Slashdot Mirror


A Canadian University Gave $11 Million To a Scammer (vice.com)

A Canadian university transferred more than $11 million CAD (around $9 million USD) to a scammer that university staff believed to be a vendor in a phishing attack, a university statement published on Thursday states. From a report: Staff at MacEwan University in Edmonton, Alberta became aware of the fraud on Wednesday, August 23, the statement says. According to the university, the attacker sent a series of emails that convinced staff to change payment details for a vendor, and that these changes resulted in the transfer of $11.8 million CAD into bank accounts that the school has traced to Canada and Hong Kong. The school is working with authorities in Edmonton, Montreal, London, and Hong Kong, the statement reads. According to the university, its IT systems were not compromised and no personal or financial information was stolen. A phishing scam is not technically a "hack," it should be noted, and only requires the attacker to convince the victim to send money. The school's preliminary investigation found that "controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed."

52 comments

  1. Canada is full of suckers by mmiscool · · Score: 0

    lol. He was polite enough to update the account details.

    1. Re: Canada is full of suckers by Anonymous Coward · · Score: 0

      TCP at least has a handshake before opening a connection. If you're dealing with a financial transaction, please at least include that much security in your process.

  2. As a result by fibonacci8 · · Score: 5, Funny

    The phisher was awarded an honorary degree in social engineering.

    --
    Inheritance is the sincerest form of nepotism.
    1. Re:As a result by Anonymous Coward · · Score: 0

      scholarship to black hat academy

    2. Re:As a result by Anonymous Coward · · Score: 0

      Somehow when you say it like that I imagine a really nerdy Hogwarts with students walking around carrying keyboards.

    3. Re:As a result by OzPeter · · Score: 1

      keyboards? how quaint

      we use touchscreen tablets now

      Siri, Alexa and Cortana disagree

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re:As a result by Anonymous Coward · · Score: 0

      Have fun coding malware by voice control. You might dictate one whole exploit by the time the semester ends.

    5. Re:As a result by Anonymous Coward · · Score: 0

      Still worth more than a degree in social sciences.

    6. Re:As a result by Anonymous Coward · · Score: 0

      Sir, you just won the Internet. Well played.

      These scams are popular. A company I know (ahem) lost $800k until a vendor was demanding payment (whaa? we, er, they, paid). Needed controls were put into place before routing numbers can be changed.
      I do infosec and about 30 of these 'our new routing number is' emails have been reported to me in the last year. Most are quite well done and the scammer did their research on the targets (supplier and vendor).

      -T

  3. Universities deserve to be scammed by Anonymous Coward · · Score: 0, Interesting

    With the cost of tuition and text books, people should be scamming them.

    1. Re:Universities deserve to be scammed by Anonymous Coward · · Score: 0

      Sucker! Everybody knows you don't need a degree to get a lucrative tech job.

    2. Re:Universities deserve to be scammed by Anonymous Coward · · Score: 0

      With the cost of tuition and text books, people should be scamming them.

      1) Universities don't control the cost of textbooks, publishers do
      2) A quick look at resident's cost for Canadian universities shows an average tuition of $5428 US and a max of $17808 US.
      The average cost of a 4-year college in the US, is, by comparison, at least $23,600, and the most expensive about $43k

    3. Re:Universities deserve to be scammed by Anonymous Coward · · Score: 0

      You're comparing one year of Canadian University to 4 years of US.

    4. Re:Universities deserve to be scammed by magarity · · Score: 2

      1) Universities don't control the cost of textbooks, publishers do

      Professors who write the textbooks that are required for their classes have a non trivial part to play in that cost.

    5. Re:Universities deserve to be scammed by alexo · · Score: 1

      1) Universities don't control the cost of textbooks, publishers do

      Professors require that students use the latest edition of the books, killing the used book market and keeping prices artificially high.

