Computerworld

Anatomy of a social engineering scam

Centrify CEO Tom Kemp warns others to be wary of emails

A convincing social engineering scam that targeted Centrify employees in 2014 and 2015 can be avoided if companies carefully verify any email that asks for a money transfer, says CEO Tom Kemp.

Kemp has detailed in a blog how his company was targeted by the email scam.

“A controller or finance type is told via email by the CFO or CEO to wire money to such and such account for what appears to be valid business reasons,” he wrote.

“Being good employees and not wanting to disregard the CEO or CFO, they follow directions to do so — all the while thinking that the CEO is asking them to do it, and not realising that they are sending money to crooks.”

The first attempt began on February 12, 2014. Centrify’s vice president of finance received an email purportedly from the company’s CFO, ‘Tim’, requesting a wire transfer of $357,493.41. The email looked as though it had been forwarded by Kemp.

The attachment was a PDF of wire instructions for a company called Indeva Corporation that had a US CitiBank account.

The vice president of finance replied to ‘Tim’ saying she needed to work with Centrify’s accounting manager to make the wire transfer happen.

Thankfully, after the vice president of finance spoke to the real CFO, they realised that the email was a hoax.

“We immediately deduced that the email was sent from a look-alike domain called ‘centrilfy.com’, which looks a lot like ‘centrify.com’. The crooks had also made a mistake in guessing at our email convention for first name.last name,” wrote Kemp.

He said the cyber criminals had researched, via the company’s website and possibly LinkedIn, its CEO, CFO and the staff member who processes wire transfers, before setting up a look-alike domain name and email accounts impersonating its CFO and CEO.

While Centrify got the domain name shut down, further attempts to defraud the company via wire transfer requests followed in 2015, from different domain names.

“We are now getting one of these scam emails per week,” wrote Kemp.

He provided some tips for companies that receive wire transfer requests:

Immediately walk over to your CFO and make sure that proper documentation and approvals are required for all wire transfers.

Make sure that every wire transfer maps to an actual purchase recorded in the accounting system.

Add multi-factor authentication to all key apps, including financial systems, so users can confirm they really are who they claim to be. Also layer on other identity controls, such as privileged session monitoring for sensitive systems, in case the crooks have compromised the credentials of key finance employees.

Have your marketing department or IT group start buying up domain names that are variations of your company name.
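The two tells Kemp describes (a sender domain one character away from the real one, and a local part that does not follow the company’s first name.last name convention) can be checked mechanically, and the same single-edit variants are the list a company would register or monitor under the last tip. The following is an added example, not Centrify’s code or anything from Kemp’s blog; it assumes the naming convention the article states, so the address ‘tom.kemp’ is an assumption, and the sample email is constructed to resemble the 2014 message rather than reproduce it.

```python
"""Flag inbound mail that matches the CEO/CFO wire-transfer scam pattern.

Added example, not Centrify's code.  Checks the two signs the article names:
a sender domain one edit away from the real one, and a sender local part that
breaks the company's first.last convention.  lookalike_domains() also yields
the candidate set a company would register or monitor.
"""
import email
import string
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "centrify.com"          # real domain named in the article

# Expected local parts for people a scammer would impersonate.  The article
# gives the convention (first name.last name) but not the real addresses, so
# "tom.kemp" is an assumption derived from that convention.
DIRECTORY = {
    "Tom Kemp": "tom.kemp",
}

# Words that, in a subject or body, mark a message as a payment request.
WIRE_WORDS = ("wire", "transfer", "payment", "invoice", "bank account")


def lookalike_domains(domain):
    """Return every domain one edit away from `domain`, plus common homoglyph swaps."""
    label, _, tld = domain.partition(".")
    letters = string.ascii_lowercase
    variants = set()
    for i in range(len(label)):                      # omission:      centify
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) + 1):                  # insertion:     centrilfy
        for c in letters:
            variants.add(label[:i] + c + label[i:])
    for i in range(len(label)):                      # substitution:  centrigy
        for c in letters:
            variants.add(label[:i] + c + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: cenrtify
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for old, new in (("m", "rn"), ("rn", "m"), ("l", "1"), ("i", "l"), ("o", "0")):
        if old in label:                             # homoglyphs:    centrlfy
            variants.add(label.replace(old, new))
    variants.discard(label)
    return {v + "." + tld for v in variants}


LOOKALIKES = lookalike_domains(COMPANY_DOMAIN)


def assess_message(raw):
    """Parse one RFC 5322 message and return a verdict plus the reasons for it."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg["From"] or "")
    local, _, domain = addr.lower().rpartition("@")
    findings = []

    if domain in LOOKALIKES:
        findings.append(f"sender domain {domain} is one edit away from {COMPANY_DOMAIN}")
    elif domain != COMPANY_DOMAIN:
        findings.append(f"sender domain {domain} is external")

    expected = DIRECTORY.get(display_name)
    if expected and local != expected:
        findings.append(f"display name {display_name!r} but local part {local!r} != {expected!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    asks_for_money = any(w in text for w in WIRE_WORDS)

    if findings and asks_for_money:
        verdict = "hold"      # route to the out-of-band check the article recommends
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


# Constructed sample modelled on the 2014 email: look-alike domain, wrong
# address convention, and a request to wire money.  Not the real message.
SCAM = """\
From: "Tom Kemp" <tomkemp@centrilfy.com>
To: vp.finance@centrify.com
Subject: Fwd: Wire transfer today
Content-Type: text/plain

Please process the attached wire instructions before close of business.
"""

if __name__ == "__main__":
    print(assess_message(SCAM))
```

The domain check is deliberately a set lookup rather than a fuzzy match so the same set can be handed to whoever registers or watches the variations; a "hold" verdict is meant to trigger the walk-over-to-the-CFO step, not to replace it, since a legitimately compromised mailbox would pass both checks.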

Inoculation the best remedy against social engineering

Former US black hat hacker Kevin Mitnick used social engineering to infiltrate companies during the 1990s. He now uses those skills to help organisations understand how to protect themselves.

Speaking at the CeBIT conference in Sydney in May this year, the CEO of Mitnick Security Consulting said that many attacks involve the exploitation of insecure web applications and the exploitation of humans through social engineering.

“With a lot of attacks, the foot in the door is through social engineering and then you can use technical exploits to gain access to targeted systems. That’s how the White House was hacked [in 2014]. The attackers got into the State Department using a phishing email,” Mitnick said.

He said that inoculation is the best remedy.

“Inform your employees that you do testing from time to time and have internal or external security people trying to con them,” he said.