Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers
chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.
According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.
The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.
Websense notes the similarities between the technique used in the latest phishing attack and the one used against the grain trading firm Scoular in June 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.
Assuming the consequences of one's decisions (Score:5, Insightful)
You can't raise an army of slaves and then expect them to act as free men.
You have to put autonomous thinkers and obeying sheep in their correct places; and there are plenty of both. If you put a sheep on the wrong post, don't go crying now about a problem that you created yourself*.
*: Or your boss, if you're one of the sheep.
Re:Assuming the consequences of one's decisions (Score:5, Interesting)
Actually, in the case of accountants you want pedantic non-free-thinkers. You basically tell them "These are the procedures to authorize any transaction; follow them or be fired. Even if the CEO turns up in person, get all required sign-offs before authorizing a transaction." There is a huge number of regulatory issues that need to be considered, and the sign-offs ensure that these are met and that the information is correct. Even if the CEO comes stomping in, the request to authorize a transaction may be legitimate, yet he may have the wrong account number.
Re: (Score:3, Insightful)
That directly makes me think about that city's IT head, who did just that and refused to tell the password to the city's computers when asked to do so with a group of unknown/insecure people present.
I do not know if he's still in jail (yes, he was locked up as a result of that refusal of standing orders), but he's certainly without a job and without any prospects of getting another.
In a good environment rules
Re: (Score:2)
Right.
Consider Enron. Ken Lay was known for being a charismatic leader and for flying into a rage when his edicts were questioned. And look what happened to them (and him).
Re:Assuming the consequences of one's decisions (Score:4, Informative)
Wait, no... wrong details, and it's not a good parallel to use.
The dude in question was the lead network engineer for the City of San Francisco. Long story short, he had no standing policy to do what he did: he changed the supe passwords on all the city's core routers, locked everyone else out of the things, then refused to tell anyone what the new password was.
I agree that he shouldn't have gone to jail over it, but TBH it was a dick move on his part.
Re: (Score:2)
You're thinking of Terry Childs. He did not follow city policy or best practices, but changed all the passwords and put them, encrypted, on his personal laptop. This gave the network an unusually small bus factor, in that if either Childs or his laptop were hit by a bus the network would have to be basically rebuilt from scratch. I don't know what city policy would be, but best practice would be to keep all that information in a sealed envelope or some such, so that it would survive Childs.
Childs did
Re: (Score:1)
don't go now crying about a problem that you created yourself*.
*: Or your boss, if you're one of the sheep.
That right there is the one principle that most of the worst and most idiotic managers use to try to "stay on top": create a problem, blame it on an employee you don't like, then deny everything, and if called directly on it by the employee, fire them, then tell everyone they were sexually harassing people, stealing from the company, were always late or smelled bad, etc. Just don't let it get back to the employee, because they can sue for slander.
Managing is easy, it is even easier if you happen to be a sociop
This could easily be prevented, (Score:1)
just like the prisoner who sent an email to get out, by using proper open source email clients and GPG digital signatures.
Re: (Score:2)
My killbot features Lotus Notes and a machine gun, it is the finest available.
https://www.youtube.com/watch?... [youtube.com]
The next stage (Score:5, Funny)
Re: (Score:2)
So... Basically the plot of the Big Lebowski ?
Re: (Score:1)
Too bad I also hear enough stories about companies filled with people at the top who keep each other afloat.
Instead of purely looking at competence and other values that matter, they merely see friends among one another and refuse to see any wrongdoing unless it is thrown in their face in a way they can no longer avoid because it might hurt the company (too much).
Maybe you happen to cross the right companies or I have been fed shit so far. I'm tempted to think the
Editing (Score:2)
Hi,
I'm a Nigerian Prince^h^h^h^h^h^h^h^h^h^h^h^h your boss ....
Comment removed (Score:3)
Re: (Score:2)
The thing that many people seem not to realize is that, with legitimate and really important requests, you can get all sign-offs on quite short notice. The reason why most things take a while to authorize is that everybody does it on their own time and they have many to check. I already said it in another comment, but diverging from procedure is never a good idea, especially when something has to be done quickly.
Re: (Score:2)
Even with urgent requests, approvals can come by right quick.
The thing is, if the CEO or whate
LOL ... (Score:2, Funny)
Sorry, but what?
If my manager or my CEO sends me an email demanding money, they're going to get told to piss off.
Maybe this will work in the accounting department, but on behalf of the rest of us ... fuck you assholes, you have more money than we do.
What's that, my manager needs bail money? Wow, that's a bummer.
Not happy. (Score:1)
Come on, where are the copies of these phishing emails? That's the fun part. I'd love to see what kind of process gets people to wire funds without so much as a phone call for confirmation.
- Unsigned emails,
- From an external domain that kinda looks legit (this won't even work with Exchange and Outlook; they will always know it's from a foreign system and notify the recipient),
- Probably with unspecified urgency, without reference to procedure, and no means of tracking the request
Yeah, if a simple phish b
I've seen some of these things. (Score:2)
I've investigated a half dozen or so of these. It has been going on for a while; the first one I saw was about a year ago.
Some of the common characteristics:
They know the names, email addresses, and nicknames of the CEO, and the Treasurer and/or Controller.
They address the Controller by name, a little bit of social pleasantries, and often say what account the "expenditure" should be coded to. The first contact is pleasant, but says it's urgent, and needs to be done right away. Subsequent emails get progr
Wait, what? (Score:3)
The fraudsters register "typo squatting" domains that look like the target company's domain,
Since when do you need to effin' typo-squat a domain name to send something that looks like bossman@targetcompany.com to underling_grunt@targetcompany.com?
The FROM: header can be anything. Hell, you can telnet to port 25 and type it in manually. It's been that way since forever-ago, as far as I can tell.
I mean, come on, I've personally sent mail from satan@hell.org.
--
BMO
Re: (Score:2)
That's what the Reply To: is for.
It can be different from the From: header.
Most people never check it.
--
BMO
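The two signals raised in this thread, a lookalike (typo-squatted) sender domain and a Reply-To that points somewhere other than the From, can both be checked mechanically before a wire request ever reaches a controller. The following is an added defender-side example, not code from the article, Websense or any commenter; the trusted domain, the executive name and the three sample messages are constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the company's real domain and the display
# names of executives whose mail should only ever originate from that domain.
TRUSTED_DOMAIN = "targetcompany.com"
EXEC_NAMES = {"jane doe"}

def domain_of(header_value):
    """Return the lowercased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def looks_like(domain, trusted, threshold=0.85):
    """True if domain is NOT the trusted domain but is near-identical to it."""
    if not domain or domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= threshold

def flag_message(raw, trusted=TRUSTED_DOMAIN, exec_names=EXEC_NAMES):
    """Return a list of reasons this message deserves out-of-band verification."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = domain_of(msg.get("Reply-To"))
    reasons = []
    if looks_like(from_dom, trusted):
        reasons.append(f"lookalike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_name.lower() in exec_names and from_dom != trusted:
        reasons.append(f"executive name {from_name!r} sent from outside {trusted}")
    return reasons

# Constructed samples: 'rn' in place of 'm' is a classic lookalike.
PHISH_LOOKALIKE = """From: "Jane Doe" <jane.doe@targetcornpany.com>
To: controller@targetcompany.com
Subject: Urgent wire

Please process the wire today and confirm when done.
"""
PHISH_REPLYTO = """From: "Jane Doe" <jane.doe@targetcompany.com>
Reply-To: <jane.doe@targetcornpany.com>
To: controller@targetcompany.com
Subject: Urgent wire

Reply to me directly on this one.
"""
LEGIT = """From: "Jane Doe" <jane.doe@targetcompany.com>
To: controller@targetcompany.com
Subject: Q3 budget

Attached as discussed.
"""
```

Messages with a non-empty reason list are the ones to hold for a phone call back to the executive on a known number, rather than a reply to the message itself.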