Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams ... and they hate him for it. The director of SEC Consult's Singapore office has made a name striking back at so-called "whaling" scammers by sending malicious Word documents that breach their Windows 10 boxes and pass …

  1. Lord Elpuss Silver badge

    Seems to me that organisations need to start using 2-factor authentication for wire transfers. Give each financially authorised company officer an RSA SecurID or similar, and have them authenticate before transactions are approved.

    Or am I missing something?

    1. Adam 52 Silver badge

      In this particular scam it's the "financially authorised company officer" that is doing the transfer.

      Unless you were proposing a method for the fraudsters to defend against a credential leak due to a Trojan PDF.

    2. Elmer Phud

      The higher you aim in an organisation, the easier it is for click-bait to work.

      1. Halfmad

        Sad but all too true, doesn't matter if it's a private company or a local council, from my experience over the years they're just as bad as each other when it comes to senior management thinking it won't happen to them or wanting a more convenient (lazy) solution for them, but a different more complicated (and secure) one for everyone else.

        1. Anonymous Coward

          >senior management thinking it won't happen to them or wanting a more convenient (lazy) solution for them, but a different more complicated (and secure) one for everyone else.

          Wow explains a lot of the problems in society huh?

    3. Flywheel

      That sounds eminently sensible to you and me, but in the world of bean-counters they'll probably say that the extra cost and procedural hassle doesn't warrant spending the money. "After all, how often do these frauds take place?"

    4. Tom Paine

      ...organisations need to start using 2-factor authentication for wire transfers. Give each financially authorised company officer an RSA SecurID or similar, and have them authenticate before transactions are approved. Or am I missing something?

      What you're missing is that the sort of broken organisations* that fall victim to BEC scams, by definition, don't know that such things are happening or that they're in danger from them. Sure, 2fa could break the kill chain, but so could any number of other, non-technical controls. The problem isn't that there's no way to prevent this happening, it's that the victim orgs don't know or care about them until it's too late.

      * "organisation" as a movable feast -- the accounts payable team can be considered "an organisation"

      1. Christoph

        2fa is not difficult! On my personal bank account, if I want to send money to a new payee I haven't paid before, I have to produce an authorisation code from the 2fa gadget.

        If I can do this for 10 quid, why can't large organisations do it for 10 million? If the CEO sends an email saying to pay a new account, that should be authorised with a one time code.

        1. Alien8n

          2fa will only work if the 2nd authorisation is from the CEO. The person sending the money is already authorised to send it, the issue is they're doing it believing their CEO has requested it.

          What is actually required is stronger internal processes that mean even the CEO has to fill in a transfer request form for any money transfers. It's then up to the Financial Controller to have the balls to turn round each time the CEO requests them to send money to someone that they fill in the form first and include that with the email. No form, no transfer. This then prevents 3rd parties from sending transfer requests that look authentic. And if the response to "where's the authorisation form?" is "I don't have it, can you send it to me" your next response is grab it off the server. You make emailing that form a disciplinary action, regardless of who's asking. It's an internal document, you want to make sure NO ONE outside the company can get their hands on it.

          And yes, I've worked for a company that got caught out with this scam. The issue being the CEO would send these exact kinds of requests. The scammer got caught out on the 2nd attempt as they used the wrong name for the CEO's wife. They research their victims very extensively.

          1. Mayhem

            Another defence is making sure that the account being wired to is preregistered in the system, so that the FC can approve it, and the system pays. That requires a paper trail that goes past more eyeballs. This idea of wiring a random account a large sum of money is really strange, but I guess at CEO level procedures are for the little people

            1. Alan Brown Silver badge

              "Another defence is making sure that the account being wired to is preregistered in the system, so that the FC can approve it, and the system pays."

              Funnily enough this is exactly how $orkplace operates - along with contact details of appropriate people in the organisation.

              Lots of grumbling about how slow this is to set up, but we get a steady stream of whaling emails and (so far) haven't been compromised.

              Any attempt to change the account details requires (at least) a phone call to the preregistered contacts and more usually an exchange of emails before it would get approved.

    5. TheVogon

      "organisations need to start using 2-factor authentication for wire transfers."

      Most already do. And / or multiple approvers.

      "Or am I missing something?"

      If you think that fixes this problem, then yes. The people making the transfers in each scammed company are those authorised to do so...

  2. frank ly

    Say What?

    "We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."

    Those scammers are really .....smart?

    1. Tom Paine

      Re: Say What?

      Smart enough to be getting a lot richer than you, I suspect, and certainly richer than me.

      If we're so much cleverer, how come we're all flat broke at the end of the month?

      1. not.known@this.address

        Re: Say What?

        Smarter than the people who fall for the scam, at any rate.

        Which isn't necessarily saying much since most people trust everything the computer says...

      2. Florida1920

        Re: Say What?

        If we're so much cleverer, how come we're all flat broke at the end of the month?

        OTOH, we're not being hunted by the law and facing prison. Not me, at least.

  3. Sir Barry

    Make a phone call

    We received an attempt a few weeks ago, our Financial Director received an email purporting to be from our European CEO instructing to wire funds urgently.

    One phone call uncovered it as a scam....

    1. lglethal Silver badge
      Facepalm

      Re: Make a phone call

      You seem to have a Financial Director who has something between his ears. Call me a cynic but I most certainly don't put him in the majority category.

      Most would look at the email they receive, and even if they think to make a phone call, would see a phone number in the email, and dial that number (rather than taking the two seconds to actually look up the phone number in the company directory). Then the CEO's "secretary" would confirm that he really does want the wire transfer but I'm afraid he's in a meeting at the moment. That's more than enough to get most things moving in most of these cases.

    2. Test Man

      Re: Make a phone call

      What I don't understand is why a Financial Controller, upon being told to move lots of company money, is not immediately checking the authenticity of that message? I mean, seeing as it's company money, they should NEVER accept that message at face value and should always verify it?

      Surely there should be business processes for moving money and it should always rely on verification of the original message?

      And anyone who is authorised to make these sort of decisions (i.e. someone who is allowed to ask for money to be moved) should know this?

      1. Andrew Moore

        Re: Make a phone call

        Usually it comes after years of weakening of standards at the management/board level. Controls and protocols are bypassed as they make "business difficult". Of course, the rank and file employee is still intended to jump thru all the hoops.

      2. Drefsab_UK

        Re: Make a phone call

        The problem often is that when you get higher up certain CEOs etc think policies/procedures apply to everyone but them. Often these emails are crafted in such a way to suggest that there is a business critical reason to break procedure for this transaction.

      3. Tom Paine

        Re: Make a phone call

        They're verifying it by looking at the "From:" field. If you think this class of attack is what will finally push PGP signatures into widespread use... I've this great garden bridge to sell you.

      4. Anonymous Coward

        Re: Make a phone call

        because the higher your salary level the less likely you are to suffer ANY bad consequences of any actions you do, perhaps?

        1. Prst. V.Jeltz Silver badge

          Re: Make a phone call

          indeed - look at that lady last week - Thrown out of her job at the top of one of the NHS trusts for incompetence - all the way down to, well, the next level down, where she is going to have to survive on 180k and brood about what she did! That'll teach her!

      5. Disgruntled of TW
        Facepalm

        Re: Make a phone call

        @Test Man - completely agree. A CFO that doesn't have the CEO's number on speed dial, isn't a CFO. Duh.

    3. kmac499

      Re: Make a phone call

      I'll bet if the FCO received an email from the boss saying "You're fired, clear your desk" they would check its authenticity; even if only to up their severance terms...

    4. Anonymous Coward

      Re: Make a phone call

      Likewise - the personal data in the email was remarkably convincing but what gave it away was the "Sent from my iPhone" humblebrag tag at the end - use an iPhone? Hahahahahaha

      1. Prst. V.Jeltz Silver badge

        Re: humblebrag

        humblebrag

        didn't know that was a thing, thanks AC

        calling things a "thing" is quite new too, and a bit "Joss Whedon"

      2. Duffaboy
        FAIL

        Re: Make a phone call

        Sent from my Fanbios iphone

    5. sitta_europea Silver badge

      Re: Make a phone call

      "... One phone call uncovered it as a scam...."

      It would have been cheaper to look at the email headers.

  4. GFK1

    Hoist by their own Petards

    It boggles the mind that these companies have such poor checks and balances that millions - MILLIONS! - can be sent out without any decent verification. A phone call to a secretary should not be all it involves. It's just plain incompetence.

    And the very CFOs who should be making sure those systems are in place are the ones being hoist by their own petards. There's a certain delightful irony to it - I wouldn't want to be in their shoes after one of these transfers.

    1. lglethal Silver badge
      Big Brother

      Re: Hoist by their own Petards

      Why? They'll just blame IT for the Scammers getting through to them in the first place. Then they'll sack a few low level workers to save some money and then collect their bonuses for reducing expenditure.

      Cynic, moi?

    2. Tom Paine

      Re: Hoist by their own Petards

      To be fair, it's never been a problem before -- it's only in the last few years that this type of attack has turned up.

      1. Doctor Syntax Silver badge

        Re: Hoist by their own Petards

        "the last few years"

        Years? These are people who should be aware of likely scams. If it takes a few years to find out about this one they're asleep at the wheel.

    3. not.known@this.address

      Re: Hoist by their own Petards

      Have you never worked for an organisation where people are expected to do things their seniors ask without questioning them? Having fallen foul of (previous, not current) Managers because they KNEW better than me, I would like to point out you don't always get the luxury of asking questions or suggesting that someone has asked for, or is about to do, something monumentally stupid...

      1. Vic

        Re: Hoist by their own Petards

        I would like to point out you don't always get the luxury of asking questions or suggesting that someone has asked for, or is about to do, something monumentally stupid...

        I got hauled into a "meeting" to discuss the fact that I didn't want to change code in a repository[1] that we'd already shipped. It would have left us with two versions of code in the field with a single revision number. My management couldn't see a problem with this...

        Vic.

        [1] Yes, SVN does allow this, although it requires some administrative effort.

    4. tfewster
      Facepalm

      Re: Hoist by their own Petards

      Hoist by their own Retards, more like. And I look forward to hearing of some CFO's being sacked and sued for such gross misconduct.

    5. Alan Brown Silver badge

      Re: Hoist by their own Petards

      "There's a certain delightful irony to it"

      This very website ran a story within the last month detailing how the CEO and CFO were _both_ shown the door after falling for a spear phishing scam.

  5. Mk4

    Is this just a puff piece for Sec Consult?

    There isn't any information showing that crims "hate him for it". Do they? How do you know?

    There is a proper place for puffery posing as journalism and it's in those horrible spamfomercials that go to my work email address pretty regularly. Don't just recycle a report about this security conflab and pass it off as news.

    I'd be interested in a properly researched piece with multiple unrelated examples of how this kind of defence is denting global crime. Is opening bank accounts really that hard? Where is the evidence.

    Go and get some stats from Europol, Interpol, FBI, whoever, and work it out.

    1. Robert Carnegie Silver badge

      Re: Is this just a puff piece for Sec Consult?

      I think hate is a reasonable inference from interfering with a criminal's business. Think "Valentine's Day Massacre". These are not forgiving people.

      However, hacking a criminal's Microsoft account name (or even their postal address) and sending it to police may not count as "evidence" that can be used.

  6. Pen-y-gors

    And the next e-mail is...

    Dear Friend in Christ,

    I am Inspector Daniel Matombe of the Nigerian State Police. I have recently locked a number of bank accounts containing a total of $47,000,000 (FORTY SEVEN MILLION DOLLARS) that has been stolen from major companies including your own. Please send me details of your losses, including your bank account details, together with a Western Union transfer for $10,000 to cover administration fees, and we will refund your stolen money at once.

  7. Hans 1
    Holmes

    Really cool what this guy did, but this is crazy:

    >Scammed funds are often wired between banks on its way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea, where money trails run cold.

    Wenzhou should lose its banking rights NOW, problem solved. Any other bank/city/country/whoCaresWhat where money trails go cold, same thing ... in the space of three days, no problem ... you've solved the problem ... a single money trail that goes cold, the bank on the receiving end loses banking rights. While you are at it, make moneygram & co legally responsible for the funds they transfer.

    That, sir, is dead easy common sense - of course, our politicians don't want that because they use these "banking services", too.

    1. Tom Paine

      The government of China are unlikely to take kindly to unilateral breaking of banking treaties they've signed up to. Neither will the legitimate businesses in that city. And don't you think the attackers will just move 30 miles south and start again in the next city? Seems unlikely that the AML / KYC / ATF compliance people in the banks in that one city are uniquely corruptible...

      1. Doctor Syntax Silver badge

        "The government of China are unlikely to take kindly to unilateral breaking of banking treaties they've signed up to."

        Do these treaties include investigation and prevention of fraud? If so just who is unilaterally breaking treaties?

        1. Anonymous Coward

          I can't help wondering if this is what is really behind Prime Minister May's "security" concerns about the Hinkley Point nuclear agreement. If it turns out the Chinese investment banks have even a taint of suspicion about laundering SCAM$ possibly looted from US corporations, well, it could be jolly embarrassing to explain to President Trump at the G8 dontchaknow!

          1. Alan Brown Silver badge

            "I can't help wondering if this is what is really behind Prime Minister May's "security" concerns about the Hinkley Point nuclear agreement."

            Quite possibly.

            The Chinese interest in Hinkley (and other nuke plants) being built (quickly and safely) is extreme self interest.

            If you look at a topographical map of China you'll understand why. Even a sea level rise of 2-3 metres will result in more than half of lowland China (home to 70% of the population) becoming tidal lagoons, marshes and mangrove swamps. They have a vested interest in cutting carbon emissions NOW and nuclear is the only long-term solution - current tech now, but LFTR or other safer tech as soon as it's viable (the biggest problem with current tech is the fact that it uses water in the radioactives loop, which is an inherently bad idea)

            (I could rant on with stats, but the short version is that with the best will in the world, no matter how much buildout of renewables there is, it'll only equal current electricity generation and that only accounts for 40% of carbon emissions at best. To replace heating/transport/etc you'll need to increase capacity by a factor of at least 6, probably 8 over current total levels and there's just not enough space for that many windmills/solar panels close enough to points of consumption to be able to economically send it over wires - sea crossings are notoriously low capacity+expensive+lossy and long lines are extremely expensive/lossy/visually intrusive due to tower height)

    2. John G Imrie
      Devil

      Wenzhou should lose its banking rights NOW, problem solved. Any other bank/city/country/whoCaresWhat where money trails go cold, same thing

      You can't do that. You'd shut down the City of London in under 24 hours.

  8. Xamol

    Secure Email

    Surely the solution for this kind of problem is a secure ID so that you know the sender is who they say they are? I would have thought this would be a simple solution to implement and a simple procedure to require it to be used for emails requesting money transfers?

    1. Pascal Monett Silver badge
      WTF?

      Don't think so

      The real solution is to have proper checks and balances, and a CRM solution that is up to date.

      If these spammers can send you mail that looks like your Financial Officer in <other country> needs money, then they can probably send you one that looks like the Secure Mail conditions are correct, even if the normal flags are red.

      Managers are not technical people. However, sending money should be an easy affair of telling the local accountant: send this amount to our <country> branch, and ask for a report as to why they need the money. The accountant then fires up his accounting package that has the IBAN account number and does the transfer.

      Of course, the real CEO of <country> branch then calls to find out what the hell is going on. The situation is resolved without trouble.

      The issue is only that people get mails telling them to wire money to an account in the email. Sorry, that should just never work. You tell me to send funds to one of my suppliers, I don't need your mail to know what account to send the money to. I will also check whether or not I have any pending invoices with that customer before sending anything.

      Organization, people. It is just inconceivable that major organizations depend on IBAN account numbers sent in emails to do their work. If they are so big as companies go, then they have all the details in their accounting packages, so why is this a problem?

      1. Alan Brown Silver badge

        Re: Don't think so

        "It is just inconceivable that major organizations depend on IBAN account numbers sent in emails to do their work. "

        The whaling scams I've seen purport to be from XYZ large supplier requesting a change of account details.

        The amazing part is that I've had people complain that the system won't just let them enter the details that have come in via email and as others have mentioned, will make the confirmation call to the phone number in the email, not the one already in the system. (Which is why the system won't just let them bang in changes. There's a procedure to follow for a reason and I don't give a monkeys if you're the CEO, I'm not deviating from it unless you give me an order in writing, indemnifying me from any consequential liabilities)

    2. Vic

      Re: Secure Email

      Surely the solution for this kind of problem is a secure ID so that you know the sender is who they say they are?

      Digital signatures have been possible for years.

      Now try to get that implemented in any commercial organisation. It's always "too hard"[1], and we need to understand that "loss of productivity costs real money"[2].

      Vic.

      [1] It isn't. It's actually rather easy.

      [2] There's a tiny amount of training required to teach people how to sign emails. But apparently, that costs too much, whereas the sort of losses we see from this article are acceptable costs of doing business.

  9. Christoph

    If all the ways of fiddling money transfers are blocked, how will the CIA manage its transfers?

  10. Hans 1
    FAIL

    Accenture?

    Anyone else notice the ONLY tech-savvy company, or so purported to be, is Accenture?

    I have talked to several of these guyz, show them CMD.EXE or PowerShell.exe and they wet their pants ... I am talking "consultants" here. No surprise to me that they are in that list, they would, generally, not know what 0wned means even if you hacked their website and put it on there.

    Now to the scary thing, a lot of you hire these IDIOTs in, to "solve" your IT problems ... and their standard line is: "You should scrap all those vendors and go Microsoft only, because, well, one vendor is better." I read that line all too often on here.

    To those that have fallen to this line, you probably don't know that the Redmond-based security-sieve purveyor and data-harvesting corp is their greatest investor. D'oh, I know.

    Not only are they telling you, the car mechanic, that a Swiss army knife is better, because, well, it has a spoon as well as the Phillips screwdriver, along with sizes 1/8, 1/4, 3/8, 2/4 spanners ... yes, you can repair a car with it AND go to lunch, who would need more than that, hey? They are doing so to please their investors.

    You will have guessed, Accenture consultants? I laugh them out of the building, only to return when my job's done at the clients ... I have the decency NOT to ridicule them in front of the client, but that might change soon!

    1. Valeyard

      Re: Accenture?

      Did someone from Accenture like... touch you anywhere?

  11. bombastic bob Silver badge
    Devil

    A positive story about hackers

    It's nice to see a positive story about hackers. MOST hackers aren't law breakers [they typically do engineering work, solving complex problems with rapidly adapting and often non-traditional techniques] and so are of the 'white-hat' variety. Some are black-hats, and these guys were arrested in THIS story. But you have to appreciate the 'grey-hat' hackers as well, like the "protagonist" of this story, sending the carefully crafted documents to the bad guys to reveal their identity.

  12. Anonymous Coward

    It amazes me in this day and age of technology that any company with large amounts of money doesn't use accounting software. I used to work for a billionaire real estate developer and I set up multiple controls and procedures for processing payments. First off the CEO never allowed wire transfers for anything, ever. If you wanted money out of this company the only way is for this procedure to happen in this order:

    New Vendors are verified by Accounts Payable over the phone and are required to supply tax id info and liability insurance.

    1. An invoice for payment is received by Accounts Payable in email or paper copy.

    2. Invoices are entered into the accounting software.

    3. Invoices are then approved/denied by the person who ordered the items on the invoice.

    4. Checks are then approved for printing by the Accounting Director.

    5. Accounts Payable then prints the checks, checks under $10,000 are printed with signature.

    6. Accounts Payable downloads a Positive Pay file from accounting software.

    7. Positive Pay file is sent to the CFO who then logs on to the bank with Two Factor Authentication (RSA SecurID) and then uploads the file, which then instructs the bank to allow the checks to be paid. Checks presented for payment that are not pre-approved in this manner are not paid.

    8. Printed checks are then presented to CEO for visual approval and a signature if over $10,000.

    9. Accounts Payable stuffs the checks in envelopes and they are mailed or picked up by a vendor.

    You would think that if there is so much money involved that these companies and banks wouldn't accept just a forged email to send out a wire transfer. If they allow such stupidity maybe they should be fired or lose the money that was stolen.
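The controls several commenters describe (Alien8n's "no form, no transfer", Mayhem's and Alan Brown's pre-registered payee whose details only change after a callback to the number already on file, Pascal Monett's point that the account number lives in the accounting package rather than in the email, and the nine-step positive-pay procedure above) can be expressed as a small payment-release model. The following Python is an added example written for this page, not code from any commenter or from any accounting product; the vendor, invoice, phone numbers and account identifiers are constructed placeholders, and the $10,000 signature threshold is the one quoted in the post.

```python
"""Payment-release controls modelled on the thread: verified payee registry,
callback-gated bank-detail changes, requester approval, a CEO signature above a
threshold, and positive pay on the bank side. Added example; all data constructed."""
from dataclasses import dataclass

SIGNATURE_THRESHOLD = 10_000  # checks above this need a CEO signature (figure from the post)


@dataclass
class Vendor:
    name: str
    account: str            # account number held in the accounting package (placeholder)
    phone_on_file: str      # verified at onboarding, never taken from an incoming email
    verified: bool = False  # set once Accounts Payable has verified the vendor by phone


@dataclass
class Invoice:
    number: str
    vendor: str
    amount: int
    requested_by: str
    approved_by: str = ""   # must be the person who ordered the items


class PaymentControls:
    def __init__(self):
        self.vendors = {}
        self.invoices = {}
        self.issued = {}    # check number -> (payee account, amount): the positive-pay list

    def register_vendor(self, vendor):
        self.vendors[vendor.name] = vendor

    def change_account(self, vendor_name, new_account, callback_number):
        """Bank-detail changes are confirmed by calling the number already on file."""
        vendor = self.vendors[vendor_name]
        if callback_number != vendor.phone_on_file:
            raise PermissionError("callback went to a number not on file; change refused")
        vendor.account = new_account

    def record_invoice(self, invoice):
        self.invoices[invoice.number] = invoice

    def approve_invoice(self, number, approver):
        invoice = self.invoices[number]
        if approver != invoice.requested_by:
            raise PermissionError("only the person who ordered the items may approve")
        invoice.approved_by = approver

    def issue_check(self, number, check_no, ceo_signed=False):
        """Pay a recorded, approved invoice; the payee account comes from the registry only."""
        invoice = self.invoices[number]
        vendor = self.vendors.get(invoice.vendor)
        if vendor is None or not vendor.verified:
            raise PermissionError("payee is not a verified, registered vendor")
        if invoice.approved_by != invoice.requested_by:
            raise PermissionError("invoice has not been approved by its requester")
        if invoice.amount > SIGNATURE_THRESHOLD and not ceo_signed:
            raise PermissionError("amount above threshold needs a CEO signature")
        self.issued[check_no] = (vendor.account, invoice.amount)
        return self.issued[check_no]

    def positive_pay_file(self):
        """What the CFO uploads to the bank: every check the company actually issued."""
        return dict(self.issued)


def bank_clears(positive_pay, presented):
    """Bank side of positive pay: an item clears only if number, payee and amount match."""
    return {check_no: positive_pay.get(check_no) == item for check_no, item in presented.items()}


def run_scenario():
    """Constructed walk-through; returns the outcome of each control for inspection."""
    ctl = PaymentControls()
    ctl.register_vendor(Vendor("Acme Supplies", "GB00ACME0000001", "+44 20 0000 0001", verified=True))
    ctl.record_invoice(Invoice("INV-1", "Acme Supplies", 25_000, requested_by="ops-manager"))
    out = {}
    # 1. An email asks to update Acme's account and "call this number to confirm".
    try:
        ctl.change_account("Acme Supplies", "GB00MULE0000009", callback_number="+44 20 9999 9999")
        out["account_change"] = "accepted"
    except PermissionError:
        out["account_change"] = "refused"
    # 2. A third party "approving" the invoice is rejected; the requester's approval is not.
    try:
        ctl.approve_invoice("INV-1", approver="ceo-mailbox")
        out["third_party_approval"] = "accepted"
    except PermissionError:
        out["third_party_approval"] = "refused"
    ctl.approve_invoice("INV-1", approver="ops-manager")
    # 3. Above the threshold the check is held until the CEO signs.
    try:
        ctl.issue_check("INV-1", check_no=1001)
        out["unsigned_large_check"] = "issued"
    except PermissionError:
        out["unsigned_large_check"] = "held"
    out["issued"] = ctl.issue_check("INV-1", check_no=1001, ceo_signed=True)
    # 4. The bank matches presented items against the positive-pay file; a forged 1002 bounces.
    presented = {1001: ("GB00ACME0000001", 25_000), 1002: ("GB00MULE0000009", 40_000)}
    out["cleared"] = bank_clears(ctl.positive_pay_file(), presented)
    return out


if __name__ == "__main__":
    for control, result in run_scenario().items():
        print(f"{control}: {result}")
```

The point of `issue_check` taking no account parameter is the one Pascal Monett makes: the payment path has no way to accept an account number from a message, so a convincing email changes nothing unless someone first gets past the callback in `change_account`, which only ever dials the number recorded at onboarding.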

    1. Wensleydale Cheese

      No cheques in my country

      "5. Accounts Payable then prints the checks, checks under $10,000 are printed with signature."

      Well, maybe for high value items (e.g. 10K+), but everything else is done by bank transfer.

      There's no reason why similar checks and balances to the ones you describe can't be incorporated into that of course.

  13. Herby
    Joke

    Why can't I...

    Send one of these scam emails to a government (after all they print the money) and have them drop off a load of cash.

    I'd probably end up in the hoosegow, but I'd live large for a couple of days. Then again with government efficiencies it might take a while. I get all these offers of IRS forgiveness all the time, so they must have some spare change floating around to line my pockets. I might even retire.

    Message to IRS: I am due a refund of (large) amount. Send it to me. Cash is OK.

  14. Anonymous C0ward

    Any internal-internal mail that fails SPF, originates in a NIC area you don't do business in, or has a from/reply-to domain with a close misspelling, should get dropped at the inbound MX and the originating server reported to several blacklists.
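The checks this comment lists, and sitta_europea's earlier remark that looking at the headers is cheaper than a phone call, come down to a few header comparisons that a gateway can make before a human ever sees the message. The Python below is an added example for this page, not code from any commenter or mail product. It assumes the gateway stamps an `Authentication-Results` header carrying the SPF verdict, uses `example-corp.com` as a placeholder company domain, and flags From/Reply-To domains within two edits of it; the messages are constructed. The "NIC area" test would need an IP-to-region lookup and is left out.

```python
"""Triage of mail claiming to be internal: SPF failure, Reply-To mismatch and
lookalike domains. Added example; domain and messages are constructed placeholders."""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"  # assumed company domain (placeholder)


def levenshtein(a, b):
    """Edit distance, used to spot close misspellings of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the address in a From/To/Reply-To header, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain):
    """Not our domain, but within two edits of it (a dropped, swapped or substituted letter)."""
    return domain != OUR_DOMAIN and 0 < levenshtein(domain, OUR_DOMAIN) <= 2


def spf_failed(msg):
    """True if any Authentication-Results header records an SPF fail or softfail."""
    for ar in msg.get_all("Authentication-Results", []):
        if re.search(r"\bspf=(fail|softfail)\b", ar, re.I):
            return True
    return False


def triage(raw):
    """Return the reasons to hold this message at the MX; an empty list means it passes."""
    msg = email.message_from_bytes(raw)
    from_dom = domain_of(msg.get("From"))
    to_dom = domain_of(msg.get("To"))
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else None
    reasons = []
    if from_dom == OUR_DOMAIN and to_dom == OUR_DOMAIN and spf_failed(msg):
        reasons.append("internal-to-internal mail failed SPF")
    if is_lookalike(from_dom):
        reasons.append(f"From domain {from_dom} is a lookalike of {OUR_DOMAIN}")
    if reply_dom is not None and is_lookalike(reply_dom):
        reasons.append(f"Reply-To domain {reply_dom} is a lookalike of {OUR_DOMAIN}")
    if reply_dom is not None and from_dom == OUR_DOMAIN and reply_dom != OUR_DOMAIN:
        reasons.append(f"Reply-To domain {reply_dom} differs from internal From domain")
    return reasons


# Constructed samples: a spoof of the CEO that fails SPF and redirects replies,
# a lookalike sender domain, and a genuine internal note.
SPOOFED = b"""Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=ceo@example-corp.com
From: "Jane CEO" <ceo@example-corp.com>
To: cfo@example-corp.com
Reply-To: "Jane CEO" <ceo@examp1e-corp.com>
Subject: Urgent wire today

Please process the attached wire before 3pm.
"""

LOOKALIKE_FROM = b"""From: "Jane CEO" <ceo@example-c0rp.com>
To: cfo@example-corp.com
Subject: Quick favour

Are you at your desk?
"""

CLEAN = b"""Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=alice@example-corp.com
From: alice@example-corp.com
To: bob@example-corp.com
Subject: Lunch

Canteen at 12?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE_FROM), ("clean", CLEAN)):
        print(name, triage(raw))
```

The SPF test only fires when both From and To are internal, which is exactly the case where a pass is expected: legitimate internal mail never arrives from an unauthorised sending host, so a failure there is a stronger signal than a failure on arbitrary inbound mail.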

  15. Anonymous Coward

    Do CEOs really order multi-million dollar expenses via email?

    To vendors with which their company has no prior business relationship? If so, they deserve what they get for having such poor internal controls.

  16. Anonymous Coward

    Wait... so these "hackers" are using Windows 10 machines and Outlook? I guess when you are just throwing emails over the fence at controllers, you don't need stealth mode equipment. Kind of funny that Windows' lacklustre security worked to their advantage and then to their disadvantage. Maybe that is MSFT's new security strategy... if anyone hacks you, you can hack them right back.

  17. Kiwi
    FAIL

    2016.. Still..

    Great that they're hurting the hurters to some degree, and recouping some of the losses of these big organisations (while the smaller ones who actually feel it may not get the same help but anyway...)

    But FFS, it's 2016! And you can still have your personal information lost or your computer harmed by opening a document on Windows!

    Come on MS, this sort of crap should've been ended 20 years ago. You claim to be an innovative company that produces secure software, so get with it!

  18. Anonymous Coward

    How to stop fools from making uhrm... fools of themselves?

    Answers in the mail please.

    Our CEO suddenly announced the acquisition of a business partner that we had had a long (i.e. a year) relationship with.

    They do not make any money. A year later and our CEO had to admit to the board of directors that his move was a bad one. Now we either have to think of something outlandishly smart, or offload the problem to somebody else.

    You can add as many two-step authentications as you wish, but the underlying problem is the same: Most smart people want to work with technology, not manage others. So the ones left applying for the top brass jobs are usually quite a bit short on the intelligence front. The light is on, but nobody is at home.

  19. Mandoscottie

    You have to give them credit, if companies are that inept to enforce 2FA with their banking systems, then fair play, they get everything they deserve.

    Even with our company bank accounts enabled with SecurID 2FA (with RBS no less) there really is no excuse.
