Slashdot Mirror


Tech Firm Ubiquiti Suffers $46M Cyberheist

An anonymous reader writes: Brian Krebs reports that Ubiquiti Networks, known for their wireless networking hardware, has lost $46.7 million to a scam in which thieves were able to impersonate employees and initiate fraudulent wire transfers. Ubiquiti was able to recover only $8.1 million of the amounts transferred, and an additional $6.8 million is subject to legal injunction. Krebs explains, "Known variously as 'CEO fraud,' and the 'business email compromise,' the swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. ... CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name." The theft was disclosed in Ubiquiti's quarterly financial report.

54 comments

  1. Sounds like top execs stole a bunch of money by Anonymous Coward · · Score: 0

    And they're pretending hackers did it. Tale as old as time...

  2. Companies should say"No clicking links from email" by Anonymous Coward · · Score: 1

    I understand why you want your customers clicking links from email because you can drive sales campaigns that way and get them coming back to your website. Besides, you can't really orchestrate a campaign to the public not to click on links from email. But I think internally companies can demand their employees to not click on links from email.

  3. lol ... idiots by Anonymous Coward · · Score: 0

    Who would buy anything from these fools?

    1. Re:lol ... idiots by TWX · · Score: 2

      Because the technical/engineering portion of the company doesn't have anything to do with the back-office clerical/financial division?

      --
      Do not look into laser with remaining eye.
  4. Re:Companies should say"No clicking links from ema by TWX · · Score: 4, Insightful

    Or, companies should institute a policy of calling the business with whom they're conducting business through a known-reliable means (like a telephone call) to speak with company officials that they're actually acquainted with, and to contact the financial institutions with whom they're coordinating such funds transfers, to confirm that all of the Is are dotted and Ts are crossed...

    There's a reason why they say that if you need to contact your bank, you should call the telephone number on the back of card, and reject any attempts by an entity claiming to be your bank that contacts you out of the blue, unless that caller literally asks you to contact the bank via the contact information that you already have on-file.

    Scams like this require the mark to be complacent. With this level of finances that's completely inexcusable.

    --
    Do not look into laser with remaining eye.
  5. I did by grc · · Score: 2

    Their products are actually very good. This seems to be a case of social engineering, not a technical security breach. Social Engineering is very hard to defend against, since humans are involved. Both high ranking and minimum wage types can be too trusting and / or gullible.

    1. Re:I did by Anonymous Coward · · Score: 1

      I keep idiot-proofing everything and the damn liars just keep on building better idiots!

    2. Re:I did by Anonymous Coward · · Score: 0

      True, but it does show lack of competence by their CEO and board, because they hired dishonest Indians with fake degrees and no experience. I know when I dealt with Chakravarthy, he was much better at conversing with my coworker in Hindi than in English. My coworker went to the same college as him at the same time (IIRC, Madras), but they didn't know each other. He was also very obviously uncomfortable with his position. I don't understand why someone would have made him a C-level title. That shakes my faith in the entire organization. Yes, this was not a technical issue, but when the company makes such bad hiring decisions wrt handling money, it's hard to trust them with their engineering hires.

    3. Re: I did by Anonymous Coward · · Score: 0

      > Madras

      I assume you mean University of Madras. That school is a joke. Our dev manager graduated from there so he hires a lot of their graduates. None have worked out. Only a couple were successfully able to understand the instructions on how to build our app. Asking a dev to clone a git repo and run Maven shouldn't be a difficult task.

  6. SEC Filing where it was disclosed and more info by xmas2003 · · Score: 4, Interesting

    Here's the SEC Filing that got the ball rolling on this unfortunate situation.
    There's also some info in the WSJ writeup.

    Their CFO had left in April and their Chief Accounting Officer just resigned ... unknown how those relate to what happened.

    Bummer to see this happen to Ubiquiti as they seem like a good company.

    --
    Hulk SMASH Celiac Disease
    1. Re:SEC Filing where it was disclosed and more info by Anonymous Coward · · Score: 0

      I'm sure the CFO and/or accountant had no relationship at all with the thieves, who seemed to have impeccable timing and impeccable knowledge of the business's payment operations.

    2. Re:SEC Filing where it was disclosed and more info by NormalVisual · · Score: 1

      > I'm sure the CFO and/or accountant had no relationship at all with the thieves, who seemed to have impeccable timing and impeccable knowledge of the business's payment operations.

      Or the CFO suspected something shady was going on, but couldn't prove it and didn't want any part of it.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    3. Re:SEC Filing where it was disclosed and more info by cthulhu11 · · Score: 1

      Given the way they treated me when my AP broke, I shed no tears for them. I recycled the cheap frisbee and bought an ASUS.

  7. Re:Companies should say"No clicking links from ema by dcollins · · Score: 1

    And who will enforce that demand? The idiot CEO who's falling for the scam in the first place?

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  8. Failure of basic accounting controls by DerekLyons · · Score: 3, Interesting

    If employees are initiating wire transfers on the basis of simple emails - the problem is less one of them being scammed than it is lack of basic accounting controls. It's a large scale version of the "toner cartridge" scam, and works on the same principle.

    "Trust, but verify [the paperwork]" should be the order of the day. Preventing (or at least raising the difficulty of) this kind of scam is why purchase orders, invoices, etc... were invented in the first place.

    1. Re:Failure of basic accounting controls by houghi · · Score: 1

      That works IF the CxO also follows those rules. Sometimes they will just try to overstep the rules, because they know what is going on and they need it NOW!!!

      That happens more than you care to think about.

      Many people would be afraid to point out that what is going on is not the standard procedure and that you need form XYZ and that means the transfer can only be done next Monday instead of this Friday.

      This is all great if there is an actual hacker, but if it is the CxO who already is pissed because his wife left him in his new yacht with his mistress, many will just do the transfer and hide behind the email that he has ordered to do it that way.

      It is either that or look for a new job.

      Don't forget that scamming is not the normality. An asshole boss might be.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Failure of basic accounting controls by Anonymous Coward · · Score: 0

      Yeah, well when there are proper controls on the flow of capital people whine about the inefficiency and bureaucracy. There's a reason you don't hear about government agencies getting scammed like this: controls.

  9. Re:Companies should say"No clicking links from ema by fustakrakich · · Score: 1

    > With this level of finances that's completely inexcusable.

    With this level of finances the temptations are overwhelming. Any mark that doesn't demand a cut is an idiot.

    --
    “He’s not deformed, he’s just drunk!”
  10. I wish by JustAnotherOldGuy · · Score: 1

    I wish I was wealthy enough to be defrauded of 46 million dollars...

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:I wish by ScentCone · · Score: 2

      > I wish I was wealthy enough to be defrauded of 46 million dollars...

      There's nobody who was that wealthy and defrauded. That was some of the operating cash of a fairly good sized publicly traded company funded by lots of investors - you might even be one of them if you own some mutual funds.

      --
      Don't disappoint your bird dog. Go to the range.
  11. Re:Companies should say"No clicking links from ema by JustAnotherOldGuy · · Score: 1

    > But I think internally companies can demand their employees to not click on links from email.

    They can demand anything they want, but will the employees listen? Noooooooooooooo.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  12. Re:After working with almost three dozen different by fustakrakich · · Score: 1

    You don't have to hide behind the AC moniker. Here you can speak freely, Mr. Madoff...

    --
    “He’s not deformed, he’s just drunk!”
  13. Look no further by Rumagent · · Score: 5, Informative

    Look no further than the sorry state of email today. This problem was fixed 25 years ago:

      https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Digital_signatures

    One is almost tempted to think that someone is trying to keep private communications open and accessible...

  14. just use proven methods... by Kishin · · Score: 1

    These attacks would be stopped by a combination of strong endpoint security, a guard protecting transfers, and mail guard + secure comms scheme so people know who's talking to who. These are all fielded as early as the 80's for military and some commercial use. Nexor is an example of a company selling the communications part. Argus, Tresys, Sirrix, LynxSecure, Dell Secure Consolidated Client, QubesOS... all examples of separating internal from risky stuff. Physical air gaps, KVM switches, separate networks, and guards (eg XTS-400, Genua's OpenBSD stuff) acting as gatekeepers are the strongest method. The important point is that anything mission critical happens in a way where external attackers can't see it or screw with it. Plus, validation of data flowing into network, diverse types of applications (eg non-standard PDF readers), secure messaging to spot forgery, and automated controls on transfers to detect unusual accounts or amounts.

    Companies aren't going to do this, though. They'll keep using the other model: trying to do trusted computation on untrustworthy computers, using the networks the enemies can control, talking with untrustworthy protocols, secured by complex standards, and using centralized Internet ID systems possibly controlled by the enemy. Good luck. I'd do a consultation and help Ubiquiti deploy strong stuff but they'd never see people who can in Internet's noise. Too few left outside defense sector. Probably just got a traditional INFOSEC assessment, fixed a few things, made a checklist, and are hoping for the best. They'll get hit again if they don't fix the fundamental lack of trustworthiness in their infrastructure. True for 99% of companies.

    1. Re:just use proven methods... by nnull · · Score: 1

      Have you ever tried convincing these people to do this? Because I haven't had much luck. Most will look at you as some sort of crazy fool that wants to spend more money.

    2. Re: just use proven methods... by Kishin · · Score: 1

      Yeah. It's why I wrote the second paragraph. Takeup was too minimal to stay in high assurance. I post solutions for free online to encourage takeup. But the methods are there and there's a niche market served by companies like Argus Systems and INTEGRITY Global Security.

  15. Re:Companies should say"No clicking links from ema by drinkypoo · · Score: 1

    It really makes you wonder how anyone this dumb gets to become CEO of anything that important.

    Even so, rule number one of finances: The CEO doesn't handle them.

    I get that they'd just lost their financial officers; in that case, you find temporary ones, from within the company if necessary, who nonetheless are not the CEO.

    (If you've got a small business, let's face it, you don't have a CEO. You don't have that much hierarchy. So for very small businesses where one person wears many hats, OK. But usually that person is an owner, if not the owner, and they are highly motivated to be cautious.)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:Companies should say"No clicking links from ema by DigiShaman · · Score: 1

    I've had someone once call claiming they were my bank and wanted to verify personal information and my CC on file; they sounded very professional about it. It was a scam as no bank that I know of would do that. I told them that I couldn't talk to you, and that I would call the bank back. And I did with a legitimate phone number readily available.

    --
    Life is not for the lazy.
  17. Re:Companies should say"No clicking links from ema by ScentCone · · Score: 3, Informative

    You're confused. Just because someone in IT journalism calls it the "CEO scam" doesn't mean it's the CEO who falls for the phishing scheme that compromises their email account. It could be someone in the A/P side of procurement, it could be someone in the CTO's office, or the company's comptroller. If you think those people aren't all highly motivated to be cautious, you've never worked with any of them. Especially not those who work for publicly traded (and highly scrutinized) companies. You're pointing out that the CEO doesn't handle financial transactions and then wondering how someone "that dumb" gets the job. Well which is it?

    --
    Don't disappoint your bird dog. Go to the range.
  18. Re:Companies should say"No clicking links from ema by drinkypoo · · Score: 1

    > You're confused. Just because someone in IT journalism calls it the "CEO scam" doesn't mean it's the CEO who falls for the phishing scheme that compromises their email account. It could be someone in the A/P side of procurement, it could be someone in the CTO's office, or the company's comptroller.

    Right. None of those people should have access to make any major transfers of funds. Anything more than a million or so should have to go through the CTO. If you're doing many billions of dollars in business, maybe more than a few million.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. If it's anything like my office by Anonymous Coward · · Score: 0

    We have security policies and procedures that are strictly adhered to 95% of the time. The other 5% consists of someone on the C level saying "this is an exception and must be done asap without following the established procedure." It's bitten us in the ass several times already.

  20. Re: sort of by Kishin · · Score: 1

    That was a good start. Colin Robbins and some others had nice write-ups about why it wasn't enough. NSA, etc had nothing to do with it far as I can tell. Essentially, it was a combination of usability, compatibility with commercial clients, and the fact that you run into infrastructure issues the second you operate outside a small, closed group. Plus, you need protection against incoming emails and attachments. So, their solution which is worth FOSS knocking off was (a) a proxy on client that seamlessly does crypto, (b) plugin on email client that makes it easy to use, (c) input validation on risky data types with preferable conversion to safer ones, and (d) a guard to enforce strong controls/checking on all email traffic. For extra assurance, add strong endpoint security, mandatory access controls for app containment, and tools such as Softbound + CETS to make the app itself safer. And definitely don't use Windows. :)

    This makes things difficult for attackers trying to read or forge communications. Among other things. PGP by itself was never sufficient, though, due to issues outside its control. The GPG code can support these efforts, though.

  21. Here's how we do it by Anonymous Coward · · Score: 0

    AC for obvious reasons. I run IT for a company of similar size and market to Ubiquiti. We actually use some of their gear.

    DKIM for all internal emails. 2 man rule for all outgoing wire transfers, with separate requestor and approver roles. 2 factor auth for all of the finance folks going in and either requesting or approving wires. Finally, we have an internal process off email to request these. In the rare case a request needs to come over email it must include a personal detail known only to the 2 parties involved, something like "thanks for lunch last week", or "hope your son is feeling better!". Even with this, it still must be confirmed by phone. All of this was instituted after we got hit with a series of CEO to CFO and CFO to Accountant spear-phish emails, with good terminology and a really good clone of our fancy email signatures. Throw all the technology you want in this, but before we had all of this in place the only thing that saved us was common sense.

  22. Auto-Detect Similar-Appearing URLs by Anonymous Coward · · Score: 0

    Automatically detecting URLs and email addresses which appear similar to others which have been used before on a system should be fairly easy. An alert email could be sent before any suspicious one to warn the intended recipient and perhaps company officials.

    The detection algorithm would need to regard "darn" and "dam" as similar, due to "rn" looking much like the letter "m", for example. Also, of course, the digit "1" looks like the letter "l", and so on...
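
    One way to build the comparison this comment proposes, as an added example that is not part of the thread or of any poster's code: the detector below collapses confusable sequences ("rn" for "m", "1" for "l", and so on) into a skeleton form, then checks a sender's domain against a list of domains seen in earlier correspondence, flagging both skeleton matches and one-letter typos. KNOWN_DOMAINS, the sample addresses and every function name are constructed for this example.

```python
"""Look-alike sender-domain detector (added example, not code from the thread).

Assumptions (constructed for this example): KNOWN_DOMAINS is the list of
domains the company has legitimately corresponded with before; the addresses
checked in main() are made up; the function names are my own.
"""
import re
import unicodedata
from typing import Optional, Tuple

# Constructed: domains previously seen in legitimate correspondence.
KNOWN_DOMAINS = ["example.com", "darn-supplies.com", "parts-vendor.net"]

# Character pairs that render much like one other glyph ("rn" reads as "m").
_MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Single characters routinely swapped for a look-alike letter.
_SINGLE_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a skeleton in which confusable spellings coincide."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    # Drop accents and any other non-ASCII residue (e.g. "exámple" -> "example").
    d = "".join(ch for ch in unicodedata.normalize("NFKD", d) if ord(ch) < 128)
    d = d.translate(_SINGLE_CONFUSABLES)
    for pair, single in _MULTI_CONFUSABLES:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one-letter typo sits at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_DOMAINS) -> Tuple[str, Optional[str]]:
    """Classify an address as known / lookalike / unknown / invalid.

    Returns (verdict, matched_known_domain). A domain is a look-alike when it
    is not on the known list but its skeleton equals a known skeleton, or it
    lies within one edit of a known domain (before or after skeletonising).
    """
    m = re.match(r"^[^@\s]+@([^@\s]+)$", address.strip())
    if not m:
        return ("invalid", None)
    domain = m.group(1).lower().rstrip(".")
    if domain in known:
        return ("known", domain)
    sk = skeleton(domain)
    for k in known:
        ksk = skeleton(k)
        if sk == ksk or edit_distance(sk, ksk) <= 1 or edit_distance(domain, k) <= 1:
            return ("lookalike", k)
    return ("unknown", None)


def main() -> None:
    # Constructed sample senders, as an inbound gateway would see them; the
    # look-alikes are the ones that would trigger the alert the comment proposes.
    for addr in ["ap@example.com", "ceo@exarnple.com", "ceo@examp1e.com",
                 "billing@dam-supplies.com", "someone@unrelated-corp.org"]:
        verdict, match = classify_sender(addr)
        print(f"{addr:32} -> {verdict:9} {match or ''}")


if __name__ == "__main__":
    main()
```

    The skeleton step is what makes "darn" and "dam" compare equal; the edit-distance step catches the "one or two letters off" domains the summary describes. A transposition ("exampel.com") counts as two edits under plain Levenshtein, so a production version would add Damerau transpositions and a wider confusable table.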

  23. Re:Companies should say"No clicking links from ema by davester666 · · Score: 1

    Why would you bother phoning the bank after the call, other than to warn them that someone is trying to defraud you?

    --
    Sleep your way to a whiter smile...date a dentist!
  24. Re:Companies should say"No clicking links from ema by Anonymous Coward · · Score: 0

    > You're confused. Just because someone in IT journalism calls it the "CEO scam" doesn't mean it's the CEO who falls for the phishing scheme that compromises their email account. It could be someone in the A/P side of procurement, it could be someone in the CTO's office, or the company's comptroller.

    > Right. None of those people should have access to make any major transfers of funds. Anything more than a million or so should have to go through the CTO. If you're doing many billions of dollars in business, maybe more than a few million.

    I think you mean all financial transactions above a threshold should be approved by the CFO or his delegated staff.

    CAPTCHA: kiting

  25. Re:Companies should say"No clicking links from ema by Anonymous Coward · · Score: 0

    > And who will enforce that demand? The idiot CEO who's falling for the scam in the first place?

    There are email scrubbers that run at the mail server level so removing embedded links is feasible before the recipient sees the email. Inbound emails could be stripped of links while internal emails have them left in place. Alternatively disable formatted email and enforce a text-only policy.
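
    A minimal version of the server-side scrubbing this comment describes, as an added example (not from the thread and not any product's code): mail whose From domain is internal passes untouched, while everything else has its HTML anchors replaced by the visible link text plus a defanged copy of the real target, and bare URLs in the text part defanged. INTERNAL_DOMAINS, the two sample messages and all function names are constructed assumptions. Treating the From header as proof of an internal sender is also an assumption; it only holds if the gateway has already verified DKIM/SPF for that domain before this step, the kind of DKIM-for-internal-mail setup another poster in this thread mentions.

```python
"""Inbound-mail link scrubber (added example, not code from the thread).

Assumptions (all constructed): INTERNAL_DOMAINS is the company's own mail
domain; the two sample messages are made up; function names are my own.
Trusting the From header to decide "internal" is only sound once the gateway
has verified DKIM/SPF for that domain.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}  # constructed

# <a ... href=TARGET ...>TEXT</a>; group 1 = target, group 2 = visible text
_ANCHOR_RE = re.compile(
    r"<a\b[^>]*?href\s*=\s*[\"']?([^\"'\s>]+)[^>]*>(.*?)</a>", re.I | re.S)
_URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)


def defang(url: str) -> str:
    """Make a URL unclickable but readable: https://a.b/c -> hxxps://a[.]b/c."""
    scheme, sep, rest = url.partition("://")
    return scheme.lower().replace("http", "hxxp") + sep + rest.replace(".", "[.]")


def scrub_html(html: str) -> str:
    """Replace every anchor with its visible text plus the defanged real target,
    so a link whose text says one thing and whose href says another is exposed."""
    def repl(m):
        target = m.group(1)
        text = re.sub(r"<[^>]+>", "", m.group(2)).strip()
        return f"{text} [link removed: {defang(target)}]"
    return _ANCHOR_RE.sub(repl, html)


def scrub_text(text: str) -> str:
    """Defang bare URLs in a text/plain body."""
    return _URL_RE.sub(lambda m: defang(m.group(0)), text)


def is_internal(msg: EmailMessage) -> bool:
    """Sender domain check (assumes DKIM/SPF already validated upstream)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() in INTERNAL_DOMAINS


def scrub_message(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message; leave internal mail alone, scrub the rest."""
    msg = message_from_string(raw, policy=policy.default)
    if is_internal(msg):
        return msg
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and attachments are left as they are
        body = part.get_content()
        if part.get_content_subtype() == "html":
            part.set_content(scrub_html(body), subtype="html")
        elif part.get_content_subtype() == "plain":
            part.set_content(scrub_text(body))
    msg["X-Link-Scrubbed"] = "yes"  # lets the mail client show a banner
    return msg


def text_parts(msg: EmailMessage) -> dict:
    """Inspection helper: {'plain': body, 'html': body} for a parsed message."""
    return {p.get_content_subtype(): p.get_content()
            for p in msg.walk() if p.get_content_maintype() == "text"}


# Constructed sample: external mail (from a made-up domain that is not ours)
# carrying the same link in its text and HTML alternatives.
SAMPLE_EXTERNAL = """\
From: "Finance" <cfo@corp-example.net>
To: ap@corp.example
Subject: Invoice for today
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please process today: https://corp-example.net/invoice
--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://corp-example.net/invoice">review the invoice</a> today.</p>
--b1--
"""

# Constructed sample: ordinary internal mail, which keeps its links.
SAMPLE_INTERNAL = """\
From: it@corp.example
To: ap@corp.example
Subject: Wiki page
Content-Type: text/plain; charset="utf-8"

See https://corp.example/wiki
"""

if __name__ == "__main__":
    print(text_parts(scrub_message(SAMPLE_EXTERNAL)))
    print(text_parts(scrub_message(SAMPLE_INTERNAL)))
```

    Only anchors and bare URLs are handled here; image `src`, form actions and links inside attachments would need the same treatment in a real gateway. Keeping the defanged target visible matters for detection: it lets the recipient (or a reviewer) see where a "review the invoice" link really pointed, which a plain deletion would hide.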

  26. Re:Companies should say"No clicking links from ema by Hognoxious · · Score: 1

    Nobody in AP should be making any payment unless there's an invoice to pay it against. There shouldn't be an invoice unless there's a supplier/vendor master record. There should be a PO too.

    You don't normally allow anyone to create more than one item in the chain. Certainly not all of them.

    Of course, if some C level twerp has a habit of pulling rank to do an end-run around established best practices because agile or something then all bets are off.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  27. Why are transfers so hard to trace? by nuckfuts · · Score: 5, Interesting

    Something I always wonder when fraud occurs involving bank transfers - why can't the money be traced? The whole system works on computers, which are inherently good at keeping records. Even if multiple hops are involved, I see only one reason why law enforcement agencies should not be able to trace funds to their destination - the unwillingness of banks to cooperate.

    There needs to be an international banking agreement that facilitates tracking. If some shady offshore bank refuses to sign on with the agreement, participating banks should refuse to transfer money to them.

    The fact that such an agreement is not already in place points to the corruptness of our financial institutions. There is simply no motivation to impede movement of funds by criminals.

  28. Re:Companies should say"No clicking links from ema by DigiShaman · · Score: 1

    Actually, I did just that. I asked them if there was any other activity on my account within the last hour

    --
    Life is not for the lazy.
  29. Re:Companies should say"No clicking links from ema by Anonymous Coward · · Score: 1

    > There's a reason why they say that if you need to contact your bank, you should call the telephone number on the back of card, and reject any attempts by an entity claiming to be your bank that contacts you out of the blue, unless that caller literally asks you to contact the bank via the contact information that you already have on-file.

    I've had many messages on my answering machines over the years that say things like, "This is [so-and-so] from [bank]. There is a problem with your account. Please call us at [phone number] right away." And that phone number is NOT the one on the back of my card, or on my monthly statement.

    So I always called the number on the card and eventually got transferred to someone who said, yes, there is a problem with your account, that was us calling you.

    Facepalm!

  30. Re:Companies should say"No clicking links from ema by Anonymous Coward · · Score: 0

    Are there GUI e-mail clients out there that can be configured and/or modified by policy to no-op all links/anchors? Because that seems like it'd be really useful.

  31. Re:Companies should say"No clicking links from ema by ScentCone · · Score: 1

    Once you've got key email accounts compromised, that can mean access to the ERP. Prepping the procurement chain, or faking up a contract reference becomes fairly straightforward at that point.

    --
    Don't disappoint your bird dog. Go to the range.
  32. Re:Companies should say"No clicking links from ema by ScentCone · · Score: 1

    The problem is that the workflow, once you've got access to high enough level mailboxes, can be corrupted. Payment approval might be done via a two-part process in the ERP and an accompanying email, for example. Good enough social hacking, and that's that.

    --
    Don't disappoint your bird dog. Go to the range.
  33. Re:Companies should say"No clicking links from ema by drinkypoo · · Score: 1

    > I think you mean all financial transactions above a threshold should be approved by the CFO or his delegated staff.

    Er, yeah, I meant CFO, thank you for assuming that. But I really do mean that all transactions over a certain amount should be going through the CFO himself.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  34. Then the ceo should pay the money back by Anonymous Coward · · Score: 0

    Out of their own pockets; they caused the problem due to their own negligence.

  35. Re: Companies should say"No clicking links from em by Anonymous Coward · · Score: 0

    Nice try, scammer.

  36. I hope this company is okay... by Karmashock · · Score: 1

    ... It's a great company. I love their stuff.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  37. Re:Companies should say"No clicking links from ema by BVis · · Score: 1

    Some companies do many of these over the course of a day. If there are CFO-level wire transfers (using amount as a criteria), and the CFO isn't available (sick, vacation, in transit, etc) should the business grind to a halt? Someone (or a few someones) will need to have that ability, in order to avoid a bus factor of 1 on the entire business.

    --
    Never underestimate the power of stupid people in large groups.
  38. Re:Companies should say"No clicking links from ema by BVis · · Score: 1

    Good luck getting that set up. You won't be able to hear yourself think over the howls of the end users (some of which are C-level executives) that that policy will generate. Especially with the text-only policy.

    The problem is there, the solution is known and technically possible, but you won't fix it, because it would inconvenience the end users.

    The true problem in this situation is that people are stupid. You'll never get that fossil in A/R who really uses the optical drive tray as a cup holder, to understand that sometimes you shouldn't click something in an email. It's beyond their ability (or willingness) to comprehend.

    --
    Never underestimate the power of stupid people in large groups.
  39. Re:Companies should say"No clicking links from ema by kmoser · · Score: 1

    And what happens when your outgoing phone calls get rerouted by a hacker?