TrustedSec has been following an organized crime group for over a month and is releasing our initial findings today to notify companies of the group's sophistication and methods (more to come). As of today, a number of US companies have been impacted, and unfortunately a number of companies are still unaware that they were victims of this attack.
A major offensive is currently underway against a number of United States based companies, mostly those with international components. TrustedSec has notified law enforcement that multiple companies are affected; these attacks are aimed at extracting money from the companies. An active case is in progress, working with the affected companies and investigating the incidents.
What is especially interesting about these attacks is their high success rate. The attackers appear to have several escalation models and ways to pressure organizations into performing the transfer without triggering suspicion. They use a combination of social engineering (both email and phone), compromise of trusted partners and third parties, and spoofed email addresses to accomplish their goals.
Here’s how it works:
1. Attackers compromise a third-party vendor's or partner's email account in the accounts payable or invoicing department. Note that this isn't always the case: if they can find the information they need through open source intelligence, they will register a similar-looking domain name instead of compromising the email account.
2. A domain name is registered that is similar to the vendor/partner.
3. Communications may come directly from the third party initially and are then switched over to the similar domain so as not to draw suspicion toward the third party. They use the third party's company letterhead and, most of the time, contain legitimate signatures.
4. Requests for refunds, change orders, or lines of credit are made to the company being attacked.
5. If this doesn't work, the attackers spoof emails authorizing the request from inside the company being attacked, or resort to phone social engineering. The phone social engineering is very articulate; the callers appear to have little to no accent and are confident in what they are doing.
6. Money is wired out and you are out a significant amount of money. We have seen a few different receiving banks; a large portion appear to be in China.
Note that the attackers are persistent; they use emotional triggers to entice the affected company to expedite the fraudulent requests. They will become agitated, demand that the request be expedited, and even spoof emails from internal employees to coax the company into hurrying the process. If successful, they will also target your company again in order to extract more money from the organization.
We have seen wire fraud amounts ranging from $50,000 all the way up to $1,000,000. This attack is highly effective and we have seen a massive uptick in attacks within the past month. The group appears to be highly organized, sophisticated, technical, and focused on US based companies with an international presence.
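The steps above describe three signals a mail gateway or SOC can look for on inbound mail: a sender domain that is a near-copy of a known vendor's domain, a Reply-To that diverges from the displayed From address (the spoofed "internal authorization"), and payment language combined with urgency language. The following is an added illustration, not TrustedSec's code or tooling; the vendor allow-list, the domain names and the sample message headers are all constructed for this example.

```python
"""Flag inbound mail matching the vendor-impersonation pattern described above.

Added example (not TrustedSec's code). Vendor domains, message headers and
bodies below are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed allow-list of vendor domains accounts payable actually works with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "globex-parts.example"}

# Constructed sample messages. The lookalike sender uses a capital I in place of
# the lowercase l in "supplies", which is hard to spot in most mail clients.
SAMPLE_MESSAGES = {
    "legit": (
        "From: Pat Lee <pat@acme-supplies.example>\n"
        "Subject: Invoice 1042\n\nPlease find invoice attached.\n"
    ),
    "lookalike": (
        "From: Pat Lee <pat@acme-suppIies.example>\n"
        "Subject: URGENT: refund wire needed today\n\nPlease wire the refund today.\n"
    ),
    "replyto_mismatch": (
        "From: CFO <cfo@victim.example>\n"
        "Reply-To: cfo@victim-finance.example\n"
        "Subject: Approve wire transfer\n\nApprove the change order wire today.\n"
    ),
}

PAYMENT_TERMS = ("wire", "refund", "change order", "line of credit", "remit")
URGENCY_TERMS = ("urgent", "today", "immediately", "expedite", "asap")


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Lowercase and NFKC-fold so Unicode homoglyph domains compare as ASCII."""
    return unicodedata.normalize("NFKC", domain).lower().rstrip(".")


def classify_domain(domain, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return ("known"|"lookalike"|"unknown", matched_vendor_or_None)."""
    d = normalize_domain(domain)
    if d in known:
        return ("known", d)
    for k in known:
        # Close edit distance (acme-suppiies vs acme-supplies) ...
        if levenshtein(d, k) <= max_distance:
            return ("lookalike", k)
        # ... or the vendor's name embedded in a new domain (acme-supplies-billing).
        if k.split(".")[0] in d:
            return ("lookalike", k)
    return ("unknown", None)


def analyze_message(raw, known=KNOWN_VENDOR_DOMAINS):
    """Return a list of finding strings for one RFC 822 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    findings = []

    verdict, match = classify_domain(from_domain, known)
    if verdict == "lookalike":
        findings.append(f"lookalike_domain:{normalize_domain(from_domain)}~{match}")

    # A Reply-To pointing somewhere other than the From domain routes the
    # victim's answer to the attacker even when From is spoofed as internal.
    if "@" in reply_to:
        rt_domain = normalize_domain(reply_to.rsplit("@", 1)[-1])
        if rt_domain != normalize_domain(from_domain):
            findings.append(f"reply_to_mismatch:{rt_domain}")

    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        findings.append("urgent_payment_request")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name}: {analyze_message(raw) or 'no findings'}")
```

Any message with a finding should be routed to the out-of-band verification in the "What you can do" list below (a phone call to a number already on file, never one taken from the message) rather than blocked outright, since legitimate vendors do send urgent refund requests.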
What you can do:
1. Notify your financial and accounts payable departments of these attacks and the techniques.
2. Verify all transactions with your third-party partners and vendors, especially refunds, by calling a known phone number directly.
3. Provide enhanced education and awareness of these types of attacks.
4. If you have fallen victim to this attack, notify your local FBI office immediately.
We want to emphasize that this is happening right now and appears to be targeting a significant number of companies across the United States. It has been highly effective. The group appears to be heavily organized and applies different levels of sophistication as needed in order to maintain a high success rate against companies.
Measures should be taken right now to educate your finance and accounts payable departments, and to strengthen the controls in place for your third-party partners and vendors.