      2) A quick look at resident's cost for Canadian universities shows an average tuition of $5428 US and a max of $17808 US.
      The average cost of a 4-year college in the US, is, by comparison, at least $23,600, and the most expensive about $43k

      The Canadian tuition you quoted is per-year (see official stats here

    6. Re: Universities deserve to be scammed by Anonymous Coward · · Score: 0

      Actually he is not. If you went to university you'd realize that. Or do you really think the most expensive school in the US charges under $11,000/yr?

      Cue the goal post shift in 3...2...1...

    7. Re:Universities deserve to be scammed by easyTree · · Score: 1

      Yep, it's only fair, universities have been scamming students for generations - that does seem to be tailing off though...

    8. Re: Universities deserve to be scammed by easyTree · · Score: 1

      Cue the goal post shift in 3...2...1...

      Actually, goal-posts are no longer the de-facto standard for this type of idea-transfer.

    9. Re:Universities deserve to be scammed by Hognoxious · · Score: 1

      The Canadian tuition you quoted is per-year

      And? Do you seriously think the most expensive college in the US is 43 grand for the whole shebang?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re: Universities deserve to be scammed by KGIII · · Score: 1

      It's CAD, so the conversion is probably wrong. It's more like $82.50 USD.

      --
      "So long and thanks for all the fish."
    11. Re:Universities deserve to be scammed by Gr8Apes · · Score: 1

      Doing a quick search reveals that even the cheapest universities' tuition and fees run $5K per year. Tuition runs between 10-24K depending upon in/out of state tuition. However, if you're wanting to go to an accredited university, you can look at 10K / year as a minimum, if you're in-state, and that was checking two known "cheap" universities for in state tuition. It's more than 21K / year if you're out of state.

      --
      The cesspool just got a check and balance.
  4. How is this any different? by SirDrinksAlot · · Score: 0

    Not really any different than all the shysters applying for grants for research projects at any University and providing bullshit results for the funding and additional funding?

    So much research these days is bunk, with stats and results skewed to support predetermined results or conclusions. Worse yet when someone gets a grant without the intention of just bullshitting, not being able to determine a result and skews it to justify funding.

    Granted there is sort of a reddit or imgur of research papers but it's totally voluntary. I feel like this could be curbed significantly if people were graded on their paper's quality regardless of where it's published (like the made up publications to 'publish' papers) and universities required a certain karma or what not to obtain funding. If you were a shitty researcher with consistently unreproducible results? No funding.

    1. Re:How is this any different? by Anonymous Coward · · Score: 0

      Yeah, because you as a /. expert on contemporary research know what you're talking about...

    2. Re:How is this any different? by Mitreya · · Score: 4, Informative

      Not really any different than all the shysters applying for grants for research projects at any University and providing bullshit results for the funding and additional funding?

      Eh? Have you ever applied for a grant?

      1) Grant application goes through a peer review -- so at the very least you need to convince ~5 peers and at least 1 program officer that your research is worthy of funding.
      2) 95% of money goes to the university and to students or postdocs (professors can only pay themselves in the summer for up to 2 months at most)
      3) You have to do annual reports, follow a bunch of rules on anything you buy, fill out an ungodly number of conflict-of-interest forms.

      I could go on. But it is really, really different from just getting the money, I assure you.

  5. Depends who's spinning by ScentCone · · Score: 2, Insightful

    A phishing scam is not technically a "hack,"

    Unless you're Clinton's campaign man Podesta or the DNC, in which case it's a Super Powerful Russian Hack That Only Trump Could Have Paid For.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Depends who's spinning by Anonymous Coward · · Score: 0

      ah, still butthurt that Trump dealings with Moscow keep on piling up?

      He can't pardon himself for everything, nor all his stooges. No surprise that he's already begun to do so though.

    2. Re:Depends who's spinning by ScentCone · · Score: 1

      ah, still butthurt that Trump dealings with Moscow keep on piling up?

      No, still highly amused that anonymous coward trolls think they're scoring some sort of rhetorical points in their safe space echo chamber by continuing to trot out the delusional narrative that Clinton lost the election, and the Democrats over years have lost nearly a thousand legislative seats and most of the governorships and both houses of congress, because Trump was working with the Russians ... in some way that nobody can cite, and for which there is no evidence.

