The anatomy of a spearphishing scam, or how to steal $100M with a fake email
The email address used by the assailant was a dead giveaway that something was wrong.
A lawsuit filed on April 14 by U.S. Attorney for the Southern District of New York Preet Bharra gives an insider's view on how frighteningly easy it is for a company to be duped out of a huge sum of money. In this case almost $100 million.
The civil forfeiture lawsuit was filed in federal court in New York City and is being brought on behalf of an unidentified American company that was suckered out of $98.9 million over a four-week period late last summer. Luckily, the majority of the money has already been recovered and this suit is specifically going after the remaining $25 million that is being held in at least 20 overseas banks, according to court documents.
“This is more than twice as large as any reported loss that we have seen,” Ryan Kalember, Proofpoint's vice president of Cybersecurity Strategy, told SCMagazine.com in an email Friday.
What this case perfectly illustrates is the step-by-step process a criminal can take implementing such a scam and all of the warnings that were ignored by the victim.
Considering the massive pile of money involved, the scheme itself was extremely simple and used by cybercriminals every day, albeit to normally steal smaller amounts of plain old data. It was a classic spearphishing attack.
According to Bharra's suit, the scam was initiated around Aug. 10, 2015, when the victimized company received an email purportedly from an Asian-based vendor with which it has frequently done business in the past. The email in question contained the name D Talan, AR and was not picked up not by the victim company itself. Instead it came to an email address set up and monitored by an outside firm hired by the victim to deal with its vendors and other payees.
The initial email from Talan simply asked for some background information regarding its billing history with the victim. This information was supplied on August 11 and then that same day a follow up email was received by the vendor's partner from Talan informing the company that the “vendor's” banking information would be changing and they wished to know who to contact at the victim company to make the change so any payments would go to the correct account. On August 17 Talan gave the victim's payment partner the new account information and it was placed into the victim's system.
Starting around August 21 the payment partner began sending a series of 16 payments to the new, fraudulent account, as part of its usual business. All appeared to be going well when on September 14 both the victim and its payment company received word from the real vendor that it had not received any payments starting August 22, or the day after Talan's account information was input into the system.
A quick investigation ensued and when Talan's email was studied it was quickly discovered to have several irregularities, including a @mail.md domain instead of the vendor's corporate domain name. In addition, it indicated that the domain was hosted in Moldova, far from the vendor's true location in Asia.
The final indicator that something was amiss was that the funds were deposited into a Eurobank facility in Cyprus, and not at a bank in the vendor's home nation.
If any of these indicators had been flagged from the start the entire scam would have been stopped in its tracks.
“Employees should be suspicious if they receive a request for unusual information or a wire transfer via email, even if it appears to come from a high-level executive. Check the reply-to email address and always call to confirm. If a vendor changes their wiring instructions over email, call them to confirm. If the CEO requests a significant transfer that is unusual, call him or her to confirm it. If the email header has a warning from your email security system, such as a subject like [BULK] or [SUSPICIOUS], then contact the vendor directly on the phone, do not enter the invoice for payment,” Kalember said.
A U.S. magistrate working with Eurobank quickly froze the Cypriot account stopping about $74 million of the stolen money from moving out.
This was an extremely lucky and somewhat rare occurrence as most wire transfers one completed are tough to reverse.
“Recovering money can be difficult if sent by wire. As the transaction may be irreversible within a short time window. There have been many variations of these scams in the past and they have been going on for some time. Luckily, international law enforcement has been taking note of these scams to better monitor, mitigate the financial losses and arrest the criminals responsible,” Terrence Gareau, chief scientist of Nexusguard, told SCMagazine.com in an email.
The victim was not so lucky with its remaining funds because the bad guys had almost immediately moved them from Eurobank and spread them around to 19 other banks to help duck authorities.
The court document did indicate that U.S. authorities know where those accounts are located with one being in Estonia.