Slashdot Mirror


One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.

8 of 189 comments

  1. Encryption and Digital Signatures by The+Other+White+Meat · · Score: 5, Insightful

    If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

    --

    --- Generation X: The first generation to have SIG lines inferior to their parents... ---
    1. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 5, Insightful

      Surely she should at least have called him on the phone to confirm the request?

    2. Re:Encryption and Digital Signatures by Gussington · · Score: 5, Interesting

      I did a short term job on a business banking support desk about 15 years ago. Back then customers had an app to do their banking which had a key mailed out separately to validate the account to the app. I had access to the app and the keys, so I only needed a valid username and password to impersonate a customer and execute a transaction. Being the old days when no-one knew about computers or security, people would often forget their passwords and ring up to get a new one, and the check for this was a fax of the user's signature against a record at the bank. Also having access to this, the plan was simple:
      1. Setup a PC with the app
      2. Ring up the bank to impersonate a user. Send in a copy of a signature on file
      3. Receive password, and empty the account
      Bank transfers occur overnight and international takes two days. So if it was done before the afternoon cutoff, you could have the money out of the country within 36 hours. Some of our customers had hundreds of millions of dollars.
      The only thing stopping me was balls not made of steel. Looking back I should've done it. Even if caught I'd be out of jail by now :)

    3. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 5, Funny

      $40m is different from $40M. 4 cents isn't a big deal.

    4. Re:Encryption and Digital Signatures by houghi · · Score: 5, Informative

      Perhaps she had done it two previous times and the response was "I SENT YOU THE FUCKING EMAIL, NOW SEND ME THE FUCKING MONEY!" Yes, there are bosses like that.

      --
      Don't fight for your country, if your country does not fight for you.
  2. IT Contractors by Anonymous Coward · · Score: 5, Insightful

    All those contractors you outsourced to are selling your internal procedures for scams like this.

  3. Surprised she could move that much without concern by Scoldog · · Score: 5, Interesting

    We're in the process of tracking the same type of emails within our company.

    It started two weeks ago when our CFO received an email purportedly from our CEO asking him to transfer money. The CFO was suspicious the second he read it, as the email was well written, had proper grammar and had more than two sentences, unlike actual emails from our CEO (I wish I was joking about this, but I'm not).

    We're still trying to see where these emails are coming from.

    Even if he fell for it and tried to send the money, we have a two factor banking system where someone else with authority has to verify the transfer, authorise it and send it. We handle limits well below 40 million.

    I'm surprised one person can transfer 40 million euros without raising any eyebrows beforehand.

    --
    This space for rent
  4. These are rampant. by Mike+Van+Pelt · · Score: 5, Informative

    This has been going on for at least three years that I know of. There's no real "hacking" involved here at all. Just solid research and social engineering.

    The thief finds out the name of the CEO, and possibly his email address.

    He then finds the name and email address of the treasurer or controller, someone who can transfer funds.

    The thief may register a look-alike domain, for instance, "RealCeoName@cornpany.com" instead of "RealCeoName@company.com". (Depending on your font, you might not be able to tell the difference between those two without a magnifying glass. Or even with one.) Or, he may send the email forged as "from" the CEO's real email address with a Reply-To header diverting replies to a Gmail, Hotmail, or Rob-U-Blind.ru email address. (We all know how easy it is to forge email addresses, right?) Or, he may just have a normal-looking Yahoo address. Usually, the "human readable name" of the From header is the CEO's real name, so MS Outbreak will helpfully not show the victim that the email address is not right.

    The thief addresses the treasurer or controller by name. Sometimes the initial email is nothing more than "Hey, Bob, are you in the office today?" If Bob bites, then the pitch for the transfer is sent. Or, the transfer request might be right up front. A common phrase is "I'm in meetings and can't take calls, kindly email me." If the thief gets no answer, he'll often send a "Bob, did you get my last email?" ping.

    Amounts are usually in the few tens of thousands of dollars. If the financial officer falls for it, more transfer requests are likely to follow until they finally wise up.

    I saw one where the thief somehow knew about a legitimate transaction, and inserted himself, saying "We changed banks, send the payment for that shipment of widgets to our new account, ..." That one I suspect was an inside job.

    A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.

    Defense: Everyone who handles money, and everyone who says how money is to be handled, most especially the CEO, must agree and sign off on an absolutely inflexible rule that financial transactions are NEVER NEVER NEVER done just on the basis of email. Actual voice confirmation should be required, or the request must go through the company's normal accounting application, etc.
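The header tricks described in the comment above (a look-alike domain such as cornpany.com, a forged From with a diverted Reply-To, a free-mail address behind the executive's real display name, plus "kindly email me, can't take calls" pressure) can all be screened for mechanically at the mail gateway or in the finance team's inbox. The script below is an added example written for this page, not code from Slashdot, the commenter, or Leoni; the corporate domain, the executive directory, the free-mail list and the four sample messages are all assumed or constructed for the demonstration. It parses raw RFC 822 messages with the standard library and returns a list of indicators per message; a production check would also consult the SPF/DKIM/DMARC authentication results, which this example does not cover.

```python
"""Header heuristics for CEO-fraud / BEC e-mail (added example, not from the page)."""
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Assumed corporate directory: both the domain and the executive entry are placeholders.
CORPORATE_DOMAIN = "company.com"
EXECUTIVES = {"hans muster": "hans.muster@company.com"}
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
PRESSURE_PHRASES = ("kindly", "can't take calls", "keep this", "confidential", "urgent")

# Glyph pairs that render like a single letter in many fonts (rn -> m, vv -> w, ...).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))


def fold(domain):
    """Collapse confusable glyph pairs so that cornpany.com folds to company.com."""
    d = domain.lower()
    for pair, single in CONFUSABLES:
        d = d.replace(pair, single)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=CORPORATE_DOMAIN):
    """True when the domain is not ours but folds to, or is one edit away from, ours."""
    domain = domain.lower()
    if domain == target:
        return False
    return fold(domain) == fold(target) or edit_distance(domain, target) <= 1


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return the list of BEC indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    # Display name matches a known executive but the address is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display-name impersonation")
    if is_lookalike(from_dom):
        findings.append("lookalike sender domain")
    if from_dom in FREEMAIL:
        findings.append("freemail sender")

    # A forged From is useless to the thief unless replies are diverted elsewhere.
    for _, reply in getaddresses([str(h) for h in msg.get_all("Reply-To", [])]):
        if domain_of(reply) != from_dom:
            findings.append("reply-to diverted to " + domain_of(reply))

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(phrase in text for phrase in PRESSURE_PHRASES):
        findings.append("pressure language")
    return findings


# Constructed sample messages, one per trick from the comment plus one benign mail.
SAMPLES = {
    "lookalike": (
        'From: "Hans Muster" <hans.muster@cornpany.com>\n'
        "To: bob@company.com\nSubject: transfer\n\n"
        "Bob, I'm in meetings and can't take calls, kindly email me.\n"
    ),
    "replyto": (
        'From: "Hans Muster" <hans.muster@company.com>\n'
        "Reply-To: <ceo.hans.muster@gmail.com>\n"
        "To: bob@company.com\nSubject: transfer\n\n"
        "Bob, did you get my last email? Kindly confirm.\n"
    ),
    "freemail": (
        'From: "Hans Muster" <hansmuster.ceo@yahoo.com>\n'
        "To: bob@company.com\nSubject: hi\n\n"
        "Hey, Bob, are you in the office today?\n"
    ),
    "benign": (
        'From: "Hans Muster" <hans.muster@company.com>\n'
        "To: bob@company.com\nSubject: lunch\n\n"
        "Lunch at noon?\n"
    ),
}


def report(samples=SAMPLES):
    return {label: analyze(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in report().items():
        print(f"{label:9s} {findings or 'no indicators'}")
```

None of these checks is conclusive on its own (a real executive may well write "kindly"), which is why the comment's rule still stands: the indicators route a message to out-of-band voice confirmation, they never authorise a transfer by themselves.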