Slashdot Mirror


Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers

chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the one used against the grain trading firm Scoular in June 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.

8 of 36 comments

  1. Assuming the consequences of one's decisions by Thanshin · · Score: 4, Insightful

    You can't raise an army of slaves and then expect them to act as free men.

    You have to put autonomous thinkers and obeying sheep on their correct places; and there are plenty of both. If you put a sheep on the wrong post, don't go now crying about a problem that you created yourself*.

    *: Or your boss, if you're one of the sheep.

    1. Re:Assuming the consequences of one's decisions by rioki · · Score: 4, Interesting

      Actually, in the case of accountants you want pedantic non-free-thinkers. You basically tell them "These are the procedures to authorize any transaction; follow them or be fired. Even if the CEO turns up in person, get all required sign-offs before authorizing a transaction." There are a huge number of regulatory issues that need to be considered, and the sign-offs ensure that these are met and that the information is correct. Even if the CEO comes stomping in, the request to authorize a transaction may be legitimate, yet he may have the wrong account number.

    2. Re:Assuming the consequences of one's decisions by Anonymous Coward · · Score: 3, Insightful

      You basically tell them "These are the procedures to authorize any transaction; follow them or be fired.

      That directly makes me think about that city's IT head, who did just that and refused to tell the password to the city's computers when asked to do so with a group of unknown/insecure people present.

      I do not know if he's still in jail (yes, he was locked up as a result of that refusal, by standing orders), but he's certainly without a job and without any prospects to get another.

      In a good environment rules and regulations are there for everyone. In run-of-the-mill environments rules and regulations are only there to pester underlings with (very handy when fingers need to be pointed), and to be violated with impunity by bosses. 'Cause their work is of course "too important" to be cramped by them.

      And there you are: underlings who get wise to how the shit flows (and how they, if they consider becoming "whistleblowers" and decide to contact the boss's boss, become outcasts or simply jobless), and as a result do not hold themselves responsible for anything a boss asks.

      As someone else here already said, if you're out to breed sheep then do not expect them to try to protect you when you get attacked by a wolf.

    3. Re:Assuming the consequences of one's decisions by Penguinisto · · Score: 3, Informative

      Wait, no... wrong details, and it's not a good parallel to use.

      The dude in question was the lead network engineer for the City of San Francisco. Long story short, he had no standing policy to do what he did: he changed the supe passwords on all the city's core routers, locked everyone else out of the things, then refused to tell anyone what the new password was.

      I agree that he shouldn't have gone to jail over it, but TBH it was a dick move on his part.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Re:This could easily be prevented, by hcs_$reboot · · Score: 5, Funny

    or use Lotus Notes. Even the Chinese cannot understand how it works.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  3. The next stage by chrysosphinx · · Score: 4, Funny

    will be CEO of a company forcing or tricking employees to make a fraudulent wire transfer which mimics a phishing scam.

  4. That is why there are procedures by houghi · · Score: 2

    If you have procedures, you need to stick to them. But perhaps I am the exception who is not afraid to say no to my boss.

    And yes, I have been in situations where I did not do as my CxO requested. He mailed me a request and I told him I would not do it, because that was not according to procedure. He threatened me and I still did not do it.

    Obviously I placed all that I needed to cover my ass in the reply and added the reason as to why I would not do as requested.

    In the end it probably saved them several million in legal fees and fines. It was fun to see how things escalated after my denial.

    --
    Don't fight for your country, if your country does not fight for you.
  5. Wait, what? by bmo · · Score: 2

    The fraudsters register "typo squatting" domains that look like the target company's domain,

    Since when do you need to effin' typo-squat a domain name to send something that looks like bossman@targetcompany.com to underling_grunt@targetcompany.com?

    The FROM: header can be anything. Hell, you can telnet to port 25 and type it in manually. It's been that way since forever-ago, as far as I can tell.

    I mean, come on, I've personally sent mail from satan@hell.org.

    --
    BMO
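Two detection points come up on this page: the story's typo-squatted lookalike domains imitating executive mailboxes, and bmo's observation that the From header can simply be forged with the real company domain. The script below is an added example (not code from the article, Websense, or any commenter) showing how a mail gateway or SOC triage script could flag both. It assumes a hypothetical company domain `example-corp.com`, a hypothetical executive directory, and that the receiving MTA stamps an `Authentication-Results` header with SPF/DKIM results; the three sample messages are constructed for the example.

```python
"""Triage heuristics for executive-impersonation ("CEO fraud") mail.

Added example; assumes the company domain, executive list and sample
messages below, none of which come from the article.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                    # assumption: defended org's domain
EXECUTIVES = {"pat ceo": "pat.ceo@example-corp.com"}   # assumption: display name -> real mailbox
URGENCY_TERMS = ("wire", "transfer", "urgent", "asap", "confidential")

# Character sequences that look alike in common fonts and show up in typo-squatted domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one- or two-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for look, real in CONFUSABLES.items():
        d = d.replace(look, real)
    return d


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates, but is not, the company domain."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    if normalize(domain) == normalize(COMPANY_DOMAIN):
        return True
    return levenshtein(domain, COMPANY_DOMAIN) <= 2


def body_text(msg) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()

    # 1. Typo-squatted sender domain (the technique described in the story).
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")

    # 2. Executive display name on an address that is not the executive's real mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' impersonates {real}")

    # 3. From claims our own domain but the MTA recorded no SPF/DKIM pass
    #    (bmo's point: the From header itself proves nothing).
    auth = str(msg.get("Authentication-Results", ""))
    if domain == COMPANY_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal sender address without SPF/DKIM pass")

    # 4. Reply-To steering replies to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To domain differs from sender: {reply}")

    # 5. Payment/urgency language only raises the score when a sender anomaly exists.
    text = (str(msg.get("Subject", "")) + " " + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if findings and hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the example.
SAMPLE_TYPOSQUAT = """From: Pat CEO <pat.ceo@exarnple-corp.com>
To: grunt@example-corp.com
Subject: Urgent wire transfer - need this done today
Content-Type: text/plain; charset=utf-8

Please wire the funds to the account below and confirm when complete.
"""

SAMPLE_HEADER_FORGERY = """From: Pat CEO <pat.ceo@example-corp.com>
To: grunt@example-corp.com
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com
Subject: Confidential transfer
Content-Type: text/plain; charset=utf-8

Handle this quietly and send the wire today.
"""

SAMPLE_LEGIT = """From: Pat CEO <pat.ceo@example-corp.com>
To: grunt@example-corp.com
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
Subject: Q3 numbers
Content-Type: text/plain; charset=utf-8

See attached.
"""

if __name__ == "__main__":
    for label, sample in (("typosquat", SAMPLE_TYPOSQUAT),
                          ("forged From", SAMPLE_HEADER_FORGERY),
                          ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyze(sample) or "clean")
```

The heuristics are a triage layer, not a substitute for SPF/DKIM/DMARC enforcement on the company's own domain or for the out-of-band sign-off procedure rioki describes; a two-character edit-distance threshold will also flag some genuinely unrelated short domains, so the lookalike check is best applied to mail that carries payment or urgency language rather than to all inbound traffic.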