The anatomy of a spear-phishing scam, or how to steal US $100M with a fake email

The email address used by the assailant was a dead giveaway that something was wrong.

A lawsuit filed on 14 April by Preet Bharara, US Attorney for the Southern District of New York, gives an insider's view of how frighteningly easy it is for a company to be duped out of a huge sum of money: in this case, almost $100 million (£70.4M).

The civil forfeiture lawsuit was filed in federal court in New York City and is being brought on behalf of an unidentified American company that was suckered out of $98.9 million (£69.6M) over a four-week period late last summer. Luckily, the majority of the money has already been recovered and this suit is specifically going after the remaining $25 million (£17.6M) that is being held in at least 20 overseas banks, according to court documents.

“This is more than twice as large as any reported loss that we have seen,” Ryan Kalember, senior vice president of Cyber-security Strategy, told SCMagazine.com in an email Friday.

What this case perfectly illustrates is the step-by-step process a criminal can take in implementing such a scam, and all of the warnings that were ignored by the victim.

Considering the massive pile of money involved, the scheme itself was extremely simple and is used by cyber-criminals every day, albeit normally to steal smaller amounts of plain old data. It was a classic spear-phishing attack.

According to Bharara's suit, the scam was initiated around 10 August 2015, when the victimised company received an email purportedly from an Asia-based vendor with which it had frequently done business in the past. The email in question carried the name D Talan, AR and was not received by the victim company itself. Instead it came to an email address set up and monitored by an outside firm hired by the victim to deal with its vendors and other payees.

The initial email from Talan simply asked for some background information regarding the vendor's billing history with the victim. This information was supplied on 11 August, and that same day the victim's payment partner received a follow-up email from Talan informing it that the “vendor's” banking information would be changing and asking who to contact at the victim company to make the change so that any payments would go to the correct account. On 17 August Talan gave the victim's payment partner the new account information, and it was entered into the victim's system.

Starting around 21 August the payment partner began sending a series of 16 payments to the new, fraudulent account as part of its usual business. All appeared to be going well until, on 14 September, both the victim and its payment company received word from the real vendor that it had not received any payments since 22 August, the day after Talan's account information was entered into the system.

A quick investigation ensued, and when Talan's email was studied it was quickly found to have several irregularities, including a @mail.md address instead of the vendor's corporate domain name. In addition, the .md domain indicated that the address was hosted in Moldova, far from the vendor's true location in Asia.

The final indicator that something was amiss was that the funds were deposited into a Eurobank facility in Cyprus, and not at a bank in the vendor's home nation.

If any of these indicators had been flagged from the start, the entire scam would have been stopped in its tracks.

“Employees should be suspicious if they receive a request for unusual information or a wire transfer via email, even if it appears to come from a high-level executive. Check the reply-to email address and always call to confirm. If a vendor changes their wiring instructions over email, call them to confirm. If the CEO requests a significant transfer that is unusual, call him or her to confirm it. If the email header has a warning from your email security system, such as a subject like [BULK] or [SUSPICIOUS], then contact the vendor directly on the phone, do not enter the invoice for payment,” Kalember said.
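The indicators described above (sender domain not matching the vendor's, a country-code domain that does not match the vendor's location, a new bank in a different country, and a security tag in the subject line) can be checked mechanically before a bank-detail change is entered. The following is an added example, not code from the article or from any company it quotes; the vendor record fields and the message apart from the display name and @mail.md domain are constructed.

```python
import re

# Constructed vendor master record (hypothetical fields), standing in for the real vendor.
VENDOR = {"domain": "example-vendor.example", "country": "SG", "bank_country": "SG"}

# Constructed message modelled on the one described in the lawsuit: the display
# name and the @mail.md domain are from the case; the remaining values are made up.
MSG = {
    "From": '"D Talan, AR" <d.talan@mail.md>',
    "Reply-To": "d.talan@mail.md",
    "Subject": "[SUSPICIOUS] Updated banking information",
    "new_bank_country": "CY",
}

# Small ccTLD -> ISO 3166 country map; enough for this example.
CCTLD_COUNTRY = {"md": "MD", "cy": "CY", "sg": "SG", "ee": "EE"}

def domain_of(header):
    """Extract the domain from a From/Reply-To header, with or without a display name."""
    m = re.search(r"<([^>]+)>", header)
    addr = m.group(1) if m else header
    return addr.strip().rsplit("@", 1)[-1].lower()

def check_bank_change(msg, vendor):
    """Return the indicators that justify holding the change and phoning the vendor."""
    flags = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To") or msg.get("From", ""))  # replies go to From if no Reply-To
    if sender != vendor["domain"]:
        flags.append(f"sender domain {sender} is not the vendor's {vendor['domain']}")
    if reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    tld = sender.rsplit(".", 1)[-1]
    cc = CCTLD_COUNTRY.get(tld)
    if cc and cc != vendor["country"]:
        flags.append(f"sender ccTLD .{tld} points to {cc}, vendor is in {vendor['country']}")
    new_cc = msg.get("new_bank_country")
    if new_cc and new_cc != vendor["bank_country"]:
        flags.append(f"new bank is in {new_cc}, vendor banks in {vendor['bank_country']}")
    if re.search(r"\[(BULK|SUSPICIOUS)\]", msg.get("Subject", ""), re.I):
        flags.append("mail security system tagged the subject line")
    return flags

def decision(msg, vendor):
    """Bank-detail changes always need a call-back; flags decide whether to escalate."""
    flags = check_bank_change(msg, vendor)
    return ("hold and escalate" if flags else "hold pending call-back", flags)
```

Even a message with no flags still results in a hold, because the advice quoted above is to confirm every change of wiring instructions by phone regardless of how the email looks.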

A US magistrate working with Eurobank quickly froze the Cypriot account, stopping about $74 million (£52M) of the stolen money from moving out.

This was an extremely lucky and somewhat rare occurrence, as most wire transfers, once completed, are tough to reverse.

“Recovering money can be difficult if sent by wire, as the transaction may be irreversible within a short time window. There have been many variations of these scams in the past and they have been going on for some time. Luckily, international law enforcement has been taking note of these scams to better monitor, mitigate the financial losses and arrest the criminals responsible,” Terrence Gareau, chief scientist of Nexusguard, told SCMagazine.com in an email.

The victim was not so lucky with its remaining funds because the bad guys had almost immediately moved them from Eurobank and spread them around to 19 other banks to help duck authorities.

The court document did indicate that US authorities know where those accounts are located, with one being in Estonia.