Slashdot Mirror
Tech Firm Ubiquiti Suffers $46M Cyberheist
An anonymous reader writes: Brian Krebs reports that Ubiquiti Networks, known for their wireless networking hardware, has lost $46.7 million to a scam in which thieves were able to impersonate employees and initiate fraudulent wire transfers. Ubiquiti was able to recover only $8.1 million of the amounts transferred, and an additional $6.8 million is subject to legal injunction. Krebs explains, "Known variously as 'CEO fraud,' and the 'business email compromise,' the swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. ... CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name." The theft was disclosed in Ubiquiti's quarterly financial report.
Or, companies should institute a policy of calling the business with whom they're conducting business through a known-reliable means (like a telephone call) to speak with company officials that they're actually acquainted with, and to contact the financial institutions with whom they're coordinating such funds transfers, to confirm that all of the Is are dotted and Ts are crossed...
There's a reason why they say that if you need to contact your bank, you should call the telephone number on the back of card, and reject any attempts by an entity claiming to be your bank that contacts you out of the blue, unless that caller literally asks you to contact the bank via the contact information that you already have on-file.
Scams like this require the mark to be complacent. With this level of finances that's completely inexcusable.
Do not look into laser with remaining eye.
Because the technical/engineering portion of the company doesn't have anything to do with the back-office clerical/financial division?
Do not look into laser with remaining eye.
Their products are actually very good. This seems to be a case of social engineering, not a technical security breach. Social Enginering is very hard to defend against, since humans are involved. Both high ranking and minimum wage types can be too trusting and / or gullible.
Here's the SEC Filing that got the ball rolling on this unfortunate situation.
... unknown how those relate to what happened.
There's also some info in the WSJ writeup.
Their CFO had left in April and their Chief Accounting Officer just resigned
Bummer to see this happen to Ubiquiti as they seem like a good company.
Hulk SMASH Celiac Disease
If employees are initiating wire transfers on the basis of simple emails - the problem is less one of them being scammed than it is lack of basic accounting controls. It's a large scale version of the "toner cartridge" scam, and works on the same principle.
"Trust, but verify [the paperwork]" should be the order of the day. Preventing (or at least raising the difficulty of) this kind of scam is why purchase orders, invoices, etc... were invented in the first place.
Look no further than the sorry state of email today. This problem was fixed 25 years ago:
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Digital_signatures
One is almost tempted to think that someone is trying to keep private communications open and accessible...
You're confused. Just because someone in IT journalism calls it the "CEO scam" doesn't mean it's the CEO who falls for the phishing scheme that compromises their email account. It could be someone in the A/P side of procurement, it could be someone in the CTO's office, or the company's comptroller. If you think those people aren't all highly motivated to be cautious, you've never worked with any of them. Especially not those who work for publicly traded (and highly scrutinized) companies. You're pointing out that the CEO doesn't handle financial transactions and then wondering how someone "that dumb" gets the job. Well which is it?
Don't disappoint your bird dog. Go to the range.
I wish I was wealthy enough to be defrauded of 46 million dollars...
There's no body who was that wealthy and defrauded. That was some of the operating cash of a fairly good sized publicly traded company funded by lots of investors - you might even be one of them if you own some mutual funds.
Don't disappoint your bird dog. Go to the range.
Something I always wonder when fraud occurs involving bank transfers - why can't the money be traced? The whole system works on computers, which are inherently good at keeping records. Even if multiple hops are involved, I see only one reason why law enforcement agencies should not be able to trace funds to their destination - the unwillingness of banks to cooperate.
There needs to be an international banking agreement that facilitates tracking. If some shady offshore bank refuses to sign on with the agreement, participating banks should refuse to transfer money to them.
The fact that such an agreement is not already in place points to the corruptness of our finanacial institutions. There is simply no motivation to impede movement of funds by criminals.