One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)
An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.
If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.
All those contractors you outsourced to are selling your internal procedures for scams like this.
Was the money saved in outsourcing greater than the money lost by this scam? If so, keep outsourcing to cheaper labor... and flimsier security.
Are not transactions like this tracked along the way and why can't the banks just reverse all the transactions?
The company I work for is a medium size multinational. We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work. I've been working there for a while, and it seems to me that routine work is getting shipped to cheaper and cheaper countries every year. First it was Eastern Europe, then India, then the Philippines, now Central American countries. I can definitely see something like this happening with some of our core processes. If it followed the flowchart exactly, with all the right steps completed, and everything was in order, not one question would be raised.
That said, every company is susceptible to this whether the employees are onshore or off. The problem is knowing when to bother the CEO on his yacht, or the golf course, or the luxury resort he's staying at to ask him a question about routine business... especially when you have a message that looks like it came right from him. Properly implemented digital signatures would help in this case -- but think about the fact that EV certs turn the entire address bar bright green and no one notices that, and they click "Yes" to every pop-up that comes their way.
The problem with cybercrime is if it's done across international boundaries the hackers are untouchable, but in a world where companies and politicians use those same international boundaries for grubby arrangement to avoid tax, what chance do we have of getting an international treaty to stop cybercrime?
Make it TOR like.
A company CA would only be useful on the first email exchange. After that, it could only be an extra (e.g. also checking the email as it passes the corp email server and adding a warning flag to emails it thinks have the wrong key).
As long as we removed 'revoke' and 'change key' features (which are really attack vectors), then every email server along the route could check and flag emails it thinks have the wrong key.
I don't see why you would trust your corporate email server, but have a separate CA than that server, hence I don't ever want a separate CA.
You could also Onion it. So for example, all emails to @megacorp.com might have a public key for megacorp which is wrapped around the encrypted message that was encrypted for bob@megacorp.com. Megacorp's server could then unwrap and verify its emails against the sender (the sender's public key is in each layer of the onion), forward the email to Bob, who then decrypts with his key.
*TIME* being the protector here. Time being possible because we've ditched the 'revoke' and 'key change' vulnerabilities.
Not having experience in financial environments, can someone tell me if it is common business practice to transfer money simply based on an email request, regardless of the source? I would have thought this needed to be done as part of a formal business transaction.
We're in the process of tracking the same type of emails within our company.
It started two weeks ago when our CFO received an email purportedly from our CEO asking him to transfer money. The CFO was suspicious the second he read it, as the email was well written, had proper grammar and had more than two sentences, unlike actual emails from our CEO (I wish I was joking about this, but I'm not).
We're still trying to see where these emails are coming from.
Even if he fell for it and tried to send the money, we have a two factor banking system where someone else with authority has to verify the transfer, authorise it and send it. We handle limits well below 40 million.
I'm surprised one person can transfer 40 million euros without raising any eyebrows beforehand.
Anyone who runs a business will know that businesses are continually sent phony invoices and phony demands for payment of numerous kinds.
At least there's some good news: the money remains in Europe.
* 2 factor authentication
* transfer requests should originate through the bank system (not emails) OR the CFO should be able to add an 'approver', in this case the CEO, to sign the request.
There is no money laundering check in the Czech Republic???? I can tell you that here in Switzerland if you set up an account and suddenly receive 40 million on it, the bank will make you go through multiple checks to ensure that the transaction is real, even if the money is coming from a respectable source. Not doing it will directly engage their responsibility.
If you work in a business that regularly moves large sums of money around like this every day, multiple times a day, it's easy to get conned. That's why they go after these types of accounts.
Wires are instant and depending on the account $40 million wouldn't necessarily throw up a red flag.
This has been going on for at least three years that I know of. There's no real "hacking" involved here at all. Just solid research and social engineering.
The thief finds out the name of the CEO, and possibly his email address.
He then finds the name and email address of the treasurer or controller, someone who can transfer funds.
The thief may register a look-alike domain, for instance, "RealCeoName@cornpany.com" instead of "RealCeoName@company.com". (Depending on your font, you might not be able to tell the difference between those two without a magnifying glass. Or even with one.) Or, he may send the email forged as "from" the CEO's real email address with a Reply-To header diverting replies to a Gmail, Hotmail, or Rob-U-Blind.ru email address. (We all know how easy it is to forge email addresses, right?) Or, he may just have a normal-looking Yahoo address. Usually, the "human readable name" of the From header is the CEO's real name, so MS Outbreak will helpfully not show the victim that the email address is not right.
The thief addresses the treasurer or controller by name. Sometimes the initial email is nothing more than "Hey, Bob, are you in the office today?" If Bob bites, then the pitch for the transfer is sent. Or, the transfer request might be right up front. A common phrase is "I'm in meetings and can't take calls, kindly email me." If the thief gets no answer, he'll often send a "Bob, did you get my last email?" ping.
Amounts are usually in the few tens of thousands of dollars. If the financial officer falls for it, more transfer requests are likely to follow until they finally wise up.
I saw one where the thief somehow knew about a legitimate transaction, and inserted himself, saying "We changed banks, send the payment for that shipment of widgets to our new account, ..." That one I suspect was an inside job.
A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.
Defense: Everyone who handles money, and everyone who says how money is to be handled, most especially the CEO, must agree and sign off on an absolutely inflexible rule that financial transactions are NEVER NEVER NEVER done just on the basis of email. Actual voice confirmation should be required, or the request must go through the company's normal accounting application, etc.
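The three header tricks described in this post (look-alike domain, Reply-To diversion, executive's real name as the display name over a foreign address) can be flagged mechanically before the message reaches the treasurer. This is an added example, not code from the thread; the corporate domain, the executive roster and the three sample messages are all constructed, and the confusable-character table is a small assumed subset.

```python
"""Flag From/Reply-To spoofing patterns on a raw RFC 5322 message."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "company.example"  # assumed corporate domain
# Character pairs that render alike in common fonts (multi-char pairs first).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Collapse a domain to its 'looks like' form, so cornpany -> company."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def normalize_name(name: str) -> str:
    """Lowercase letters only, so 'Real CeoName' and 'real ceoname' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


# Assumed roster: normalized executive display names -> their real addresses.
EXECUTIVES = {normalize_name("Real CeoName"): "ceo@company.example"}


def check_headers(raw_message: str) -> list[str]:
    """Return warning tags for the message; an empty list means no finding."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Sender domain is not ours but looks like ours (cornpany vs company).
    if from_domain != COMPANY_DOMAIN and skeleton(from_domain) == skeleton(COMPANY_DOMAIN):
        flags.append("lookalike-domain")

    # 2. Display name is an executive's, but the address is not that executive's.
    expected = EXECUTIVES.get(normalize_name(from_name))
    if expected and from_addr.lower() != expected:
        flags.append("display-name-spoof")

    # 3. Reply-To sends answers to a different domain than the From address.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(str(reply_to))[1]) != from_domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages mirroring the patterns described in the post.
LOOKALIKE = ("From: Real CeoName <real.ceoname@cornpany.example>\r\n"
             "To: bob@company.example\r\nSubject: in the office?\r\n\r\n"
             "Hey Bob, are you in the office today?\r\n")
DIVERTED = ("From: Real CeoName <ceo@company.example>\r\n"
            "Reply-To: Real CeoName <realceo.urgent@freemail.example>\r\n"
            "To: bob@company.example\r\nSubject: transfer\r\n\r\n"
            "I'm in meetings and can't take calls, kindly email me.\r\n")
GENUINE = ("From: Real CeoName <ceo@company.example>\r\n"
           "To: bob@company.example\r\nSubject: quarterly numbers\r\n\r\n"
           "See attached.\r\n")

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("diverted", DIVERTED), ("genuine", GENUINE)):
        print(label, check_headers(raw))
```

A gateway rule that quarantines or banners any message carrying one of these tags is the automated counterpart of the "never act on email alone" rule above, not a replacement for it.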
For each email received, the receiving server shall send a request to the sending server to have the email resent. The request should be done via an email, as if the receiver answered the sender.
Once the receiver receives the email back, intact, then it is confirmed that this is an original email. Otherwise the email shall be deleted.
This is nothing more than the receiver calling the sender to ask "did you send this email?", automated.
I think the name of the town is misspelled in the summary: there should be a comma below the t.
I tried typing the correct name in this comment, but it didn't show up properly in the preview.
I don't think this is possible under any "professional" circumstance. It is more probable that this was just insider scam made to look like one made by an outsider.
Maybe I can explain that without breaking NDAs, because we have been tasked with solving this problem for a few customers.
First, 40 million isn't really that big a deal for many companies. 40 million is a routine amount for some industries. That's not to say that they wouldn't "feel" the impact of losing 40 million; there are industries that have an insane amount of money throughput without a lot of revenue. You see that in refinement industries that gobble up insane amounts of (sometimes expensive) raw materials, producing (even more expensive) intermediate products with little revenue, so that you have industries with a turnover in the billions and an annual profit in the single digit millions. You see that a lot in food or even more in oil industries.
So yes, transferring 40 millions could well be a rather normal business operation.
And two factor means little if you have two people who use the same input because the reason behind the two factor was that the company wants to ensure that nobody can pull an inside job and embezzle money. The companies that are being scammed are usually companies with a branch in a foreign country that is fully dependent and takes orders from the main office. Also, in general companies are preferred that have a strictly hierarchical structure where questioning authority is frowned upon and slavishly following orders is rewarded. Such companies are prime targets and there it also usually works.
Your example isn't really comparable for two reasons. First, it was the CFO that noticed the problem, a person who has authority and who would even in a strictly hierarchical system be able to talk directly to the CEO, maybe in secrecy so nobody would notice that he "questions" the boss, but even if not he is in a position where he may, if not must, question such decisions. Also, I would assume that the culture in your company is not one of "me boss, you nothing".
The situation in the scams is very different. Every successful scam so far was pulled at a foreign branch where the people tasked with transferring the money can't simply go informally to their boss and ask whether that's ok, they would have to call or write mails, which might leave a paper trail or be noticed by third parties, also you usually deal with companies here that have a strict hierarchy where you do not question orders.
Two factor doesn't help here either, because then simply the other person who would need to agree gets the same mail, and likewise cannot question it. What would help is being able and allowed to verify the order or, better, have a digital signature system in place and people who know how to use it.
Could you please let me know what the limit at your company is?
Did she understand how computers work? Was she doing her nails?
What a joke. How can ONE employee have the power to send 40 MILLION Euros from a company, if they aren't the CEO of the fucking company?
ctrl+z
Could you please let me know what the limit at your company is?
Not the subtlest piece of attempted social engineering I've ever seen.
To have a right to do a thing is not at all the same as to be right in doing it
There is no patch for human stupidity
A few years back, someone emailed different HR people posing as the CEO. The "CEO" wanted them to email a copy of every employee's W-2. While that doesn't affect the company, it affects every employee as the scammers know detailed and vital information about every employee. That information could be used to pilfer the employee's tax refunds, banks, etc.
The CEO is a bit eccentric so a copy of every W-2 would not be the strangest thing he could request. That meant that he wanted thousands of W-2 PDFs emailed to him. Luckily HR knew the CEO well enough that 1) he was technologically capable enough and wouldn't have them email him copies; he would want it on a network drive he could access, 2) he would never ask a low level HR person himself for the information; he would have asked head of HR, 3) and he wouldn't care about details of thousands of employees personal information; he would want someone to create a summarized report about whatever information he needed like the average salary by demographic, state, etc. Also they thought it might be a violation of privacy laws to send information like that over email. But we learned that other companies were not so fortunate and fell for the scam.
After that, the IT department changed the email system so that spoofed email addresses could not look authentic. It would no longer say: "Smith, John (CEO)" but "asdf@random.internetaddress.com".
Leoni AG isn't among the 159 largest by revenue: https://en.wikipedia.org/wiki/...
We have been getting them for years. We don't allow anyone in the company to make transfer requests via email. Problem solved.
14M Euros is pennies compared to an EU fine...
I have investigated several incidents like this, mostly unsuccessful but one which scooped several million dollars from the target company. They know EXACTLY what works with victims, a combination of flattery (e.g. "you were recommended to me to do this important transfer") and threats (e.g. "there will be consequences for you if you do not do as I say"). They know all the answers to the frequently asked questions and can create a convincing patchwork of lies that can certainly fool naive financial controllers.
A lot of it boils down to confidence and authoritativeness. The attackers ooze it. They have nothing to lose in these engagements, if they are rumbled they just disappear behind their cloak of anonymity. In every case I have looked into, the potential victims have always said that the attackers were extremely confident sounding. And when they have someone on the hook they press all the right buttons to get them to continue doing what they want them to do, it is actually quite frightening to see how skilled they are.
So... don't always blame the victim for being stupid. Obviously any half-competent organisation shouldn't fall for it. But the attackers are cleverer than you might think.
I heard of a scam where I work where an alleged "higher-up" emailed someone asking for some private information we had access to. They didn't tell us if that scam was successful, but they did tell us that if we got any such request, we needed to clear it with our immediate boss before sending anything.
If the boss is really that much of an asshole, they will blame the hapless victim regardless. "You should have checked with me first" will be the final note on their termination record. There will be no lead-in notes regarding previous ass-hattery by the boss.
Who cares about Europe? It's a trashy shithole. BIZX/whipslash, please refrain from posting news about European trash and stick to real news people care about, like that affecting US, Russia and Asia. Hell, I'd take Australia and Africa over Europe. Maybe even South America or Canada.
Person who wired the money gets a split of the proceeds, then claims they made a mistake. Sure, she's out of a job, but she can live pretty well on 20 million Euros...
It is honestly maddeningly easy to solve this problem, but right now the banks don't give a shit. The solution is for the large corporations to band together and form a "Better Banking Network" (BBN) or some such and force the banks to do the following, otherwise just create their own banks, god knows they have enough capital to do it. I would move my banking. Alternatively laws could be passed, but the bankers own too many politicians.
1. The final receiving bank accepts liability for fraudulent transactions. This bank in crapistan would be liable for the $40M. The personal finances of the executive level employees and board of directors are also part of this liability for extra motivation as they are likely complicit or at least complacent in the crime. Questionable banks/countries or new banks have restricted electronic transfers and would be required to put up a bond equal to their weekly electronic transfer allowance; in case they decide to break the rule they forfeit the bond. Banks that refuse to sign up are blocked from transferring money to or from the BBN.
2. Banks will only transfer money to other BBN trusted banks who accept liability, and to that end put in due diligence to verify the identity of their customers with biometrics, photos, IDs etc. and put a 5 day hold on suspicious transactions until the originator can be contacted to verify the transaction (but a 5 day minimum).
3. Restrict electronic transfers over $5000 such that they can be further transferred, but you can't walk in with a checking account that is 10 days old and ask to cash out the $40M that was just transferred in. You have to build up a history of transactions over a number of years that match the requested financial behavior. If you pull $40M out each month in sacks of cash, chances are you are a criminal enterprise to begin with, unless you are moving $500M plus a month through that account. Even then, legit businesses rarely pull out that kind of cash at one time at one bank location, there is just too much liability.
4. All banks should be able to freeze or reverse electronic transfers back to their origin with a valid order from the originating bank that fraud was involved. By keeping the funds electronic, the thieves can not get the cash out at all, and moving it around does not solve the problem, as tracking 40 transfers is easy if all the banks are relieved of liability by showing the forwarded bank and the destination bank still has the $40M because that new account holder couldn't pull anything out because he couldn't provide a legit identity for the bank to record: fingerprints, clear digital photo matched to drivers license/ID card etc. and/or his account had a history of $600 balance until the EFT today for $40M...
5. Swiss banks and other criminal enabling banks would go belly up or go legit because they would be cut off from the rest of the banking world, so they may offer anonymous banking, but you can't transfer your money in or out from any other financial institution or location.
The entire point of cryptocurrencies like bitcoin is that you can conceal the path of that electronic currency. It should be virtually impossible to conceal or obscure bank money transfers from a technical standpoint. The key to a good theft is to get away with the cash. If you can't get away with the cash, you will stop. The reason banks got harder and harder to rob was that the bank was on the hook for stolen cash. These days the EFT scams push the money through "legit" means to a fraudulent bank in some hell hole with no extradition or law enforcement and neither bank is liable. If they were on the hook: problem solved.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
Why don't they just fork the blockchain to a time just before the fraudulent transfer occurred?