Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Crime

Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers 36

chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June, 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.
This discussion has been archived. No new comments can be posted.

Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers

Comments Filter:
  • by Thanshin ( 1188877 ) on Wednesday April 01, 2015 @02:44AM (#49384341)

    You can't raise an army of slaves and then expect them to act as free men.

    You have to put autonomous thinkers and obeying sheep on their correct places; and there are plenty of both. If you put a sheep on the wrong post, don't go now crying about a problem that you created yourself*.

    *: Or your boss, if you're one of the sheep.

    • by rioki ( 1328185 ) on Wednesday April 01, 2015 @04:38AM (#49384631) Homepage

      Actually in the case of accountants you want pedantic non free thinkers. You basically tell them "These are the procedures to authorize any transaction; follow them or be fired. Even if the CEO turns up in person, get all required sign-offs before authorizing a transaction." There are a huge amount of regulatory issues that need to be considered and the sign offs ensure that these are met and that the information is correct. Even if the CEO comes stomping in, the request to authorize a transaction may be legitimate, yet he may have the wrong account number.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        You basically tell them "These are the procedures to authorize any transaction; follow them or be fired.

        That directly makes me think about that cities IT head, who did just that and refused to tell the password to the cities computers when asked to do so with a group of unknown/unsecure people present.

        I do not know if he's still in jail (yes, he was locked up as a result of that by standing orders refusal), but he's certainly without a job and without any prospects to get another.

        In a good environment rules

        • by PPH ( 736903 )

          Right.

          Consider Enron. Ken Lay was known for being a charismatic leader and for flying into a rage when his edicts were questioned. And look what happened to them (and him).

        • by Penguinisto ( 415985 ) on Wednesday April 01, 2015 @10:45AM (#49386657) Journal

          Wait, no... wrong details, and it's not a good parallel to use.

          The dude in question was the lead network engineer for the City of San Francisco. Long story short, he had no standing policy to do what he did: he changed the supe passwords on all the city's core routers, locked everyone else out of the the things, then refused to tell anyone what the new password was.

          I agree that he shouldn't have gone to jail over it, but TBH it was a dick move on his part.

        • You're thinking of Terry Childs. He did not follow city policy or best practices, but changed all the passwords and put them, encrypted, on his personal laptop. This gave the network an unusually small bus factor, in that if either Childs or his laptop were hit by a bus the network would have to be basically rebuilt from scratch. I don't know what city policy would be, but best practice would be to keep all that information in a sealed envelope or some such, so that it would survive Childs.

          Childs did

    • by Anonymous Coward

      don't go now crying about a problem that you created yourself*.

      *: Or your boss, if you're one of the sheep.

      That right there is the one principle that most of the worst and most idiotic managers do to try to" stay on top". create a prob;em, blame it on an employee you don't like, then deny everything and if called directly on it by the employee, fire them then tell everyone they were sexually harassing people, stealing from the company, were always late or smelled bad etc.. just don't let it get back to the employee, because they can sue for slander.

      Managing is easy, it is even easier if you happen to be a sociop

  • just like the prisoner who sent an email to get out, by using proper open source email clients and GPG digital signatures.

  • by Petr Kočmíd ( 3424257 ) on Wednesday April 01, 2015 @03:59AM (#49384529)
    will be CEO of a company forcing or tricking employees to make a fraudulent wire transfer which mimics a phishing scam.
  • Hi,

    I'm a Nigerian Prince^h^h^h^h^h^h^h^h^h^h^h^h your boss ....

  • by account_deleted ( 4530225 ) on Wednesday April 01, 2015 @05:56AM (#49384859)
    Comment removed based on user account deletion
    • by rioki ( 1328185 )

      The thing that many people seem not to realize is that, with legitimate and really important requests, you can get all signoffs in quite a short notice. The reason why most things take a while to authorize, is because everybody does it on their time and they have many to check. I already said it in a an other comment, but diverging from procedure is never a good idea, especially when something has to be done quick.

      • by tlhIngan ( 30335 )

        The thing that many people seem not to realize is that, with legitimate and really important requests, you can get all signoffs in quite a short notice. The reason why most things take a while to authorize, is because everybody does it on their time and they have many to check. I already said it in a an other comment, but diverging from procedure is never a good idea, especially when something has to be done quick.

        Even with urgent requests, approvals can come by right quick.

        The thing is, if the CEO or whate

  • LOL ... (Score:2, Funny)

    by gstoddart ( 321705 )

    Sorry, but what?

    If my manager or my CEO send me an email demanding money they're going to get told to piss off.

    Maybe this will work in the accounting department, but on behalf of the rest of us ... fuck you assholes, you have more money than we do.

    What's that, my manager needs bail money? Wow, that's a bummer.

  • Come on, where are the copies of these phishing emails? That's the fun part. I'd love to see what kind of process gets people to wire funds without so much as a phone call for confirmation.

    - Unsigned emails,
    - From an external domain that kinda looks legit (this won't even work with Exchange and Outlook; they will always know it's from a foreign system and notify the recipient),
    - Probably with unspecified urgency, without reference to procedure, and no means of tracking the request

    Yeah, if a simple phish b

    • OK, my bad. I see one of the links has an (unsatisfying) example that didn't load the first time I clicked on it.
  • I've investigated a half dozen or so of these. It has been going on for a while; the first one I saw was about a year ago.

    Some of the common characteristics:

    They know the names, email addresses, and nicknames of the CEO, and the Treasurer and/or Controller.

    They address the Controller by name, a little bit of social pleasantries, and often say what account the "expenditure" should be coded to. The first contact is pleasant, but says it's urgent, and needs to be done right away. Subsequent emails get progr

  • by bmo ( 77928 ) on Wednesday April 01, 2015 @02:41PM (#49388027)

    The fraudsters register "typo squatting" domains that look like the target company's domain,

    Since when do you need to effin' typo-squat a domain name to send something that looks like bossman@targetcompany.com to underling_grunt@targetcompany.com?

    The FROM: header can be anything. Hell, you can telnet to port 25 and type it in manually. It's been that way since forever-ago, as far as I can tell.

    I mean, come on, I've personally sent mail from satan@hell.org.

    --
    BMO

    • And I've sent email From: Hillary <root@whitehouse.gov>. Yes, by telnetting to port 25. What the crooks get with typosquatting is that the actual To address of the reply looks very much like the To address they expect -- they don't notice that CEO@cornpany.com isn't the CEO@company.com they expect, where they might twig to the scam if it was CEO239874@hotmail.com.
      • (Note ... this scam depends on two-way communication. When I did that telnet to prove to a friend that email was unauthenticated, if he'd replied, it would not have come to me.)
        • by bmo ( 77928 )

          That's what the Reply To: is for.

          It can be different from the From: header.

          Most people never check it.

          --
          BMO

          • Most don't... but that's one more thing that might cause the mark to notice that something isn't right. These aren't blasted-by-the-billions spams. These are carefully researched hand-crafted, targeted attacks. As much time as they're putting into it otherwise, a freebee domain at VistaPrint or something is a trivial bit of insurance.

Keep up the good work! But please don't ask me to help.

Working...