Cyber Criminals Target Wire Transfers
Do you or a client work in an industry where wire transfers are common? Think real estate (commercial or residential), law, finance, architecture, construction, or manufacturing, to name a few. If you do, you need to take care EVERY time you are involved in (either sending or receiving) a money transfer via wire.
Yesterday, an Ashton client almost suffered a $130,000 mistake. They called our help desk in the midst of a 45-minute period, late in the business day, when one of their principals was receiving more than 100 spam emails every ten minutes. Think about that: in the course of 45 minutes, one person received over 600 spam emails, completely clogging their inbox and making it hard for them to find legitimate emails.
Our natural first course of action was to check the spam filter and trace the emails back to their senders. Unfortunately, all of the emails were coming from legitimate (and unique) Office 365 IP addresses, so our only recourse would’ve been to completely lock the filter, at which point no emails would get through. By resetting the user’s Outlook password, however, the spam stopped. Temporarily. Seemingly, somebody had gotten access to our end user’s credentials. As multi-factor authentication was in place, there was no concern that the bad actor had taken over control of our user’s email account itself, but a mailbox hijacked for relaying purposes is still an issue.
More digging turned up the fact that our client (we’ll call them ‘Firm A’) was owed $130,000 by one of their clients (‘Firm B’). This spam attack commenced immediately following an email conversation between Firm A and Firm B regarding payment of the outstanding balance. That led us to the realization that Firm B’s user had also been compromised, most likely by unknowingly providing their email credentials to a scammer. It’s likely that compromise took place days, if not weeks, ago.
The scammer had access to Firm B’s mailbox for an extended period of time. After seeing some mention of a balance due, they patiently waited and watched for the wire transfer process to begin. At the same time, they created a spoofed email address, hoping to trick Firm B into believing that the scammer was actually Firm A (for example, the Firm A user’s email is user@firma.com, and the scammer created a new address user@firrma.com; notice the additional ‘r’ in the domain). Once the scammer saw an email showing that the wire was imminent, they sent an email from the spoofed address to Firm B, providing wire transfer details. In the meantime, the Firm A user was receiving hundreds of spam emails, in hopes that they would miss any legitimate emails (from Firm B) regarding the wire transfer.
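One way to turn the lookalike-domain trick above into an inbound check, as an added example that is not from the original post: it flags a sender domain within a couple of edits of a known counterparty and holds any wire-related message for a phone call. The trusted-domain list, wire-related terms and sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list of counterparties this firm sends wires to or receives wires from.
TRUSTED_DOMAINS = {"firma.com", "firmb.com"}
# Terms that indicate a payment instruction; per the post, every one of these gets a phone call.
WIRE_TERMS = re.compile(r"\b(wire|routing|account number|updated (bank|payment) details)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Trusted domain that `domain` imitates (within max_distance edits), else None.
    An exact match is trusted; 'firrma.com' is one edit from 'firma.com' and is flagged."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = min(((levenshtein(domain, t), t) for t in trusted), default=(max_distance + 1, None))
    return best[1] if best[0] <= max_distance else None


def review_message(raw: str) -> dict:
    """Classify an inbound message's sender and decide whether it must be confirmed by phone."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    imitates = lookalike_of(domain)
    wire_talk = bool(WIRE_TERMS.search(body))
    return {"domain": domain, "imitates": imitates, "wire_talk": wire_talk,
            "hold_for_call": imitates is not None or wire_talk}


# Constructed sample resembling the spoofed message described above.
SAMPLE = """From: Jane Doe <user@firrma.com>
To: accounts@firmb.com
Subject: Re: Outstanding balance

Please send the wire to our updated account number below.
"""

if __name__ == "__main__":
    print(review_message(SAMPLE))
```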
Firm B received the email with wire transfer specifics from a spoofed address, and, not realizing the spoof, began the process of wiring $130,000. Fortunately for both Firm A and Firm B, Firm A was working with the Ashton team to determine the cause of the spam attack. And, as the Ashton team was reviewing the hundreds of emails, we came across the email from the spoofed address. At that point, our client (Firm A) called Firm B to let them know that they were under attack and the wire transfer was stopped just in time.
Takeaways
- Don’t share passwords/login credentials unless you know exactly with whom you’re sharing them.
- If you receive an email asking for login creds to view an attachment or login to a website, confirm with the sender that this is a required step in the process.
- Employ multi-factor authentication for all of your users.
- Call to confirm any wire transfer requests (yes, it’s an extra step, but it could save you a lot of money!)
While high-quality firewalls, spam filters, and endpoint protection are an absolute necessity, none of those tools could’ve stopped this attack. The only hope is to have an educated and vigilant workforce that is always on the defensive. In this case, the bad actors used a combination of phishing (to snag login creds), spoofing (creating a similar email address), and social engineering (watching emails, waiting for the wire transfer to commence) against two different parties. To be honest, we were quite impressed by the depth and breadth of this attack. The worrisome part is that these attacks are only getting better.