      No surprise that he's already begun to do so though.

      Really! Please, do tell. Which people working on his campaign has he pardoned because they were convicted of working with the Russians? Can't wait for your citation, since you obviously know things that even CNN isn't willing to lie about. Please, some links to those pardons. That would be great. No? Ah, I see.

      --
      Don't disappoint your bird dog. Go to the range.
  6. Apparently this is popular by Sloppy · · Score: 2

    My city fell for that one.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  7. Proof again by Anonymous Coward · · Score: 0

    That Canadians are really nice people!

  8. I blame lazy staff by Anonymous Coward · · Score: 0

    I know we can't expect a minimum wage paid clerk to understand the content of an email header, let alone know how to display it, but....How hard is it to make A PHONE CALL to said vendor to confirm the change of bank info?

    1. Re:I blame lazy staff by Anonymous Coward · · Score: 0

      I blame years of budget cuts for tired overworked staff.

    2. Re:I blame lazy staff by Anonymous Coward · · Score: 0

      Maybe they did. It's possible the scammer included a bogus, but functional dial-back number.

      How many office clerks would realize the importance of dialing a number they've used in the past versus going by whatever is shown in the email / fake website? I'd wager even some savvy internet users would fall for it. A related approach some scammers use is calling and spoofing the number caller-id as being from the alleged company. Many people assume caller-id can be trusted, or at least being somewhat accurate, when it's generally anything goes.

      To digress, it's interesting how many news articles make it seem caller-id spoofing is relatively recent when it was a known issue even 25 years ago. Heck, even some BBSes utilized dial-back security as did many companies back then. ANI provides more information, but the general public doesn't have access to that, and it's no panacea with how open the phone system infrastructure is today compared to back then.

      Some phone companies, at least a decade or more so ago, did provide a special paid feature (Verizon was *57 from what I recall) to report fraudulent or harassing calls that would be researched in more detail, presumably utilizing ANI data. These days it seems phone companies will often claim they have no idea where calls are coming from, which seems dubious, since surely they need to for billing purposes. They just don't want to put in the effort to help tackle the issue, since they're making money either way. It's the main reason telemarketing calls got so bad on land-lines.

      Bottom line, the bigger issue is the lack of controls for large fund transfers without a defined procedure of verification out of band.

  9. No honor among thieves, eh? by Anonymous Coward · · Score: 0

    University is pretty much a scam these days, so at this point I laugh at stories like these.

  10. College, not University by Anonymous Coward · · Score: 0

    Technically Grant MacEwan is not really a university but a college. They were just allowed to change their name a few years ago and don't have an academic research program.

  11. Canadian Universities not like US by Roger+W+Moore · · Score: 1

    With the cost of tuition and text books, people should be scamming them.

    Have you looked at the cost of tuition in Canada? It is far, far less than the US and now even the UK. At UAlberta the typical total tuition costs (all union, transit etc. fees included) for a Canadian (resident or citizen) student taking a full course load are ~$8k/year for science - and those are Canadian dollars so about US$6k. If you want accommodation and food in a residence the cost rises to just under $16k/year (CAD). You can do the calculation here. The institute in question, Grant MacEwan, should be even cheaper. Compare that to the standard £9,000 tuition (~$14,500) in the UK and ~US$40-60k for a top university in the US.

    As for the text books, those profits go to the publishers, not the university and frankly the price has started to tick off so many of us faculty that we are either writing our own or using free/open resources at least for lower level courses.

    1. Re:Canadian Universities not like US by Wrexs0ul · · Score: 1

      Maybe if you're not taking labs. I graduated from there a long time ago and had science semesters over that amount.

      This number is deceivingly low. Add a couple chem or bio labs that most science programs require and you'll easily hit 10k. Engineering or any professional degree is significantly more.

      --
      --- Need web hosting?
    2. Re:Canadian Universities not like US by easyTree · · Score: 1

      How about a comparison of the quality of their graduates?

