One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.

Re:Encryption and Digital Signatures

You don't even need that, all you need to do is separately reverse the conversation to confirm.

Get an e-mail from the CEO asking for X? Look the CEO's phone number up in your rolodex and CALL them to ask for confirmation that you should do X.

This form of "authorization verification" has been around for hundreds of years, ever since someone could forge a letter.

(Email equivalent is to compose-new-email and choose their e-mail from your enterpise contacts, NOT reply to the existing message.)

Re:Aren't transactions like this tracked?

[AK+Marc]

In the US, the consumer protections are almost non existent. Fraud is often legal, under the banner "caveot emptor". Most of the world isn't the same. Here, if someone sends you $1,000,000 by accident, the bank will reverse it, and if you spent it, that's theft. Everyone uses bank transfers for everything. Nobody writes checks, and most stores won't take them.

These are rampant.

[Mike+Van+Pelt]

This has been going on for at least three years that I know of. There's no real "hacking" involved here at all. Just solid research and social engineering.

The thief finds out the name of the CEO, and possibly his email address.

He then finds the name and email address of the treasurer or controller, someone who can transfer funds.

The thief may register a look-alike domain, for instance, "RealCeoName@cornpany.com" instead of "RealCeoName@company.com". (Depending on your font, you might not be able to tell the difference between those two without a magnifying glass. Or even with one.) Or, he may send the email forged as "from" the CEO's real email address with a Reply-To header diverting replies to a Gmail, Hotmail, or Rob-U-Blind.ru email address. (We all know how easy it is to forge email addresses, right?) Or, he may just have a normal-looking Yahoo address. Usually, the "human readable name" of the From header is the CEO's real name, so MS Outbreak will helpfully not show the victim that the email address is not right.

The thief addresses the treasurer or controller by name. Sometimes the initial email is nothing more than "Hey, Bob, are you in the office today?" If Bob bites, then the pitch for the transfer is sent. Or, the transfer request might be right up front. A common phrase is "I'm in meetings and can't take calls, kindly email me." If the thief gets no answer, he'll often send a "Bob, did you get my last email?" ping.

Amounts are usually in the few tens of thousands of dollars. If the financial officer falls for it, more transfer requests are likely to follow until they finally wise up.

I saw one where the thief somehow knew about a legitimate transaction, and inserted himself, saying "We changed banks, send the payment for that shipment of widgits to our new account, ..." That one I suspect was an inside job.

A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.

Defense: Everyone who handles money, and everyone who says how money is to be handled, most especially the CEO, must agree and sign off on an absolutely inflexible rule that financial transactions are NEVER NEVER NEVER done just on the basis of email. Actual voice confirmation should be required, or the request must go through the company's normal accounting application, etc.

Re:Encryption and Digital Signatures

[JaredOfEuropa]

"Call him? You really want to call the general to confirm these orders? At this late hour? Sure, go ahead. Here, use my phone, it's your neck". I thought that only worked in movies...

But seriously, in a large company like that I wouldn't expect such large transactions (or even small ones) to happen without prior authorization in the ERP system. The finance guys won't transfer even a handful of euros without having the beneficiary in the system or if there is no PO and invoice, or transfer order (or whatever these things are called). Email by itself should not be considered sufficient authorization, ever, certainly not an email that also contains the request and bank details.

Re:Suprised she could move that much without conce

[Opportunist]

Maybe I can explain that without breaking NDAs, because we have been tasked with solving this problem for a few customers.

First, 40 million isn't really that big a deal for many companies. 40 millions are a routine amount for some industries. That's not to say that they wouldn't "feel" the impact of losing 40 million, there are industries that have an insane amount of money throughput without a lot of revenue. You see that in refinement industries that gobble up insane amounts of (sometimes expensive) raw materials, producing (even more expensive) intermediate products with little revenue, so that you have industries with a turnover in the billions and an annual profit in the single digit millions. You see that a lot in food or even more in oil industries.

So yes, transferring 40 millions could well be a rather normal business operation.

And two factor means little if you have two people who use the same input because the reason behind the two factor was that the company wants to ensure that nobody can pull an inside job and embezzle money. The companies that are being scammed are usually companies with a branch in a foreign country that is fully dependent and takes orders from the main office. Also, in general companies are preferred that have a strictly hierarchical structure where questioning authority is frowned upon and slavishly following orders is rewarded. Such companies are prime targets and there it also usually works.

Your example isn't really comparable for two reasons. First, it was the CFO that noticed the problem, a person who has authority and who would even in a strictly hierarchical system be able to talk directly to the CEO, maybe in secrecy so nobody would notice that he "questions" the boss, but even if not he is in a position where he may, if not must, question such decisions. Also, I would assume that the culture in your company is not one of "me boss, you nothing".

The situation in the scams is very different. Every successful scam so far was pulled at a foreign branch where the people tasked with transferring the money can't simply go informally to their boss and ask whether that's ok, they would have to call or write mails, which might leave a paper trail or be noticed by third parties, also you usually deal with companies here that have a strict hierarchy where you do not question orders.

Two factor doesn't help here either, because then simply the other person who would need to agree gets the same mail, and likewise cannot question it. What would help is being able and allowed to verify the order or, better, have a digital signature system in place and people who know how to use it.

Re:Encryption and Digital Signatures

[houghi]

Perhaps she did it a previous two time and the response was "I SEND YOU THE FUCKING EMAIL, NOW SEND ME THE FUCKING MONEY!" Yes, there are bosses like that.

Smaller scams also use the same method

[UnknowingFool]

A few years back, someone emailed different HR people posing as the CEO. The "CEO" wanted them to email a copy of every employee's W-2. While that doesn't affect the company, it affects every employee as the scammers know detailed and vital information about every employee. That information could be used to pilfer the employee's tax refunds, banks, etc.

The CEO is a bit eccentric so a copy of every W-2 would not be the strangest thing he could request. That meant that he wanted thousands of W-2 PDFs emailed to him. Luckily HR knew the CEO well enough that 1) he was technologically capable enough and wouldn't have them email him copies; he would want it on a network drive he could access, 2) he would never ask a low level HR person himself for the information; he would have asked head of HR, 3) and he wouldn't care about details of thousands of employees personal information; he would want someone to create a summarized report about whatever information he needed like the average salary by demographic, state, etc. Also they thought it might be a violation of privacy laws to send information like that over email. But we learned that other companies were not so fortunate and fell for the scam.

After that, the IT department changed the email system so that spoofed email addresses could not look authentic. It would no longer say: "Smith, John (CEO)" but "asdf@random.internetaddress.com".