By Charles Parker, II; Cybersecurity Lab Engineer

Attackers have been motivated by money. The focus has been the cash flow for the nefarious operation. One area that receives significant attention as an attack method is social engineering or phishing. With either active or passive attacks, the effects can be substantially expensive and costly in terms of expense and hours spent fixing this issue. A sub-attack along this same idea is spear phishing or a targeted phishing attack. A very profitable version of this involves targeting the finance or accounting office staff members, as this area controls the cash and vendor payments.

In order to initiate the fraud and attack, the attackers have to make contact with the staff members. This contact is generally an email from someone in a senior position (e.g. the CEO or CFO) directs the accounting or finance staff member to wire a specific amount of funds to a bank, which happens to be in a different country and to a different bank and account number. As an alternative, the attackers could fraudulently claim to be a vendor. These attacks have been names the executive wire scam (EWS) and business email compromise (BEC).

Recent Successful Attack
The prior recent attacks have grossed the attacker anywhere from a few hundred dollars to tens of thousands of dollars. An exemplary incident occurred on April 2017 with a significant payday for the attackers. Southern Oregon University published it had been a victim of this attack. The attackers perpetrated a massive attack and fraud against the educational entity. The attackers, pretending to be Andersen Construction, sent an invoice from an email account that appeared correct, wired to an account.

This account was not Andersen Construction’s account. The attackers completed their reconnaissance of the current situation for the University, noting that Andersen Construction had been contracted to construct the University’s McNeal Pavilion and Student Resource Center. Fortunately for the University, a portion of the funds may be recovered.

Training, Training, Training
Although this is not the optimal situation for the University, this does provide a great opportunity for training. This teachable moment is for any business. When the staff receives one of these requests, the staff member should verify the direct request from the C-level or manager. This attack only requires is a simple call or email. The email, however, would need to be a newly created email, and not a reply. Also, if there were to be significant or odd changes, such as a newly created email, and not a reply to the initial email. Also, if there were to be significant or odd changes, such as a new bank, bank account number, or if the new bank is in a different country, the transaction should be verified with the appropriate parties.

The email itself should be reviewed. When there are grammar errors and/or spelling errors, there generally is a problem.

Common-sense should be applied to these circumstances. This and other successful attacks may all be used for training and to improve the business security stance.

Resources
Arsene, L. (2017, June 12). Southern Oregon university victim of $1.9 million email fraud. Retrieved from https://hotforsecurity.bitdefender.com/blog/southern-oregon0university-victim-of-1-9-million-email-fraud-18197.html
Cluley, G. (2017, June 13). How a single email stole $1.9 million from Southern Oregon University. Retrieved from https://www.tripwire.com/state-of-security/security-data-protection/single-email-stole-1-9-million-southern-oregon-university/#new_tab
Dellinger, A.J. (2017, June 13). Fraudulent email: Business email compromise attack costs southern Oregon university $2M. Retrieved from http://www.ibtimes.com/fraudulent-emial-business-email-compromise-attack-costs-southern-oregon-university-2m-2551724

About the Author
Charles Parker, II began coding in the 1980s. Presently CP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry.
CP is presently completing the Ph.D. (Information Assurance and Security) with completing the dissertation. CP’s interests include cryptography, SCADA, and securing communication channels.
He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at charlesparkerii@gmail.com and InfoSecPirate (Twitter).