“Three million euros is a lot of money to you and I,” says F-Secure’s Janne Kauhanen. “Something was very, very wrong.”
This is the story of a cyber attack. It was purely a combination of luck and post-incident security astuteness that foiled the fraudsters.
Thieves targeted an investment company as they were making a payment at the closing of a deal. Two payments were supposed to be sent; only one had arrived.
What sparked the alert was the standard of Finnish in the cover letter. It had been translated badly, and multiple versions of the payment information had been sent from the employee’s email account until this was finalized. Two of the emails were re-sent as is, but the language had been changed in the third.
“There was only a couple of minutes’ gap between the email info being sent,” explains Janne Kauhanen, Information Security Expert at F-Secure, “on three occasions, and within the course of a few hours. Someone else masquerading as an employee re-sent the same message from employee’s Office365 account.”
One bank account number of many was changed in a large Excel file. But it was that particular one that concerned the three million euro transfer.
The investment firm’s lawyers contacted F-Secure’s experts. Principal Risk Management Consultant Marko Buuri and his forensic team started building a timeline to verify what happened. The investigation showed that that employee’s Office365 email account had been hacked about a month before the incident.
“Their account was breached after getting what looked like a genuine email about a parcel delivery. In reality, it turned out to be a phishing campaign using a well-known global company as bait,” says Marko.
Unfortunately, two-factor authentication (2FA) was not being used at that time – though the company has since implemented this following advice from F-Secure. Firms are typically not very familiar with how easy it is to lose control of Office365 accounts.
“We don’t know all of the background discussions they’ve had about 2FA or the risk decisions they’ve made, but companies typically opt out of this for two reasons,” comments Janne.
“Firstly, it will cost more, because this makes Microsoft licenses more expensive. Then, you need to train your people and provide guidance and support when you set it up. It’s hard to set up, and there’s inconvenience for users involved.”
“The password was gone”
The cyber criminals also tried to fool other people at the firm, but their efforts failed. Janne explains that “personnel often don’t realize that these types of phishing campaigns could lead to this.”
“They’re not typically mindful of password reuse either, e.g. when their employees use passwords somewhere else and those services get breached. What we are seeing now is that the attackers take those dictionaries and run them against corporate accounts. Some of them will always get breached,” adds Marko.
Phishing is still number one way that these types of attacks occur.
“The employee clicked on the DHL link in the email and opened a page. It looked like an ordinary Office365 sign-in one. A typical user can’t detect any visual difference between this and the correct login form. Once the employee typed in credentials, the password was gone. It’s a mistake that most of us could make,” Janne Kauhanen relates.
F-Secure analysts went through emails between the investment company and the bank. They also examined the employee’s Office365 in the cloud service’s security logging activities and the hardware they used.
“We investigated the laptop just in case there were any keyloggers. This is because it would have been speculative to say at that point that this just happened due to phishing without looking at the PC,” explains Marko Buuri. “We were able to reconstruct the user’s activity from the web browser. It showed that they did open that email and entered the credentials there.”
That is when investigators could confirm that this actually happened.
“Moreover, we had to assume that all the user’s emails amassed during their 2.5-year tenure were lost. The emails also contained others’ personal information such as names, email addresses, and contact details. But there were also scanned passports because the job required this. We had to assume that was all gone.”
This particular person was targeted because the cyber criminals had correctly identified that employee’s role in the company. One of many services used for this is LinkedIn, where email addresses can often be deduced from the company’s LinkedIn address.
Once an account has been breached, attackers can go through discussions to try and identify really interesting ones then hoodwink people from there.
“For example, the attackers could find a recent discussion between the parties and reply to it, building on the mutual trust between them. The parties know they had the conversation. You recognize the topic. You’ll always check out a link if they provide one because you remember having a conversation about it,” Janne explains.
The weakest link
F-Secure’s experts also provided the company with instructions as to how to verify whether other accounts had been breached.
“We advised them to go through all their other employees’ Office365 accounts and look for a certain type of settings on them. This would be a strong indication that those accounts have also been breached if these were present,” says Marko.
No evidence of this was found, but personnel were told to reset their passwords and warned not to click a link in an email if they got one in order to try and contain the situation.
“They followed our instructions. It was sound advice because the employee got the same email again immediately after resetting the password. So someone was trying to regain access,” explains Marko.
He adds that the company has nothing to be ashamed of, and that nobody is blaming the employee.
“You’ll always get through to a human being,” Janne Kauhanen says.
The incident raises curious questions, though. One is why was Excel being used for this type of transaction?
“Excel spreadsheets sent over unencrypted email is the way that these things [money transfers] are done. Nobody bats an eyelid at it. Perhaps these companies with millions and millions of euros need a better way to do things than just via email,” says Janne.
The thieves had done their preparation, waiting patiently for the right kind of information to surface in order to commit the crime. They were sitting online, constantly monitoring the emails.
They had masked their identity, though Marko explains that his team “knows that the multiple IP addresses which were used to gain access to hacked account belonged to a Nigerian ISP provider.”
“Of course, we can’t say who the attackers were or even if they were in Nigeria. They could have used breached computers from this ISP belonging to a certain Nigerian ISP address range. Unless these guys used multiple breached computers, it looks like they came in using this ISP.”
Fortunately, the company was able to recover the three million euro transfer within a matter of hours because the remittance and payment currencies were different. The money was frozen in a holding account while the FOREX transaction was taking place.
“The cyber criminals nearly got away with it,” concludes Marko Buuri.