Slashdot Mirror


Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers

chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the one used against the grain trading firm Scoular in June 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.

36 comments

  1. Dumb and dumber by Anonymous Coward · · Score: 0

    Nuf said.

  2. Assuming the consequences of one's decisions by Thanshin · · Score: 4, Insightful

    You can't raise an army of slaves and then expect them to act as free men.

    You have to put autonomous thinkers and obeying sheep in their correct places; and there are plenty of both. If you put a sheep on the wrong post, don't go crying now about a problem that you created yourself*.

    *: Or your boss, if you're one of the sheep.

    1. Re:Assuming the consequences of one's decisions by rioki · · Score: 4, Interesting

      Actually, in the case of accountants you want pedantic non-free-thinkers. You basically tell them "These are the procedures to authorize any transaction; follow them or be fired. Even if the CEO turns up in person, get all required sign-offs before authorizing a transaction." There is a huge number of regulatory issues that need to be considered, and the sign-offs ensure that these are met and that the information is correct. Even if the CEO comes stomping in, the request to authorize a transaction may be legitimate, yet he may have the wrong account number.

    2. Re:Assuming the consequences of one's decisions by Anonymous Coward · · Score: 1

      don't go now crying about a problem that you created yourself*.

      *: Or your boss, if you're one of the sheep.

      That right there is the one principle that most of the worst and most idiotic managers use to try to "stay on top": create a problem, blame it on an employee you don't like, then deny everything and, if called directly on it by the employee, fire them, then tell everyone they were sexually harassing people, stealing from the company, were always late or smelled bad, etc. Just don't let it get back to the employee, because they can sue for slander.

      Managing is easy, it is even easier if you happen to be a sociopath or just a garden variety narcissistic asshole who can do no wrong.

    3. Re:Assuming the consequences of one's decisions by Anonymous Coward · · Score: 3, Insightful

      You basically tell them "These are the procedures to authorize any transaction; follow them or be fired.

      That directly makes me think about that city's IT head, who did just that and refused to tell the password to the city's computers when asked to do so with a group of unknown/unsecure people present.

      I do not know if he's still in jail (yes, he was locked up as a result of that refusal on standing orders), but he's certainly without a job and without any prospects to get another.

      In a good environment rules and regulations are there for everyone. In the run-of-the-mill environments rules and regulations are only there to pester underlings with (very handy when fingers need to be pointed), and to be violated with impunity by bosses. 'Cause their work is of course "too important" to be cramped by them.

      And there you are: underlings who get wise to how the shit flows (and how they, if they consider becoming "whistleblowers" and decide to contact the boss's boss, become outcasts or simply jobless), and as a result do not hold themselves responsible for anything a boss asks.

      As someone else here already said, if you're out to breed sheep then do not expect them to try to protect you when you get attacked by a wolf.

    4. Re:Assuming the consequences of one's decisions by PPH · · Score: 1

      Right.

      Consider Enron. Ken Lay was known for being a charismatic leader and for flying into a rage when his edicts were questioned. And look what happened to them (and him).

      --
      Have gnu, will travel.
    5. Re:Assuming the consequences of one's decisions by Penguinisto · · Score: 3, Informative

      Wait, no... wrong details, and it's not a good parallel to use.

      The dude in question was the lead network engineer for the City of San Francisco. Long story short, he had no standing policy to do what he did: he changed the supe passwords on all the city's core routers, locked everyone else out of the things, then refused to tell anyone what the new password was.

      I agree that he shouldn't have gone to jail over it, but TBH it was a dick move on his part.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    6. Re:Assuming the consequences of one's decisions by Anonymous Coward · · Score: 0

      Long story short, he had no standing policy to do what he did: he changed the supe passwords on all the city's core routers, locked everyone else out of the the things,

      Which was his job: Making sure everything was running and would keep running. In other words: securing the system against any kind of intrusion.

      To him that included letting as few people as possible know the password(s) to the system. And pardon me, but I see quite a bit of sense in that.

      And as a reminder: apart from "everyone" being locked out, the whole system ran as it should. Even when the guy was put into jail everything kept running as it was intended.

      then refused to tell anyone what the new password was.

      Wrong. He refused to "just give it" to anyone who claimed he had the right to know it.

      In his eyes divulging the password to such persons (a group of them no less) was like putting a loaded gun into a toddler's hand.

      I also suspect that if his bosses had asked him to plan for a contingency such as him being run over and killed by a bus he would probably have come up with a few ideas (if he hadn't already considered and planned for it, that is).

      Bottom line: the guy tried to do his f*cking job as well as he thought he had to, and his bosses didn't like it at all that he tried to play by the rules they had laid out for him.

    7. Re:Assuming the consequences of one's decisions by david_thornley · · Score: 1

      You're thinking of Terry Childs. He did not follow city policy or best practices, but changed all the passwords and put them, encrypted, on his personal laptop. This gave the network an unusually small bus factor, in that if either Childs or his laptop were hit by a bus the network would have to be basically rebuilt from scratch. I don't know what city policy would be, but best practice would be to keep all that information in a sealed envelope or some such, so that it would survive Childs.

      Childs did not have authority to create policy. The network belonged to the City of San Francisco, not Childs. He wasn't sticking to standing orders, but rather his own policy.

      After Childs was (apparently unfairly) dismissed, he refused to hand over passwords to authorized people, and made preparations to leave town, not providing the passwords. That's why he was arrested. As far as getting another job goes, I sure wouldn't want to hire an admin who would treat the network as his own to the extent of not providing a sealed copy of the passwords.

      Don't believe everything you read about

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  3. This could easily be prevented, by flightmaker · · Score: 1

    just like the prisoner who sent an email to get out, by using proper open source email clients and GPG digital signatures.

    1. Re:This could easily be prevented, by hcs_$reboot · · Score: 5, Funny

      or use Lotus Notes. Even the Chinese cannot understand how it works.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:This could easily be prevented, by ruir · · Score: 1

      Excellent sir, excellent. Having had to use it in a corporate setting in the past, I feel for anyone that has to endure the pain of using Lotus Notes.

    3. Re:This could easily be prevented, by CronoCloud · · Score: 1

      My killbot features Lotus Notes and a machine gun, it is the finest available.

      https://www.youtube.com/watch?...

    4. Re: This could easily be prevented, by Anonymous Coward · · Score: 0

      I've used Lotus Notes (end user) everyday for over 20 years now. Rock solid stable; integrated email, calendar, instant messaging, etc -- it is really great.

      Why the hate?

      Like grandparent said... it's impossible to actually use. Basic list selection behaviors -- things that Windows (and Mac OS, and hell, OS/2) had settled 25 years ago -- are a bizarre mess of columns with checkboxes in Notes.

      https://lotusnotessucks.wordpress.com/

      (What the fucking fuck are the hieroglyphics in that password dialog, supposed to mean, anyway?!)

  4. The next stage by chrysosphinx · · Score: 4, Funny

    will be CEO of a company forcing or tricking employees to make a fraudulent wire transfer which mimics a phishing scam.

    1. Re:The next stage by vux984 · · Score: 1

      So... Basically the plot of the Big Lebowski ?

  5. CYA by Anonymous Coward · · Score: 0

    I have never in my 27 years in IT, run across any Executive who would fault me for verifying and asking questions to avoid costly mistakes. I have had managers who are that utterly stupid, but they never rise above middle level manager and if they do, they usually piss so many people off with their nonsensical use of bullying that they are promoted out of a job (it happens.)

    If I were ever faulted for not verifying that a request to wire money was legitimate, I would quit because if a boss faults you for doing the right thing, he/she/it are an idiot and I don't work for idiots, simple really.

    1. Re:CYA by neo256 · · Score: 1

      Sounds like a nice place you have there.
      Too bad I also hear enough stories about companies filled with people at the top who keep each other afloat.

      Instead of purely looking at competence and other values that matter, they merely see friends among one another and refuse to see any wrongdoing unless it is thrown in their face in a way they can no longer avoid because it might hurt the company (too much).

      Maybe you happen to cross the right companies or I have been fed shit so far. I'm tempted to think the former.

  6. Editing by nospam007 · · Score: 1

    Hi,

    I'm a Nigerian Prince^h^h^h^h^h^h^h^h^h^h^h^h your boss ....

  7. That is why there are procedures by houghi · · Score: 2

    If you have procedures, you need to stick to them. But perhaps I am the exception who is not afraid to say no to my boss.

    And yes, I have been in situations where I did not do as my CxO requested. He mailed me a request and I told him I would not do it, because that was not according to procedure. He threatened me and I still did not do it.

    Obviously I placed all that I needed to cover my ass in the reply and added the reason as to why I would not do as requested.

    In the end it probably saved them several million in legal fees and fines. It was fun to see how things escalated after my denial.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:That is why there are procedures by rioki · · Score: 1

      The thing that many people seem not to realize is that, with legitimate and really important requests, you can get all sign-offs on quite short notice. The reason why most things take a while to authorize is that everybody does it on their own time and they have many to check. I already said it in another comment, but diverging from procedure is never a good idea, especially when something has to be done quickly.

    2. Re:That is why there are procedures by tlhIngan · · Score: 1

      The thing that many people seem not to realize is that, with legitimate and really important requests, you can get all sign-offs on quite short notice. The reason why most things take a while to authorize is that everybody does it on their own time and they have many to check. I already said it in another comment, but diverging from procedure is never a good idea, especially when something has to be done quickly.

      Even with urgent requests, approvals can come by right quick.

      The thing is, if the CEO or whatever needs something urgently, they know the process and they can make sure to pressure everyone else involved in the approval process to actually process that one approval ASAP.

      I've seen it done in well under an hour from request to final submission - the CEO just makes sure everyone is lined up to approve it. And this is in a serial approval process - you have something that needs approvals, and it goes up the chain - no one can sign out of turn.

      Normal approvals generally take a week or so, because everyone does it at their leisure. But in emergency situations, you can be sped up significantly.

  8. How Fucking stupid? by Anonymous Coward · · Score: 0

    Just how fucking stupid are people anyway?

  9. LOL ... by gstoddart · · Score: 1, Funny

    Sorry, but what?

    If my manager or my CEO send me an email demanding money they're going to get told to piss off.

    Maybe this will work in the accounting department, but on behalf of the rest of us ... fuck you assholes, you have more money than we do.

    What's that, my manager needs bail money? Wow, that's a bummer.

    --
    Lost at C:>. Found at C.
    1. Re: LOL ... by Anonymous Coward · · Score: 0

      It's not your money, it is the company's.

      The demands for your money are usually in the form of charitable contributions.

  10. Our company (nearly) had this happen by Anonymous Coward · · Score: 0

    The emails look pretty good -- they're even from an executive@company.com address that the spam filters see as a legit server! No, wait.. that's a "company.co" (no m) address -- which is surprisingly easy to pass up, especially when the signature line includes a link to "executive@company.com" with the 'm' not being part of the link, of course -- the visual difference between blue and black is very minor.

    Fortunately, the wording is a little weird (especially if you're from a region with distinctive patterns), and our CEO is a pretty nice guy so this threw our CFO for a loop. He just happened to pass'em in the hall shortly after the email and asked what it was all about -- surprise.

  11. I read that as Wife Transfers by Anonymous Coward · · Score: 0

    and Phraudulent

  12. Not happy. by operagost · · Score: 1

    Come on, where are the copies of these phishing emails? That's the fun part. I'd love to see what kind of process gets people to wire funds without so much as a phone call for confirmation.

    - Unsigned emails,
    - From an external domain that kinda looks legit (this won't even work with Exchange and Outlook; they will always know it's from a foreign system and notify the recipient),
    - Probably with unspecified urgency, without reference to procedure, and no means of tracking the request

    Yeah, if a simple phish beat your process, you should find a new career.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
    1. Re:Not happy. by operagost · · Score: 1

      OK, my bad. I see one of the links has an (unsatisfying) example that didn't load the first time I clicked on it.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  13. I've seen some of these things. by Mike+Van+Pelt · · Score: 1

    I've investigated a half dozen or so of these. It has been going on for a while; the first one I saw was about a year ago.

    Some of the common characteristics:

    They know the names, email addresses, and nicknames of the CEO, and the Treasurer and/or Controller.

    They address the Controller by name, with a little bit of social pleasantries, and often say what account the "expenditure" should be coded to. The first contact is pleasant, but says it's urgent and needs to be done right away. Subsequent emails get progressively more demanding.

    Early ones asked for the wire transfer to go to a bank in Shanghai, Singapore, or something. More recent ones are transfers to an individual's account in a U.S. bank. (Doubtless belonging to some poor gullible person who answered one of those "Well Paid Part Time Job Working From Home as a Financial Agent" spams.)

    Registering a .co domain to spoof a .com is popular, as are various other typosquatting tricks. Some cheapskate crooks just use a hotmail-type Reply-To, though.

    If the victim sends the money, another request will follow. Then another, and another, as long as they'll keep doing it.

    From last September: http://blog.barracuda.com/2014...

  14. Wait, what? by bmo · · Score: 2

    The fraudsters register "typo squatting" domains that look like the target company's domain,

    Since when do you need to effin' typo-squat a domain name to send something that looks like bossman@targetcompany.com to underling_grunt@targetcompany.com?

    The FROM: header can be anything. Hell, you can telnet to port 25 and type it in manually. It's been that way since forever-ago, as far as I can tell.

    I mean, come on, I've personally sent mail from satan@hell.org.

    --
    BMO

    1. Re:Wait, what? by Mike+Van+Pelt · · Score: 1

      And I've sent email From: Hillary. Yes, by telnetting to port 25. What the crooks get with typosquatting is that the actual To address of the reply looks very much like the To address they expect -- they don't notice that CEO@cornpany.com isn't the CEO@company.com they expect, where they might twig to the scam if it was CEO239874@hotmail.com.

    2. Re:Wait, what? by Mike+Van+Pelt · · Score: 1

      (Note ... this scam depends on two-way communication. When I did that telnet to prove to a friend that email was unauthenticated, if he'd replied, it would not have come to me.)

    3. Re:Wait, what? by bmo · · Score: 1

      That's what the Reply To: is for.

      It can be different from the From: header.

      Most people never check it.

      --
      BMO

    4. Re:Wait, what? by Mike+Van+Pelt · · Score: 1

      Most don't... but that's one more thing that might cause the mark to notice that something isn't right. These aren't blasted-by-the-billions spams. These are carefully researched, hand-crafted, targeted attacks. As much time as they're putting into it otherwise, a freebie domain at VistaPrint or something is a trivial bit of insurance.
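Added example (not from the story, Websense, or any commenter above): a small Python checker for the two header-level signals this page keeps coming back to, a sender domain that is a lookalike of the real one as in the story summary and the Mike Van Pelt replies (company.co, cornpany.com), and a Reply-To: that points somewhere other than From:, as bmo describes. It also catches the trick from the "Our company (nearly) had this happen" post, where the display name shows a corporate address while the real address is elsewhere. company.com is an assumed corporate domain and every message below is constructed for the example; none of the addresses are real.

```python
"""Lookalike-sender checks over raw e-mail headers (added example).

Assumptions, not from the page: the real corporate domain is company.com,
and the sample messages at the bottom are constructed for this example.
"""
from email import message_from_bytes, policy

CORP_DOMAIN = "company.com"  # assumed corporate domain

# Letter sequences that read as a different letter in many proportional fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse the homoglyph swaps listed above."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; 1 or 2 between distinct domains smells like a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, corp: str = CORP_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'missing' for a sender domain."""
    d, c = domain.lower(), corp.lower()
    if not d:
        return "missing"
    if d == c:
        return "internal"
    if normalize(d) == normalize(c):
        return "lookalike"      # cornpany.com, c0mpany.com
    if levenshtein(d, c) <= 2:
        return "lookalike"      # company.co, compnay.com
    return "external"           # hotmail.com, anything unrelated


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def first_address(msg, field: str):
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    hdr = msg.get(field)
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].addr_spec


def analyze(raw: bytes, corp: str = CORP_DOMAIN) -> dict:
    """Parse the headers of one message and report lookalike or mismatched senders."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = first_address(msg, "From")
    _, reply_addr = first_address(msg, "Reply-To")
    findings = []

    from_verdict = classify_domain(domain_of(from_addr), corp)
    if from_verdict == "lookalike":
        findings.append(f"From domain {domain_of(from_addr)} is a lookalike of {corp}")
    # Display name shows a corporate address, real address is somewhere else.
    if corp.lower() in from_name.lower() and domain_of(from_addr) != corp.lower():
        findings.append(f"display name shows {corp} but address is {from_addr}")

    reply_verdict = None
    if reply_addr:
        reply_verdict = classify_domain(domain_of(reply_addr), corp)
        if domain_of(reply_addr) != domain_of(from_addr):
            findings.append(f"Reply-To {reply_addr} diverts replies away from {from_addr}")

    return {"from": from_addr, "reply_to": reply_addr or None,
            "from_verdict": from_verdict, "reply_to_verdict": reply_verdict,
            "findings": findings}


# Constructed sample messages for the example; none of these are real mail.
SAMPLE_REPLY_TO = (
    b"From: Boss Man <bossman@company.com>\r\n"
    b"Reply-To: bossman.company@hotmail.com\r\n"
    b"To: controller@company.com\r\nSubject: urgent wire\r\n\r\n"
    b"Need this done before noon, no calls, I'm in meetings.\r\n"
)
SAMPLE_TYPOSQUAT = (
    b'From: "ceo@company.com" <ceo@company.co>\r\n'
    b"To: cfo@company.com\r\nSubject: transfer\r\n\r\nPlease process today.\r\n"
)
SAMPLE_HOMOGLYPH = (
    b"From: CEO <ceo@cornpany.com>\r\nTo: cfo@company.com\r\n"
    b"Subject: Re: Re: transfer\r\n\r\nAny update?\r\n"
)
SAMPLE_LEGIT = (
    b"From: cfo@company.com\r\nTo: controller@company.com\r\n"
    b"Subject: Q3 close\r\n\r\nSee attached.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("reply-to", SAMPLE_REPLY_TO), ("typosquat", SAMPLE_TYPOSQUAT),
                      ("homoglyph", SAMPLE_HOMOGLYPH), ("legit", SAMPLE_LEGIT)]:
        r = analyze(raw)
        print(f"{name:10} from={r['from_verdict']:9} reply_to={r['reply_to_verdict']} {r['findings']}")
```

The edit-distance threshold of 2 is deliberately loose: it will also flag a sister domain such as company.co.uk if one exists, so treat the output as a reason to pick up the phone, not as a verdict. A header check like this is the cheap, automatable part; it does nothing against a bare From: forgery of the real domain, which is what SPF/DKIM/DMARC on your own domain are for, and nothing at all replaces the out-of-band confirmation and sign-off procedure several commenters describe.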