Slashdot Mirror


One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.

29 of 189 comments

  1. Encryption and Digital Signatures by The+Other+White+Meat · · Score: 5, Insightful

    If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

    --
    --- Generation X: The first generation to have SIG lines inferior to their parents... ---
    1. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 5, Insightful

      Surely she should at least have called him on the phone to confirm the request?

    2. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 3, Informative

      You don't even need that, all you need to do is separately reverse the conversation to confirm.

      Get an e-mail from the CEO asking for X? Look the CEO's phone number up in your rolodex and CALL them to ask for confirmation that you should do X.

      This form of "authorization verification" has been around for hundreds of years, ever since someone could forge a letter.

      (Email equivalent is to compose-new-email and choose their e-mail from your enterprise contacts, NOT reply to the existing message.)

    3. Re:Encryption and Digital Signatures by NicknameUnavailable · · Score: 2

      If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

      Secure crypto tools are illegal to export overseas and there's a good chance they are running Windows. Open source tools don't suffer the same issue, but they do lack a huge amount of the business-specific features needed for an enterprise that large (not to suggest it's impossible, but it's practically impossible given the small number of people capable of operating an open source enterprise scale environment and the number of them needed to keep it running.)

    4. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 3, Funny

      Can you confirm you want to fire them all?

    5. Re:Encryption and Digital Signatures by Gussington · · Score: 5, Interesting

      I did a short term job on a business banking support desk about 15 years ago. Back then customers had an app to do their banking which had a key mailed out separately to validate the account to the app. I had access to the app and the keys, so I only needed a valid username and password to impersonate a customer and execute a transaction. Being the old days when no-one knew about computers or security, people would often forget their passwords and ring up to get a new one, and the check for this was a fax of the user's signature against a record at the bank. Also having access to this, the plan was simple:
      1. Setup a PC with the app
      2. Ring up the bank to impersonate a user. Send in a copy of a signature on file
      3. Receive password, and empty the account
      Bank transfers occur overnight and international takes two days. So if it was done before the afternoon cutoff, you could have the money out of the country within 36 hours. Some of our customers had hundreds of millions of dollars.
      The only thing stopping me was balls not made of steel. Looking back I should've done it. Even if caught I'd be out of jail by now :)

    6. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 5, Funny

      $40m is different from $40M. 4 cents isn't a big deal.

    7. Re:Encryption and Digital Signatures by dbIII · · Score: 4, Insightful

      The only thing stopping me was balls not made of steel

      I'd say you were also stopped by an upbringing that wasn't completely worthless and didn't turn you into a sociopath.

    8. Re:Encryption and Digital Signatures by Opportunist · · Score: 3, Insightful

      What line? Use digitally signed mails everywhere and the line can as well be drawn at a single cent, it's not like there's any overhead involved.

      The first thing that happened when the first scam hit the papers was that we ensured everyone knows how to spot mails with bogus signatures (we have encrypted+signed mails as a standard for a few years now), that was basically all we had to do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Encryption and Digital Signatures by Opportunist · · Score: 2

      "Are you questioning my orders? Are you trying to undermine my authority? WHAT IS WRONG WITH YOU???"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Encryption and Digital Signatures by Opportunist · · Score: 2

      That's why a good CEO knows what to hand over and to listen to what comes back. He doesn't need to know anything about "that computer stuff". What he needs is a CIO and a CISO who do, who tell him what is necessary, and he needs to heed their advice, because that's why he pays those two (and it better be two) more than their staff combined.

      Of course, if you use the CISO position as a scapegoat ejector seat, that's of course also doable. It just might be more expensive.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Encryption and Digital Signatures by JaredOfEuropa · · Score: 4, Informative

      "Call him? You really want to call the general to confirm these orders? At this late hour? Sure, go ahead. Here, use my phone, it's your neck". I thought that only worked in movies...

      But seriously, in a large company like that I wouldn't expect such large transactions (or even small ones) to happen without prior authorization in the ERP system. The finance guys won't transfer even a handful of euros without having the beneficiary in the system or if there is no PO and invoice, or transfer order (or whatever these things are called). Email by itself should not be considered sufficient authorization, ever, certainly not an email that also contains the request and bank details.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    12. Re:Encryption and Digital Signatures by houghi · · Score: 5, Informative

      Perhaps she did it the previous two times and the response was "I SEND YOU THE FUCKING EMAIL, NOW SEND ME THE FUCKING MONEY!" Yes, there are bosses like that.

      --
      Don't fight for your country, if your country does not fight for you.
    13. Re:Encryption and Digital Signatures by gsslay · · Score: 4, Insightful

      Your company is just ripe for this kind of scam, then.

      This is why companies with any sense, and decent financial auditing, have a non-negotiable, set procedure for moving money around. Especially when dealing with large sums like 40 million Euro. All that tedious form filling, signing and authorising is not done just to give the admin staff additional work, and a sense of power. It's to prevent the company being scammed.

  2. IT Contractors by Anonymous Coward · · Score: 5, Insightful

    All those contractors you outsourced to are selling your internal procedures for scams like this.

  3. Aren't transactions like this tracked? by caseih · · Score: 3, Interesting

    Are not transactions like this tracked along the way and why can't the banks just reverse all the transactions?

    1. Re:Aren't transactions like this tracked? by AK+Marc · · Score: 2, Informative

      In the US, the consumer protections are almost non-existent. Fraud is often legal, under the banner "caveat emptor". Most of the world isn't the same. Here, if someone sends you $1,000,000 by accident, the bank will reverse it, and if you spent it, that's theft. Everyone uses bank transfers for everything. Nobody writes checks, and most stores won't take them.

    2. Re:Aren't transactions like this tracked? by whoever57 · · Score: 2, Funny

      Apparently, they are instant and basically the same thing as handing a bag of cash to the recipient

      What, you mean that the money doesn't flow, a few dollars at a time, from one account to the other, with a progress bar to show how much has transferred, like Hollywood has shown me in countless movies and TV shows?

      I'm shocked! </sarcasm>

      --
      The real "Libtards" are the Libertarians!
    3. Re:Aren't transactions like this tracked? by whoever57 · · Score: 2

      My thoughts exactly. I've been able to get my bank to refund as little as $200 before due to identity theft using my debit card, and that was when an item was purchased, so someone had to actually eat the charges. In this case, it seems like they see where the money went.

      There was no recovery of your money. Someone ate the cost of the loss: either your bank or the merchant.

      Maybe since it has to do with international borders, it'll just take a little more time.

      No, it's gone. The money will have flowed through a jurisdiction where the banks will not cooperate in recovery.

      On a smaller scale, a similar scam is happening with house purchases in the UK (and perhaps elsewhere)

      --
      The real "Libtards" are the Libertarians!
    4. Re:Aren't transactions like this tracked? by FlyHelicopters · · Score: 2

      It sounds like you've never had money stolen from a bank account via a debit card, and I hope you never have to go through that. But I can tell you it's a pain in the ass. Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.

      You aren't listening... The bank didn't get your money back, the bank gave you some of its own money...

  4. Sounds like a problem with BPO by ErichTheRed · · Score: 3, Insightful

    The company I work for is a medium size multinational. We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work. I've been working there for a while, and it seems to me that routine work is getting shipped to cheaper and cheaper countries every year. First it was Eastern Europe, then India, then the Philippines, now Central American countries. I can definitely see something like this happening with some of our core processes. If it followed the flowchart exactly, with all the right steps completed, and everything was in order, not one question would be raised.

    That said, every company is susceptible to this whether the employees are onshore or off. The problem is knowing when to bother the CEO on his yacht, or the golf course, or the luxury resort he's staying at to ask him a question about routine business...especially when you have a message that looks like it came right from him. Properly implemented digital signatures would help in this case -- but think about the fact that EV certs turn the entire address bar bright green and no one notices that, and they click "Yes" to every pop-up that comes their way.

    1. Re:Sounds like a problem with BPO by whoever57 · · Score: 2

      We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work.

      It has nothing to do with size. The problem is that your CXX execs are too tight-fisted to pay for and develop quality outsourcing. I know, because I worked for a very small company that was able to hire the very best offshore employees.

      --
      The real "Libtards" are the Libertarians!
  5. Surprised she could move that much without concern by Scoldog · · Score: 5, Interesting

    We're in the process of tracking the same type of emails within our company.

    It started two weeks ago when our CFO received an email purportedly from our CEO asking him to transfer money. The CFO was suspicious the second he read it, as the email was well written, had proper grammar and had more than two sentences unlike actual emails from our CEO (I wish I was joking about this, but I'm not).

    We're still trying to see where these emails are coming from.

    Even if he fell for it and tried to send the money, we have a two factor banking system where someone else with authority has to verify the transfer, authorise it and send it. We handle limits well below 40 million.

    I'm surprised one person can transfer 40 million euros without raising any eyebrows beforehand.

    --
    This space for rent
  6. These are rampant. by Mike+Van+Pelt · · Score: 5, Informative

    This has been going on for at least three years that I know of. There's no real "hacking" involved here at all. Just solid research and social engineering.

    The thief finds out the name of the CEO, and possibly his email address.

    He then finds the name and email address of the treasurer or controller, someone who can transfer funds.

    The thief may register a look-alike domain, for instance, "RealCeoName@cornpany.com" instead of "RealCeoName@company.com". (Depending on your font, you might not be able to tell the difference between those two without a magnifying glass. Or even with one.) Or, he may send the email forged as "from" the CEO's real email address with a Reply-To header diverting replies to a Gmail, Hotmail, or Rob-U-Blind.ru email address. (We all know how easy it is to forge email addresses, right?) Or, he may just have a normal-looking Yahoo address. Usually, the "human readable name" of the From header is the CEO's real name, so MS Outbreak will helpfully not show the victim that the email address is not right.

    The thief addresses the treasurer or controller by name. Sometimes the initial email is nothing more than "Hey, Bob, are you in the office today?" If Bob bites, then the pitch for the transfer is sent. Or, the transfer request might be right up front. A common phrase is "I'm in meetings and can't take calls, kindly email me." If the thief gets no answer, he'll often send a "Bob, did you get my last email?" ping.

    Amounts are usually in the few tens of thousands of dollars. If the financial officer falls for it, more transfer requests are likely to follow until they finally wise up.

    I saw one where the thief somehow knew about a legitimate transaction, and inserted himself, saying "We changed banks, send the payment for that shipment of widgets to our new account, ..." That one I suspect was an inside job.

    A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.

    Defense: Everyone who handles money, and everyone who says how money is to be handled, most especially the CEO, must agree and sign off on an absolutely inflexible rule that financial transactions are NEVER NEVER NEVER done just on the basis of email. Actual voice confirmation should be required, or the request must go through the company's normal accounting application, etc.
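The header patterns the post above describes (the executive's real name in the display name, a look-alike domain such as cornpany.com, and a Reply-To that diverts answers to a freemail address) can be triaged mechanically on the receiving side. This is an added example, not code from the poster; the sample message, the domain company.com and the executive name are constructed placeholders, and the confusable-character list is a deliberately short one.

```python
import email
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed sample message (not from the article). It combines the three
# tricks the post lists: exec's real name as display name, look-alike domain,
# and a Reply-To pointing at a freemail account.
SAMPLE_MSG = """\
From: Real Ceo Name <RealCeoName@cornpany.com>
Reply-To: real.ceo.name@gmail.com
To: bob@company.com
Subject: Hey Bob, are you in the office today?

I'm in meetings and can't take calls, kindly email me.
"""

# Hypothetical policy inputs: the company's real domain and the names most
# likely to be impersonated (compared case-insensitively).
TRUSTED_DOMAIN = "company.com"
EXEC_NAMES = {"real ceo name"}

# Character sequences that render alike in many fonts; folding them makes
# "cornpany" compare equal to "company".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def fold_confusables(domain: str) -> str:
    d = domain.lower()
    for seq, rep in CONFUSABLES:
        d = d.replace(seq, rep)
    return d


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain is not the trusted one but is visually or nearly identical."""
    if domain.lower() == trusted.lower():
        return False
    if fold_confusables(domain) == fold_confusables(trusted):
        return True
    # One-character typo domains (compamy.com) also count as look-alikes;
    # unrelated domains such as gmail.com score well below this threshold.
    return SequenceMatcher(None, domain.lower(), trusted.lower()).ratio() >= 0.9


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str, trusted: str = TRUSTED_DOMAIN, exec_names=EXEC_NAMES) -> list:
    """Return finding codes for a raw RFC 822 message; an empty list means no red flag."""
    msg = email.message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_to)
    findings = []
    # Display name says "the CEO" but the address is not on the company domain.
    if name.strip().lower() in exec_names and from_dom != trusted.lower():
        findings.append("exec-display-name-external-address")
    if is_lookalike(from_dom, trusted):
        findings.append("lookalike-sender-domain")
    # Replies would silently go somewhere other than the apparent sender.
    if reply_to and reply_dom != from_dom:
        findings.append("reply-to-diverted")
    return findings
```

Flagged messages are candidates for the out-of-band confirmation the thread recommends; the check does not replace it.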

  7. Re:Question for finance folks by Hognoxious · · Score: 3, Insightful

    I've worked on accounts payable systems.

    The right way is that (petty cash aside) you don't pay anything that doesn't have an invoice. You wouldn't have an invoice if there's no purchase order. You might also have a delivery note, in which case you'd check the quantities match at least approximately. And you wouldn't have any of the above if there's no vendor master. The vendor master contains the account details to pay into.

    You split the task up so it takes at least two people (ideally three) to do all the steps above.

    Of course that's not agile or webspeed enough for millennials, which is why fuckups happen.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
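The control chain described above (no payment without an invoice, no invoice without a purchase order, bank details only from the vendor master, delivery quantities roughly matching, and at least two distinct people involved) written out as a release check; it also covers the point made earlier in the thread that an email carrying its own bank details must never be treated as authorization. This is an added example, not the poster's code or any ERP's logic; VENDOR_MASTER, PURCHASE_ORDERS, INVOICES and the request fields are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed master data (not real). The vendor master is the only source of
# a payee's bank account; details typed into a request are never paid to.
VENDOR_MASTER = {
    "V-1001": {"name": "Widget Supplier GmbH", "iban": "DE00-CONSTRUCTED-IBAN-0001"},
}
PURCHASE_ORDERS = {"PO-7781": {"vendor_id": "V-1001", "qty": 1000}}
INVOICES = {"INV-2231": {"vendor_id": "V-1001", "po_number": "PO-7781",
                         "qty": 1000, "amount": 48000.0}}


@dataclass
class PaymentRequest:
    vendor_id: str
    po_number: Optional[str]
    invoice_number: Optional[str]
    amount: float
    requested_by: str                     # person who entered the request
    approvers: list = field(default_factory=list)
    delivery_qty: Optional[int] = None    # from the delivery note, if any
    requested_iban: Optional[str] = None  # account quoted in the request/email


def check_payment(req: PaymentRequest, min_people: int = 2,
                  qty_tolerance: float = 0.05) -> list:
    """Return control failures; an empty list means the payment may be released."""
    failures = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        failures.append("no-vendor-master")
    elif req.requested_iban and req.requested_iban != vendor["iban"]:
        # The request tries to redirect funds to an account not on file.
        failures.append("bank-account-not-in-vendor-master")
    po = PURCHASE_ORDERS.get(req.po_number)
    inv = INVOICES.get(req.invoice_number)
    if po is None or po["vendor_id"] != req.vendor_id:
        failures.append("no-matching-purchase-order")
    if inv is None or inv["vendor_id"] != req.vendor_id or inv["po_number"] != req.po_number:
        failures.append("no-matching-invoice")
    elif abs(inv["amount"] - req.amount) > 0.005:
        failures.append("amount-differs-from-invoice")
    # Delivery note, when present, must agree with the invoice at least approximately.
    if inv is not None and req.delivery_qty is not None:
        if abs(req.delivery_qty - inv["qty"]) > qty_tolerance * inv["qty"]:
            failures.append("delivery-quantity-mismatch")
    # Separation of duties: the requester may not approve, and enough distinct
    # people must have handled the payment.
    people = {req.requested_by, *req.approvers}
    if req.requested_by in req.approvers or len(people) < min_people:
        failures.append("separation-of-duties")
    return failures
```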
  8. Re:Question for finance folks by Opportunist · · Score: 2

    What's common practice is dictated by how your company is run. I don't remember who did the analysis, but the bottom line was something akin to "the more authoritarian the company is led (read: the more of an asshole your boss is), the higher the chance that employees will simply carry out even unsigned orders, knowing that their boss would go ballistic if they dared to ask him for confirmation, which would be considered talking back or challenging his decision and position of authority".

    So in other words, this mostly affects companies with asshole bosses. And who could ever deserve it more?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:Surprised she could move that much without conce by Opportunist · · Score: 4, Informative

    Maybe I can explain that without breaking NDAs, because we have been tasked with solving this problem for a few customers.

    First, 40 million isn't really that big a deal for many companies. 40 million is a routine amount for some industries. That's not to say that they wouldn't "feel" the impact of losing 40 million, there are industries that have an insane amount of money throughput without a lot of revenue. You see that in refinement industries that gobble up insane amounts of (sometimes expensive) raw materials, producing (even more expensive) intermediate products with little revenue, so that you have industries with a turnover in the billions and an annual profit in the single digit millions. You see that a lot in food or even more in oil industries.

    So yes, transferring 40 million could well be a rather normal business operation.

    And two factor means little if you have two people who use the same input because the reason behind the two factor was that the company wants to ensure that nobody can pull an inside job and embezzle money. The companies that are being scammed are usually companies with a branch in a foreign country that is fully dependent and takes orders from the main office. Also, in general, companies that have a strictly hierarchical structure where questioning authority is frowned upon and slavishly following orders is rewarded are preferred. Such companies are prime targets and there it also usually works.

    Your example isn't really comparable for two reasons. First, it was the CFO that noticed the problem, a person who has authority and who would even in a strictly hierarchical system be able to talk directly to the CEO, maybe in secrecy so nobody would notice that he "questions" the boss, but even if not he is in a position where he may, if not must, question such decisions. Also, I would assume that the culture in your company is not one of "me boss, you nothing".

    The situation in the scams is very different. Every successful scam so far was pulled at a foreign branch where the people tasked with transferring the money can't simply go informally to their boss and ask whether that's ok, they would have to call or write mails, which might leave a paper trail or be noticed by third parties. Also, you usually deal with companies here that have a strict hierarchy where you do not question orders.

    Two factor doesn't help here either, because then simply the other person who would need to agree gets the same mail, and likewise cannot question it. What would help is being able and allowed to verify the order or, better, have a digital signature system in place and people who know how to use it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:Surprised she could move that much without conce by tehcyder · · Score: 4, Funny

    Could you please let me know what the limit at your company is?

    Not the subtlest piece of attempted social engineering I've ever seen.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  11. Smaller scams also use the same method by UnknowingFool · · Score: 3, Informative

    A few years back, someone emailed different HR people posing as the CEO. The "CEO" wanted them to email a copy of every employee's W-2. While that doesn't affect the company, it affects every employee as the scammers know detailed and vital information about every employee. That information could be used to pilfer the employee's tax refunds, banks, etc.

    The CEO is a bit eccentric so a copy of every W-2 would not be the strangest thing he could request. That meant that he wanted thousands of W-2 PDFs emailed to him. Luckily HR knew the CEO well enough that 1) he was technologically capable enough and wouldn't have them email him copies; he would want it on a network drive he could access, 2) he would never ask a low level HR person himself for the information; he would have asked the head of HR, 3) and he wouldn't care about details of thousands of employees' personal information; he would want someone to create a summarized report about whatever information he needed like the average salary by demographic, state, etc. Also they thought it might be a violation of privacy laws to send information like that over email. But we learned that other companies were not so fortunate and fell for the scam.

    After that, the IT department changed the email system so that spoofed email addresses could not look authentic. It would no longer say: "Smith, John (CEO)" but "asdf@random.internetaddress.com".

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.