Wire Transfer Fraud, Up Close and Personal
We recently posted about an uptick in wire transfer fraud through bogus email. Since then we and two of our clients have been the subject of such attacks. All were emails purporting to be from executive leadership (CEOs or Partners) to the people in their organization responsible for finance.
Identifying Wire Transfer Fraud
One used a forged email from the correct domain, although the Reply-To header ensured that any replies went to a Hotmail address. Technically this was the most amateurish of the three, but parts of the social engineering were more advanced than in the other two. The signature block on the email was spot-on for the purported sender’s iPhone. That wasn’t good enough to fool the recipient (in part because they don’t do wires that way), so we were called in right away.
We and the other client were the subjects of a classic spoof. The attackers registered a domain with one letter changed from the victim’s domain. Interestingly enough, both attacks used the same registrar (Tucows) and reseller (VistaPrint) to acquire their domains, and the mail was sent using the registrar’s webmail system.
In both cases the spoofed signature blocks were a bit off from the spoofee’s regular signature, which looked suspicious to the recipients. And in both cases, the normal business process for wire transfers either did not involve email or involved out-of-band verification by phone or text, so no money ever changed hands.
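The two red flags described above (a Reply-To header pointing somewhere other than the From domain, and a sender domain one letter away from the real one) can be checked mechanically on a message whose headers were preserved. The following is an added example, not code from the original post; the addresses and domains in it are constructed, and the trusted domain is whatever your organization actually uses.

```python
import email
from email import policy

# Constructed sample messages (not from the original incidents) showing both patterns.
FORGED_SAME_DOMAIN = b"""From: CEO <ceo@example-corp.com>
Reply-To: ceo.example@hotmail.com
To: finance@example-corp.com
Subject: Urgent wire

Please process the wire today.
"""

LOOKALIKE_DOMAIN = b"""From: CEO <ceo@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent wire

Please process the wire today.
"""


def _domain(addr: str) -> str:
    """Domain part of an addr-spec, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain registered by changing one letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: bytes, trusted_domain: str) -> list:
    """Return the red flags found in a raw RFC 5322 message with headers intact."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    from_dom = _domain(msg["From"].addresses[0].addr_spec) if msg["From"] else ""
    # Flag 1: replies would be routed to a domain other than the apparent sender's.
    if msg["Reply-To"]:
        reply_dom = _domain(msg["Reply-To"].addresses[0].addr_spec)
        if reply_dom != from_dom:
            flags.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # Flag 2: sender domain is a one-character lookalike of the trusted domain.
    if from_dom and from_dom != trusted_domain.lower() and edit_distance(from_dom, trusted_domain.lower()) <= 1:
        flags.append(f"lookalike-domain:{from_dom}")
    return flags
```

Both checks depend on the original headers, which is why the post recommends forwarding suspicious mail as an attachment rather than inline.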
We filed complaints with the registrar and had the domains and webmail accounts taken down. We also filed a complaint with the ISP that owned the sender’s IP address (harvested from the email headers), and another with the U.S. government’s Internet Crime Complaint Center (IC3), although we expect they have their hands full with the frauds that succeeded.
Always follow the wire-transfer best practices we cited in the last post. If at all possible, don’t use email for critical business processes that require authentication. If you do, always use out-of-band contact to verify the message.
If you do get phished, call your security department immediately. When passing on suspicious email for investigation use the “Forward as Attachment” option, so that all headers are preserved for analysis.
It amazes me sometimes that people fall for these scams, but they do. Follow best practices to make sure the next victim isn’t your business.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.