Andy Norton, director of threat intelligence at Lastline adds: "This is a pretty low tech attack where the criminal sets up lookalike domains to the University, the premise is similar to a Business Email Compromise attack, except that, impersonation not compromise has taken place. The best defence for organisations Is to have robust policies and procedures that ensure a second pair of eyes validates business transactions and the shipment of goods, services or payment."
Companies supplying universities have been warned that fraudsters are faking domain names of educational institutions to defraud victims out of vast sums of money.
According to Action Fraud, this type of fraud, known as European distribution fraud, happens when a company from overseas (usually from Europe) delivers products to the UK, but isn’t paid for the goods or the cost of shipping.
Fraudsters imitating one university’s address lead to a total victim loss of over £350,000.
Fraudsters are registering domains that are like genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk. These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name.
Suppliers will receive an email claiming to be from a university, requesting a quotation for goods on extended payment terms. Once the quotation has been provided, a purchase order is emailed to the supplier that is similar to a real university purchase order. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.
Director of Action Fraud, Pauline Smith, said this type of fraud can have a serious impact on businesses.
"This is why it’s so important to spot the signs and carry out all the necessary checks, such as verifying the order and checking any documents for poor spelling and grammar," she said. "We know that there is a lack of reporting by affected companies and without this vital intelligence, a true picture of EDF cannot be reflected."
Action Fraud urged businesses to ensure that they verify and corroborate all order requests from new customers. They should also use telephone numbers or email addresses found on the retailers website and not use the details given on the suspicious email for verification purposes.
If suppliers receive an order request from a new contact at an organisation that’s an existing customer, they should verify the request through an established contact to make sure it is legitimate. Action Fraud said that poor spelling and grammar is often a sign that fraudsters are at work.
Kevin Bocek, chief cybersecurity strategist at Venafi, told SC Media UK that universities and other businesses affected by this scam are certainly not alone – "spoofing sites is now big business".
"Last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cyber-criminals, allowing them to appear trusted so that they can trick unsuspecting businesses out of huge sums and damage brand reputations across the internet," he said.
Adenike Cosgrove, cybersecurity specialist, EMEA, Proofpoint, told SC Media UK that to defend against threats that spoof legitimate domains, it is critical that organisations use authentication to safeguard their email communications to customers, partners and their own employees.
"When implemented, Domain Message Authentication Reporting and Conformance (DMARC) is a significant barrier to cyber criminals who are attempting to impersonate trusted figures within organisations. It stops criminals from spoofing businesses’ domains and sending emails on their behalf to unsuspecting recipients. Without DMARC, cyber-criminals have a powerful tool to lure employees of the organisations into accidentally opening the door to a hack, fool business partners, and trick any unsuspecting individual into giving away information that can have substantial consequences," he said.