is in the US; not sure why the Bank would not have questioned that. If the Bank has an IP restriction function, I would imagine that might have stopped/slowed down this attack, or maybe cloning the IP address is that easy.

  21. I have seen this same attack attempted on several businesses in NE Ohio. Chad is correct the reason this works is because the end user is the weakest link, and susceptible to social engineering. Solid policies around financial transactions followed up with employee training is the best countermeasure.

  22. Wells Fargo Bank has published many useful resources on this subject which you can find here:

    https://treasuryinsights.wellsfargotreasury.com/

    The materials are under the “Fraud Protection” tab.

  23. Two suggestions:

    1. GPG, or some other means of cryptographically signing email.

    2. Mail clients should develop features to warn users that a message is suspicious if it comes from an address that is very similar to, but not exactly equal to, one that the user previously sent to or received from. So if you correspond with foo@example.com, a message subsequently arriving with a “from” or “reply-to” of foo@exarnple.com will be flagged as suspicious in the client UI. Thunderbird already has some criteria for sometimes marking a message with “appears to be a scam”, separate from its spam-filtering, but sadly prone to false positives and using I-don’t-know-what-criteria. But the appearance of that warning in the UI should probably be copied by all mail clients for this proposed feature.

  24. Richard Steven Hack

    I wonder if anyone still uses the term “trusted email” or “email from a trusted party”. I used to see that all the time.

    In reality, ALL email is by definition “untrusted” and should be treated as such. It doesn’t matter WHO it comes from because you can’t possible PROVE it came from any specific person from examining the email alone. Every element of an email can be spoofed.

    So procedures should be in place to verify the source of emails, especially those that are used to initiate financial transactions or transfers of what should be confidential information. Generally speaking, this means a PKI setup. Any company not encrypting their email between employees is just asking to be phished.

  25. People are far too trusting. It’s part of the naive virtual world we’ve created. So trusting in fact, we don’t even think about it anymore. We are so much more likely to trust an email (which could so easily be faked) than the person we married.

  26. Excuse me, but I can’t ever get over how easy it is for thousands of bucks to go to the wrong party. Did I spend years trying to make an honest living for nothing? Apparently so!

  27. 1) Certified email offers a relatively inexpensive method of verifying when and to where an email was sent; when and by whom an email was opened. It will also show the path the email followed to get to its destination. One can register more than one email address on the account. Thereafter, appending the text they give to each outbound email offers the receiver some assurance that the mail they sent was read by the intended recipient.
    2) 2nd option is to purchase and park common misspellings and variations of one’s domain name and do not activate any email accounts on those domains. Relatively small expense.

    • Very intelligent options and I agree and not wanting to sound impudent but isn’t the best and safest option to pick up a phone and simply call the employee?

  28. I’m sorry to be asking an unrelated question. Let me know if I should ask this somewhere else on this site.

    I downloaded the new version of Foxit Reader this evening. I tried not to add on extra stuff with it, but it is still 117 MB. Foxit used to be very small. I read this evening that Foxit is including a lot of other stuff with its download and you must be very careful. I thought I was, but I must have downloaded other stuff with it.

    Are people moving away from Foxit Reader because of this?
    What’s a good alternative?

    • I know you intended your comment for someone more attuned to your dilemma, but from my naive 20 year experience I would suggest doing what my grandad suggested:

      “When in doubt, do without”.

      Sage advice, I would do the same in your situation.

      Kirk out.

  29. It boggles my mind that the phished employee actually wiring the funds is the “crime,” not the phisher sending the fraudulent request. Why is this different than agreeing to buy drugs or soliciting a prostitute or conspiracy to commit violence?

    Oh well, it’s not like the criminals are often caught with the successful phishing attempts either.

  30. A few years ago I was asked to look at a case where a model agency had been targeted using an email account that was .co.uk instead of .com of a (fake) high-profile English model, asking for her credit card statements that the agency managed as well as her billing and other confidential records over a period of a week; it proved to be someone working for a reporter. The poor receptionist who handed over the details took a lot of heat over that, but it’s an understandable mistake; models are notoriously impatient. A cease and desist negated most of the damage.