A company in the United Arab Emirates has lost $53,000 (£42,000) after falling for an elaborate phishing attack.
Dubai-based Cheers Exhibition became a victim when cyber-criminals hacked into its email system to trick customers into wiring money to a bank outside the UAE with a spoof email address.
Binu Manaf, CEO and managing director of Cheers Exhibition, told Gulf News that he didn’t realise the company was a victim of a phishing attack until one of his clients enquired if he had sent out emails seeking payments into an overseas account instead of a local bank in Dubai.
"That set the alarm bells ringing because we hadn’t sent out any such email," Manaf told the publication. "As it turned out, our email had been hacked. Unknown to us, a cyber-criminal had been scouring through all our correspondence containing details of ongoing contracts and outstanding payments."
Manaf said that the fraudster had familiarised themselves with the business' operations and created a spoof email address. They took the company’s actual email of email@example.com and replaced with the letter ‘i’ with the letter ‘l’.
Using the firstname.lastname@example.org email, the fraudsters contacted the victim firm’s clients and requested payment to Nordea Bank in Finland.
As the clients failed to spot the slightly different email address, $53,000 was transferred to the criminals. Manaf said that the hacker also spoofed the email addresses of his accountant and managing partner to make the emails appear genuine. Fraudsters even copied email signatures, business logos and invoices.
"This is a prevalent form of Business Email Compromise and these threats are highly targeted and rely on social engineering rather than malware, meaning that such imposter emails often evade security solutions that look only for malicious content or behaviour," said Bindu Sundaresan, director, AT&T Cybersecurity.
A Chinese client alerted the firm to the criminal activity. Manaf said had this not happened, more money would have been lost.
"In this attack, the bad actor had the time to trawl through previous company emails to gain an understanding of the target’s business," observed Peter Draper, EMEA technical director at Gurucul.
"The more time hackers are allowed unhindered access to email systems the more creative they can become with their targeted emails."
"I have little hope of recovering my money as it’s been remitted to a bank in Europe where the fraudster had opened an account in Cheers Exhibition’s name," Manaf said.
Gavin Millard, VP of Intelligence at Tenable, told SC Media UK that the act the email was hacked in the first place, points less towards a sophisticated attack and one of opportunity and persistence.
"The initial weakness being the lack of two factor authentication or a flaw in the email service that could be exploited. Email is a critical business tool that needs to be protected as such, continuously identifying flaws that could be exploited to ensure only permitted users can gain access," he said.
"Whenever dealing with transfers of large sums, any change to the norm should be questioned and validated by multiple communication methods and educating everyone that handles payment to fraudulent approaches."
Technology alone cannot offer effective protection, noted Sundaresan.
"One of the key measures is raising security awareness across the users on how to spot spoofed emails and phishing attempts should be part of EVERY company’s security programme. In addition to investing in an advanced email filtering system, organisations should also bolster the process steps," she said.
Barracuda Networks’ pre-sales manager, UK&I, Steven Peake, told SC Media UK that there are a few ways you can prevent or mitigate such attacks.
"Firstly, by taking advantage of artificial intelligence that deploys technology that doesn’t simply rely on looking for malicious links or attachments, as attackers are increasingly bypassing these tactics," he said.
"Secondly, implementing DMARC authentication and reporting into your organisation, as it can help stop domain spoofing and brand hijacking as well as utilising multi-factor authentication in your organisation, passwords alone are no longer enough to keep cyber attackers out."
"Two-way verification helps companies to solve the problem of this type of financial fraud by implementing a company-wide policy of approving transactions before the funds’ transfer," agreed Sundaresan.
"Also, companies should have a two-person check process in place so that one person can't make a new payment without a colleague verifying the authenticity of the payment."
"Beyond implementing tools, consistent behaviours can help thwart phishing and, in this case, whaling attacks," noted Aaron Zander, head of IT at HackerOne.
"When CEOs sit in an ivory tower or are known to make rash and unplanned requests, they can also be impersonated more easily, even to those employees that know them well. On the other hand, the actions of a CEO that is approachable and interactive are better known to their clients and colleagues, so an unexpected money transfer request is more likely to be identified and flagged as suspicious," he added.