    3. Re:Canadian Universities not like US by Anonymous Coward · · Score: 0

      Yes. How about it? Placing Canadian University graduates up against US schools is not something Canadians are afraid of.

    4. Re:Canadian Universities not like US by tlhIngan · · Score: 1

      Maybe if you're not taking labs. I graduated from there a long time ago and had science semesters over that amount.

      This number is deceivingly low. Add a couple chem or bio labs that most science programs require and you'll easily hit 10k. Engineering or any professional degree is significantly more.

      It's even cheaper if you're in-province, actually. I think I paid just about $100/credit, and a typical engineering load was 36-39 credits a semester. So it was under $8K Canadian a year. Arts and Sciences with 20-30 credits a semester is even cheaper.

      My labs were included - they are billed by credits as well. Books were a significant part of the cost.

      Out of province Canadians were charged a little more, probably around $200/credit. Out of country people were really billed a lot - a few of my friends were out of Canada students and they were paying the $20K/semester fees.

      And yes, if you're wondering, taxes pay for a lot of it. Though I'm sure I've repaid them a few times over already. Government also gives a huge incentive to save up for education - Registered Education Savings Plans (RESP) are tax-free (you're taxed when you withdraw), and the government contributes 20% of what you contribute every year up to $500. Put in $2500 and the government/taxpayers kick in $500 so it grows by $3000 a year. You can't withdraw it until you're at least 18 and it has to be used on a recognized educational program - otherwise the government will want their contribution back and you lose the tax-free status.

      Canadian universities are cheap, and a lot of them are great. Most provinces should actually have a world class university, so really, one shouldn't need to study out of province, or even out of Canada.

    5. Re:Canadian Universities not like US by Roger+W+Moore · · Score: 1

      How about a comparison of the quality of their graduates?

      US graduates, at least in physics, have to spend several years taking a lot of courses to get to the same level that a Canadian graduate can get to with far fewer courses. The US system provides a slightly broader but very much shallower education which makes US graduates far weaker than comparable graduates from Canada or Europe when it comes to knowledge of the subject they graduated in. This is why the US needs such extensive graduate programs for MSc/PhD students to bring them up to the level to compete on the international stage. At the post-grad level the US is just as good as anywhere else because of this but after a bachelor's degree, the US standard of knowledge in a subject is decidedly lower than most other countries I'm aware of.

      This is also reflected in the textbooks we use for first year courses, which are aimed at the US market and which are becoming increasingly below the standard we need in Canada, and indeed this has now led several publishers to work on Canadian-specific versions.

  12. Off-topic by Anonymous Coward · · Score: 0

    "...a scammer that university staff believed to be a vendor in a phishing attack..."

    Why would they send money if they believed they were the target of a phishing attack?

  13. they have bankruptcy for student loans by Joe_Dragon · · Score: 1

    they have bankruptcy for student loans

    https://www.ic.gc.ca/eic/site/...

  14. lol by Anonymous Coward · · Score: 0

    The best and brightest amongst us indeed.

  15. A little education goes a long way by kbsoftware · · Score: 1

    "A phishing scam is not technically a "hack," it should be noted, and only requires the attacker to convince the victim to send money." It's also the easiest scam to protect yourself or organization from, all that is required is a bit of education.

    1. Re:A little education goes a long way by Anonymous Coward · · Score: 0

      all that is required is a bit of education.

      Maybe send them to a university? Oh, wait...

  16. A wise professor once said by Anonymous Coward · · Score: 0

    It's immoral to let a sucker keep his money.

  17. Misleading Info by Anonymous Coward · · Score: 0

    The story is a bit misleading. The Contractor was actually doing work at the university and was owed money for the work it was doing. What the miscreants did was convince the appropriate university staff to change the banking information they had in their system for the contractor. When their AP department then wired the expected payment, it was sent to the miscreants' bank account rather than the contractor's bank account. They DID NOT convince the university to send money to the "hackers".

  18. Thank goodness by Anonymous Coward · · Score: 0

    It's only Canadian money, I was worried for a second.