In this blog, I talked about “whaling”—a refined kind of phishing attack in which hackers use spoofed or similar-sounding domain names to make it look like the emails they send are from your CFO or CEO. The idea is to have the target perform an action that they normally wouldn’t do, such as opening an infected attachment, or transferring money to the hacker’s bank account – because the CEO told you to.
Whaling can also describe emails sent to key personnel that purport to come from companies with which you do business, for example an invoice with a new account number to use when making an electronic payment. Of course, no one at your company would ever fall for that, right?
This is where our title subject comes into play. Mr. Rimasauskas, a Lithuanian hacker (full disclosure, LaPedis is a Lithuanian name) has been charged with tricking two US technology firms into wiring him $100m through…. You guessed it… a phishing scam.
Two Years in the Making
According to the US Department of Justice, Mr. Rimasauskas deceived the firms from at least 2013 up until 2015.
The papers state that he set up a company in Latvia with the same name as an Asian-based computer hardware manufacturer, and opened various accounts in its name at several banks.
He then sent targeted emails, containing invoices and routing information for bank accounts located in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong, to companies that did millions of dollars of business with the real manufacturer. The emails apparently were formatted in such a manner that employees at the two targeted companies didn’t think twice about wiring millions of dollars into the bogus accounts.
As I said before, you know that none of your employees would fall for this, because you are a big multinational with a big IT security budget, and fully-trained employees, right? Well think again, because while the companies were not named, they were described as US-based multinationals, with one operating in social media. OOPS!
Yet Another Learning Experience
My guess is that the employees who made the transfers are not bad people and probably try to do the right thing every day. But perhaps the right controls were not in place to ensure that money is being transferred to the right place for the right reason.
Ask yourself these questions:
- Are you training your employees to check carefully before they make a decision which can affect your bottom line?
- Do you have proper separation of duties policies and procedures in place to ensure that more than one pair of hands needs to perform a critical action?
- Do you back up your procedures with technology which can evaluate user access and point out when those procedures have been violated, accidentally or intentionally?
- Are you monitoring the actions of key employees and can you shut down a bad action before it hurts you so that you have time to review what is really going on?
A Message from Our Sponsor
As you might imagine, Micro Focus has some tools which can help lower your risk profile through automation. But automation can only be used to enforce policies and procedures which are already in place. If you do not have appropriate policies and procedures, you may want to start there. Once they are in place, you are ready to continue your risk reduction and compliance program.
If you don’t already have an identity and access management system (IDM), you may want to put one into place. This is one-stop shopping for all of your identity management needs, and depending on what you choose, it can work only for your IT systems, or it can also manage your cardkey access system and physical assets, like ours can.
Identity Governance (formerly called Access Review) can help you determine if you have separation of duties issues by scanning your systems and using rules to point out where the same person may have access to two functions which could present a risk to your organization.
And Privileged Account Manager (PAM) can be used for much more than just removing the need for admin access to systems, databases, applications, and the cloud. PAM also can monitor and record every session deemed critical to your organization. It also can manually or automatically terminate a rogue session based on your pre-defined level of risk.
Actions You Can Take
In summary, you first need policies and procedures. In this specific instance, when you get an invoice, do you check it for accuracy? Do you verify that the goods were received? How many people need to approve writing a check or transferring funds electronically? Do you verify where the check or funds are to be sent through your existing vendor contacts? Do you have the proper tools in place to enforce your policies and procedures?
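The questions above can be turned into a pre-payment check that runs before anyone releases funds. The following is an added example, not code from the original post and not a Micro Focus product: it compares an incoming invoice against a vendor master record captured at onboarding (sender domain, bank account) and enforces a two-approver rule above a threshold. The vendor record, the two invoices, the account numbers and the 10,000 dual-control threshold are all constructed sample data; the lookalike-domain test is a plain Levenshtein edit distance.

```python
"""Pre-payment checks for an incoming invoice (added example, constructed data).

Encodes the questions above as automatable controls: is the vendor on file,
did the invoice come from the vendor's known domain (or a lookalike of it),
do the bank details match the vendor master, and does the amount need two
distinct approvers before funds are released.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VendorRecord:
    name: str
    email_domain: str  # captured at onboarding, never taken from an invoice
    bank_account: str  # verified out of band at onboarding


@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    bank_account: str
    amount: float
    approvers: Tuple[str, ...] = ()


@dataclass
class Decision:
    action: str  # "approve" or "hold"
    findings: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def normalize_account(account: str) -> str:
    return "".join(account.split()).upper()


def check_payment_request(invoice: Invoice,
                          vendor_master: Dict[str, VendorRecord],
                          dual_control_threshold: float = 10_000.0) -> Decision:
    """Return 'approve' only if every control passes; otherwise 'hold' with reasons."""
    findings: List[str] = []
    vendor = vendor_master.get(invoice.vendor_name)
    if vendor is None:
        return Decision("hold", ["vendor not in vendor master; onboard it through the normal process first"])

    domain = sender_domain(invoice.sender_email)
    if domain != vendor.email_domain:
        if edit_distance(domain, vendor.email_domain) <= 2:
            findings.append(f"sender domain {domain!r} looks like {vendor.email_domain!r} but is not it")
        else:
            findings.append(f"sender domain {domain!r} does not match the domain on file")

    if normalize_account(invoice.bank_account) != normalize_account(vendor.bank_account):
        findings.append("bank details differ from the vendor master; confirm through the vendor contact already on file, not the invoice")

    if invoice.amount >= dual_control_threshold and len(set(invoice.approvers)) < 2:
        findings.append(f"amount {invoice.amount:,.2f} requires two distinct approvers")

    return Decision("hold" if findings else "approve", findings)


# Constructed sample data: a fictitious hardware vendor and two invoices.
VENDOR_MASTER = {
    "Example Hardware Co.": VendorRecord(
        name="Example Hardware Co.",
        email_domain="examplehardware.example",
        bank_account="EX00 0000 0000 0000 0001",
    )
}

GENUINE_INVOICE = Invoice(
    vendor_name="Example Hardware Co.",
    sender_email="billing@examplehardware.example",
    bank_account="EX00 0000 0000 0000 0001",
    amount=7_500.0,
    approvers=("ap.clerk",),
)

SUSPECT_INVOICE = Invoice(
    vendor_name="Example Hardware Co.",
    sender_email="billing@examp1ehardware.example",  # digit 1 in place of letter l
    bank_account="EX00 9999 9999 9999 0002",          # account not on file
    amount=2_000_000.0,
    approvers=("ap.clerk",),                          # only one approver
)

if __name__ == "__main__":
    for inv in (GENUINE_INVOICE, SUSPECT_INVOICE):
        decision = check_payment_request(inv, VENDOR_MASTER)
        print(inv.sender_email, "->", decision.action)
        for finding in decision.findings:
            print("   -", finding)
```

The point of the design is that every comparison is against data captured when the vendor was onboarded, so a changed account number or a near-miss domain on the invoice itself can never satisfy the check; a "hold" then routes the payment to a human who confirms with the vendor through the contact details already on file.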
And finally, please ensure that your employees are trained to recognize phishing and social engineering attacks and that you have a point of contact to report an attack. If a phishing attack is reported, think about how to prevent others from falling for the attack, such as a notification system or tools which can delete the phishing email from inboxes. If one person makes the catch on a phishing and social engineering attack, you need to let everyone else know about it.
As my colleague Simon Puleo points out, “It all boils down to the ‘human element’; the insider threat in this case is the unknowing employee coerced into doing the wrong thing through social engineering.”