Slashdot Mirror


One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.
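The summary above says the CFO received mail "spoofed to look like it came from one of the company's top German executives". The following is an added example, not code from Leoni, Softpedia or the FBI, of the header checks a mail gateway or SOC script typically runs to flag that kind of BEC message: an executive's display name on a foreign address, a lookalike of the corporate domain, a Reply-To or Return-Path pointing elsewhere, and a failed SPF/DMARC result. The corporate domain `example-corp.test`, the executive directory and both sample messages are constructed for illustration.

```python
"""Header-level BEC / CEO-fraud checks.  Added example; the domain, the
executive directory and the sample messages below are all constructed."""
from __future__ import annotations
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.test"                 # assumed corporate domain
EXECUTIVES = {                                     # assumed directory: name -> real address
    "Klaus Probst": "k.probst@example-corp.test",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as c0rp/corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable red flags; an empty list means no finding."""
    msg = message_from_string(raw)
    flags: list[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    # 1. A known executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(from_name)
    if known and from_addr.lower() != known:
        flags.append(f"display-name impersonation: '{from_name}' <{from_addr}>")
    # 2. Sender domain is a near miss of the corporate domain.
    if from_dom != CORP_DOMAIN and 0 < edit_distance(from_dom, CORP_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain: {from_dom}")
    # 3. Replies quietly redirected to a domain other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Envelope sender (Return-Path) does not match the header From domain.
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # 5. The receiving MTA's own verdict, if it recorded one.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        flags.append("sender authentication failed: " + auth)
    return flags


# Constructed sample: the spoofed "urgent wire" message.
SPOOFED = """\
From: "Klaus Probst" <klaus.probst@example-c0rp.test>
Reply-To: <klaus.probst@freemail.example>
Return-Path: <bounce@freemail.example>
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=freemail.example; dmarc=fail header.from=example-c0rp.test
To: cfo.bistrita@example-corp.test
Subject: Urgent and confidential wire transfer

Please transfer the attached amount today and keep this between us.
"""

# Constructed sample: a legitimate internal message for comparison.
LEGIT = """\
From: "Klaus Probst" <k.probst@example-corp.test>
Return-Path: <k.probst@example-corp.test>
Authentication-Results: mx.example-corp.test; spf=pass; dmarc=pass header.from=example-corp.test
To: cfo.bistrita@example-corp.test
Subject: Q3 figures

Attached are the Q3 figures for the Bistrita plant.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw) or "no findings")
```

The `Authentication-Results` check only means something if the header was written by your own receiving MTA; an attacker can add one to the message themselves, so gateways normally strip inbound copies before appending their own. The lookalike check is deliberately loose (distance up to 2) and will need an allow-list of sister domains in a real deployment.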

3 of 189 comments

  1. Aren't transactions like this tracked? by caseih · · Score: 3, Interesting

    Are not transactions like this tracked along the way, and why can't the banks just reverse all the transactions?

  2. Surprised she could move that much without concern by Scoldog · · Score: 5, Interesting

    We're in the process of tracking the same type of emails within our company.

    It started two weeks ago when our CFO received an email purportedly from our CEO asking him to transfer money. The CFO was suspicious the second he read it, as the email was well-written, had proper grammar and had more than two sentences, unlike actual emails from our CEO (I wish I was joking about this, but I'm not).

    We're still trying to see where these emails are coming from.

    Even if he fell for it and tried to send the money, we have a two factor banking system where someone else with authority has to verify the transfer, authorise it and send it. We handle limits well below 40 million.

    I'm surprised one person can transfer 40 million euros without raising any eyebrows beforehand.

    --
    This space for rent
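The commenter above describes a bank setup where a transfer keyed by one officer must be verified, authorised and released by a second person with authority, under a limit. The following is an added example, not the commenter's company's system or any bank's code, of the dual-control ("four-eyes") logic such a workflow enforces: small payments may be released by a single authorised role, anything above a per-person limit needs a second, distinct approver, self-approval is refused, and anything above a hard ceiling is rejected outright. The roles, limits, user names and IBANs are constructed assumptions.

```python
"""Dual-control wire-transfer approval.  Added example; roles, limits,
user names and IBANs are constructed, not taken from any real system."""
from __future__ import annotations
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


# Assumed policy: above SINGLE_LIMIT a second approver is required;
# above HARD_LIMIT nothing is released through this channel at all.
SINGLE_LIMIT = Decimal("10000")
HARD_LIMIT = Decimal("1000000")
APPROVERS = {"cfo", "treasurer", "controller"}   # assumed authorised roles


@dataclass
class Transfer:
    tid: int
    initiator: str
    amount: Decimal
    beneficiary_iban: str
    state: State = State.PENDING
    approver: str | None = None
    log: list[str] = field(default_factory=list)   # audit trail of every decision


class PaymentDesk:
    def __init__(self) -> None:
        self._next = 1
        self.transfers: dict[int, Transfer] = {}

    def initiate(self, user: str, amount: str | Decimal, iban: str) -> Transfer:
        """Key a payment.  Decides immediately whether it is auto-approved,
        needs a second pair of eyes, or is refused for exceeding the ceiling."""
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        t = Transfer(self._next, user, amount, iban)
        self._next += 1
        if amount > HARD_LIMIT:
            t.state = State.REJECTED
            t.log.append(f"{user}: rejected, {amount} exceeds hard limit {HARD_LIMIT}")
        elif amount <= SINGLE_LIMIT and user in APPROVERS:
            t.state, t.approver = State.APPROVED, user
            t.log.append(f"{user}: auto-approved, within single-person limit")
        else:
            t.log.append(f"{user}: initiated, awaiting second approver")
        self.transfers[t.tid] = t
        return t

    def approve(self, tid: int, user: str) -> Transfer:
        """Second-person release.  Refuses non-approvers, non-pending items,
        and the initiator approving their own payment (separation of duties)."""
        t = self.transfers[tid]
        if t.state is not State.PENDING:
            raise PermissionError(f"transfer {tid} is {t.state.value}, not pending")
        if user not in APPROVERS:
            raise PermissionError(f"{user} is not an authorised approver")
        if user == t.initiator:
            t.log.append(f"{user}: self-approval refused")
            raise PermissionError("initiator may not approve their own transfer")
        t.state, t.approver = State.APPROVED, user
        t.log.append(f"{user}: approved")
        return t


def run_scenario() -> dict[str, str]:
    """Walk through the cases the comment raises and report each outcome."""
    desk = PaymentDesk()
    out: dict[str, str] = {}
    big = desk.initiate("cfo", "40000000", "CZ6508000000192000145399")
    out["40M by one officer"] = big.state.value
    mid = desk.initiate("cfo", "250000", "CZ6508000000192000145399")
    try:
        desk.approve(mid.tid, "cfo")
    except PermissionError as e:
        out["self-approval"] = str(e)
    try:
        desk.approve(mid.tid, "intern")
    except PermissionError as e:
        out["unauthorised approver"] = str(e)
    out["second approver"] = desk.approve(mid.tid, "treasurer").state.value
    out["small payment"] = desk.initiate("controller", "5000", "DE89370400440532013000").state.value
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

The control that matters for the story in the summary is the first branch: a single officer cannot release a payment of that size no matter how convincing the email is, because the desk never lets the initiator be the approver and caps what any approval chain can release.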
  3. Re:Encryption and Digital Signatures by Gussington · · Score: 5, Interesting

    I did a short-term job on a business banking support desk about 15 years ago. Back then customers had an app to do their banking which had a key mailed out separately to validate the account to the app. I had access to the app and the keys, so I only needed a valid username and password to impersonate a customer and execute a transaction. Being the old days when no one knew about computers or security, people would often forget their passwords and ring up to get a new one, and the check for this was a fax of the user's signature against a record at the bank. Also having access to this, the plan was simple:
    1. Set up a PC with the app
    2. Ring up the bank to impersonate a user. Send in a copy of a signature on file
    3. Receive password, and empty the account
    Bank transfers occur overnight and international takes two days. So if it was done before the afternoon cutoff, you could have the money out of the country within 36 hours. Some of our customers had hundreds of millions of dollars.
    The only thing stopping me was balls not made of steel. Looking back I should've done it. Even if caught I'd be out of jail by now :)