This is a specific variation of spear phishing which is targeting large companies and SMEs, and more specifically the financial departments of these companies. This scam has been on the rise in Luxembourg over the past months.
A recent report from French law enforcement stated that more than 200 millions of euros have been stolen since 2010, using this well developed and effective technique.
The process used to achieve this type of fraud, which primarily affects but is not limited to larger companies, is technically not very difficult. It requires some research and a good portion of preparation in order to generate legitimate looking documents and the ability to sell a good story to the target.
The thief is specialized in social engineering, he analyses in-depth a company, from its status, business plan, internal communications, meeting minutes, bank details, organization chart, turnover to the contact details of every employee. This enables him to understand the general philosophy of a company, the vocabulary and language used internally and the general strategy.
“What happens next is a well-defined process that the attacker follows. They usually send well-crafted documents to one of the employees from the accounting or treasury department and pretend to be the Chairman or Managing Director of the company. The fake ‘President’ convinces the employee from the accounting department to do an urgent transfer of funds as soon as possible to Asian, English, Polish or Cypriot bank accounts. The reasons given are variations ranging from ‘you need to change the bank account of a supplier’ to ‘payment is due in order to cover an exceptional operation of the company’, explains Alexandre Dulaunoy from CIRCL. In addition, attackers more and more often register domain names very close to the ones targeted. ‘In contrast to the spoofed emails we used to see in the past, it enables the attacker to communicate with the target and even put more social pressure on the targeted victim via email in complement to phone calls.’, Alexandre Dulaunoy concludes.
In order to prevent such attacks, CIRCL recommends the following actions:
- Do regular security awareness trainings to your personal and ensure they know about such kind of attacks.
- Ensure that the accounting department is well aware of all the verification procedures for wire transfers, especially international transfers. Verify the digital signature procedures of wire transfers.
- Increase level of control when new bank details are recorded.
- Verify source email addresses and reply-to addresses.
- In case of doubt or suspicious emails, employee should contact their IT security staff or CIRCL.
- Transfer such email (including email headers) to your IT security staff or CIRCL.
If you were a victim of such an attack, CIRCL recommends the following actions:
- Contact immediately the bank of your organisation and the destination bank to block the fraudulent wire transfer.
- File a complaint with the local police or the “service de police judiciaire”.
- Contact CIRCL if you need technical support or advice related to IT security incidents.
In some of the past similar incidents, time is critical. An IT network security engineer in a company based in Luxembourg explains: “If an employee spots something unusual, we extract indicators (SMTP headers or email addresses). In this case, we checked our internal logs to see if the thief has tried to reach other employees within our organization. Contacting CIRCL helped to correlate more indicators from other targets. Finally, CIRCL supported us in the take-down of a server supporting the attack”.