Slashdot Mirror

← Back to Stories (view on slashdot.org)

Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers

Posted by Soulskill on from the fear-trumps-common-sense dept.

chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June, 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.

6 of 36 comments (clear)

  1. Assuming the consequences of one's decisions by Thanshin · · Score: 4, Insightful

    You can't raise an army of slaves and then expect them to act as free men.

    You have to put autonomous thinkers and obeying sheep on their correct places; and there are plenty of both. If you put a sheep on the wrong post, don't go now crying about a problem that you created yourself*.

    *: Or your boss, if you're one of the sheep.

    1. Re:Assuming the consequences of one's decisions by rioki · · Score: 4, Interesting

      Actually in the case of accountants you want pedantic non free thinkers. You basically tell them "These are the procedures to authorize any transaction; follow them or be fired. Even if the CEO turns up in person, get all required sign-offs before authorizing a transaction." There are a huge amount of regulatory issues that need to be considered and the sign offs ensure that these are met and that the information is correct. Even if the CEO comes stomping in, the request to authorize a transaction may be legitimate, yet he may have the wrong account number.

    2. Re:Assuming the consequences of one's decisions by Anonymous Coward · · Score: 3, Insightful

      You basically tell them "These are the procedures to authorize any transaction; follow them or be fired.

      That directly makes me think about that cities IT head, who did just that and refused to tell the password to the cities computers when asked to do so with a group of unknown/unsecure people present.

      I do not know if he's still in jail (yes, he was locked up as a result of that by standing orders refusal), but he's certainly without a job and without any prospects to get another.

      In a good environment rules and regulations are there for everyone. In the run of the mill environments rules and regulations are only there to pester underlings with (very handly when fingers need to be pointed), and to be violated with impunity by bosses. 'Cause their work is ofcourse "too important" to be cramped by them.

      And there you are : underlings who get wise to how the shit flows (and how they, if they consider to become "whistleblowers" and decide to contact the bosses boss, become outcasts or simply jobless), and as a result do not hold themselves responsible for anything a boss asks.

      As someone else here already said, if you're out to breed sheep than do not expect them to try to protect you when you get attacked by a wolf.

    3. Re:Assuming the consequences of one's decisions by Penguinisto · · Score: 3, Informative

      Wait, no... wrong details, and it's not a good parallel to use.

      The dude in question was the lead network engineer for the City of San Francisco. Long story short, he had no standing policy to do what he did: he changed the supe passwords on all the city's core routers, locked everyone else out of the the things, then refused to tell anyone what the new password was.

      I agree that he shouldn't have gone to jail over it, but TBH it was a dick move on his part.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Re:This could easily be prevented, by hcs_$reboot · · Score: 5, Funny

    or use Lotus Notes. Even the Chinese cannot understand how it works.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  3. The next stage by chrysosphinx · · Score: 4, Funny

    will be CEO of a company forcing or tricking employees to make a fraudulent wire transfer which mimics a phishing scam.