EY is a global leader in its Assurance, Tax, Transaction and Advisory services. It develops leaders who team up to deliver on their promises to all its stakeholders. In doing so, it plays a critical role in building a better working world for its people, its clients and its communities. EY refers to the global organization and may also denote one or more of the member firms of EY Global Limited, each of which is a separate legal entity. EY Global Limited, a UK company limited by guarantee, does not provide services to clients. Through this blog EY will provide viewpoints, commentary on trends and fresh perspectives on evolving issues relevant to executive decision makers. Disclaimer: The information presented on this blog should not be construed as legal, tax, accounting or any other professional advice or service.
Image: wk1003mike / Shutterstock.com
*Gaurav, a finance manager in a multinational company, was alerted one Monday morning when he received an email from *Shephali, the company’s chief financial officer (CFO). The email directed him to urgently make a payment of $10,476 against an attached invoice to a Cyprus-based vendor. Gaurav initiated the process immediately, bypassing some of the usual vendor checks because the payment was urgent and approved by his CFO. Only later that week, when he met Shephali for a monthly meeting, did he realise that the email had not been sent by her and that the company had been defrauded.
The subsequent investigation revealed that the email had come from a domain which looked very similar to the company’s own. In fact, the perpetrator had simply replaced the letter “m” with “rn”. The findings showed that the email server for the fake domain was hosted in The Netherlands with a lesser-known cloud service provider. The hacker had bought a cloud instance for a mere $10 and built his own email server from well-known open source software available for free. He then identified his targets through their social media profiles, which clearly stated their company, designation, location and connections. Moments after receiving the payment, the hacker destroyed the cloud instance, and with it the email server, leaving no trace of the crime.
In another instance, a second company was the target of a similar but more complicated attack. The attacker in this case impersonated one of the employees and sent an email to a customer informing them of a new set of bank account details for making payments. To mislead the customer, the hacker had even included the ongoing mail trail between the two companies, making it virtually impossible for the recipient to realise that the email was fake.
A forensic investigation of the systems of the users who were participants in the trail showed that the hacker had been spying on their activities for almost six months. This was done using malware which gave the hacker all the information he needed to understand the business, as well as to read emails and insert himself into email threads. When it was time for the customer to make the payment, the hacker recognised that the opportune moment had arrived and surreptitiously sent the fake email along with the mail trail. The customer therefore had no reason to doubt the communication and transmitted the payment to the fake bank account.
“Spear-phishing” – an emerging cyber issue
These two instances exemplify a few common variants of cyber-attacks that fall under the “spear-phishing” category, which is a growing concern for countries across the world. According to Kaspersky Securelist‘s Spam and Phishing report covering the period up to Q3 2015, there were more than 117 million phishing attempts worldwide.
Social media networks provide hackers with a ready-made database from which to choose their targets. Furthermore, lesser-known cloud services give perpetrators on-demand machines and infrastructure with which to conduct the crime. The credit cards used to purchase the cloud instance are usually stolen cards bought from underground online markets such as “Rescator”, making the purchase extremely difficult for law enforcement agencies to trace.
The impact of phishing on a business can be extremely severe, ranging from financial losses and reputational damage to leakage of personal and confidential data. The reactive actions of the IT team to contain the situation may also create confusion, access problems and downtime of critical services. According to recent statistics from the Federal Bureau of Investigation, the estimated loss due to these scams worldwide is as much as $1.2 billion. These indicators suggest that it is only a matter of time before a company is hacked. It is time organisations changed their mindset from reactive to pre-emptive and proactive in order to thwart these kinds of targeted attacks.
Pre-emptive measures being undertaken
Chief Information Security Officers (CISOs) who are even remotely aware of this modus operandi are implementing a four-fold strategy to thwart these kinds of attacks. This strategy includes:
a) Domain security – Identifying and purchasing any domain which looks visibly similar to their own domain name
b) Securing the email server – Enabling anti-spoofing features such as SPF (Sender Policy Framework) and email validation systems such as DKIM (DomainKeys Identified Mail)
c) Proactive assessment and monitoring – Continuous monitoring of the network for compromise and quick triage of systems to identify any signs of compromise
d) Phishing simulation – Simulating real-life phishing attacks on employees to keep them alert to these types of attacks
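The following script is an added example, not code from the original post or from EY, showing how measures (a) and (b) above translate into an inbound-mail check a security team could run: it flags sender domains that are visual lookalikes of the corporate domain (including the “m” to “rn” substitution described in the first case) and flags messages that claim the corporate domain but did not pass SPF or DKIM. The corporate domain `example.com`, the set of confusable character sequences beyond “rn”/“m”, and the three sample messages are all constructed assumptions for illustration.

```python
import re
import email.utils
from email import message_from_string

# Assumed corporate domain (placeholder, not from the original post).
CORPORATE_DOMAIN = "example.com"

# Character sequences that render alike in common fonts. The "rn" -> "m"
# pair is the trick described in the post; the rest are assumed additions.
CONFUSABLE_SEQS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o"))


def canonical(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    s = domain.lower().strip()
    for src, dst in CONFUSABLE_SEQS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, corporate: str = CORPORATE_DOMAIN) -> bool:
    """True when the domain is not ours but would pass for ours at a glance."""
    c, k = candidate.lower(), corporate.lower()
    if not c or c == k:
        return False
    return canonical(c) == canonical(k) or edit_distance(c, k) <= 1


def _domain_of(header_value) -> str:
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    ar = msg.get("Authentication-Results", "")
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", ar)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def triage(raw_message: str, corporate: str = CORPORATE_DOMAIN) -> list:
    """Return a list of findings for one inbound message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain_of(msg.get("From"))
    reply_dom = _domain_of(msg.get("Reply-To"))
    if is_lookalike(from_dom, corporate):
        findings.append(f"from-domain-lookalike:{from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    # Simplified alignment check: a message claiming our own domain in From
    # must carry passing SPF and DKIM verdicts from our receiving MX.
    if from_dom == corporate.lower():
        auth = auth_results(msg)
        if auth["spf"] != "pass":
            findings.append(f"spf-{auth['spf']}")
        if auth["dkim"] != "pass":
            findings.append(f"dkim-{auth['dkim']}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """From: Shephali <cfo@exarnple.com>
Reply-To: cfo@exarnple.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=none
Subject: Urgent payment

Please pay the attached invoice today.
"""

SAMPLE_SPOOFED = """From: Shephali <cfo@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Urgent payment

Please pay the attached invoice today.
"""

SAMPLE_CLEAN = """From: Shephali <cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Monthly meeting

See you on Friday.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(name, triage(sample))
```

Note that the lookalike message passes SPF: the attacker controls the fake domain and can publish any records he likes for it, so SPF and DKIM on your own domain (measure b) only stop direct spoofing of that domain, and the lookalike check (measure a) is what catches the “rn” variant. The alignment check here is deliberately simplified; a production deployment would rely on the DMARC verdict produced by the receiving mail gateway rather than re-deriving it from header text.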
While it is difficult for companies to eliminate every risk at their perimeter, it is necessary to implement measures that reduce the likelihood of such cyber-attacks succeeding. With cyber-crime methodologies evolving at an alarming pace, an all-encompassing awareness mechanism is crucial. Companies need to ensure that they remain consistently alert to the threat landscape. If not thwarted effectively, these types of attacks will inevitably grow and extend into new avenues.
Notes: *Names mentioned are fictitious and are to be considered examples only
- By Mukul Shrivastava, Partner, Fraud Investigation & Dispute Services, EY