Wire Fraud Just Got More Challenging
FFIEC Controls Do Little to Prevent New Non-Tech Attacks
A $46.7 million business email compromise scheme that targeted Ubiquiti Networks Inc. shows just how little cybercriminals have to do to fool employees into unknowingly committing wire fraud.
Ubiquiti, a wireless networking technology provider, announced last week that it had been targeted by an email impersonation scheme that convinced employees in its finance department to fraudulently schedule wire transfers to overseas accounts.
Ubiquiti's case is a classic example of emerging business email compromise attacks, which federal authorities in June warned were expected to cause more than $1 billion in fraud losses before the end of the year (see Biz Email Fraud Could Hit $1 Billion).
"Criminals have figured out that technical attacks are not needed," says Dave Jevans, chairman of the Anti-Phishing Working Group and vice president of mobile security at cyberthreat defense firm Proofpoint. "Today they simply do a very good job of social engineering, and convince the finance department to send money to the criminals using all the standard controls and protocols."
The New Wire Fraud
In a typical business email compromise, an organization's accounting department receives a fraudulent email from one of the company's C-level executives requesting an urgent wire transfer. The email fools the employee who receives it because it appears to be coming from the executive, when it actually is coming from a fraudster.
Fraudsters mask their identities by taking over the executive's corporate email account or by sending the email request from a spoofed domain that closely resembles the corporate email domain. And because of the urgency of the request, the employee is fooled into skipping standard protocols for confirming wires with a phone call or in-person follow-up before sending the money out.
Experts say these attacks do not involve technology, which makes them extremely difficult to thwart.
Unlike the account takeover attacks of six years ago that compromised companies such as PATCO Construction and Choice Escrow Land Title with malware to steal online banking credentials and schedule fraudulent wires, business email compromises involve no malware at all.
Thus, all of the anti-malware and authentication enhancements banking institutions invested in four to five years ago to ensure conformance with the Federal Financial Institutions Examination Council's updated authentication guidance do nothing to prevent wire fraud perpetrated via business email compromise.
"Account takeover has evolved from mass email consumer takeovers - aimed at compromising PayPal, eBay, Facebook and consumer bank accounts - to targeted attacks against companies," Jevans says. "We saw it become highly technical about six years ago, with man-in-the-browser Trojans such as Zeus, which attempt to defeat two-factor authentication."
But John LaCour, CEO of online security firm PhishLabs, says that even though these compromises are not quite so technical, many wire fraud losses could be avoided by following the basic procedures for transaction verification noted in the FFIEC's guidance. The problem is that in these most recent incidents it is the commercial customer, not the bank, that is bypassing the controls.
This is why customer education is so important, LaCour says.
"Included in the FFIEC guidelines is a section on security awareness training and overall culture," he says. "These guidelines are designed to help shape policies that ensure the right approvals and verifications are in place. These wire-fraud schemes are designed to trick people into making exceptions that deviate from policies and standard practices, and a security-vigilant culture takes time. Organizations need to ensure that tighter controls are in place before money goes out the door."
Ubiquiti notes in an Aug. 6 Securities and Exchange Commission filing that its compromise "involved employee impersonation and fraudulent requests from an outside entity targeting the company's finance department."
By the time the scheme was detected June 5, Ubiquiti's finance department had already transferred millions of dollars in funds held by a corporate subsidiary based in Hong Kong. The funds were sent to other overseas accounts held by third parties, Ubiquiti says.
So far the company has been able to recover $8.1 million; an additional $6.8 million, which Ubiquiti says it expects to recover, is currently subject to legal injunction.
"The company is continuing to pursue the recovery of the remaining $31.8 million and is cooperating with U.S. federal and numerous overseas law enforcement authorities who are actively pursuing a multiagency criminal investigation," Ubiquiti notes.
Since discovering the fraud, Ubiquiti says it has implemented enhanced internal controls over financial reporting, and is in the process of implementing additional procedures and controls.
Other firms have reportedly been victimized by the same type of scheme, according to a blog about emerging business email compromises posted by Bank of the West.
Internet money-transfer firm Xoom Corp. announced in January that it had lost $30.8 million to a scheme that sounds like business email compromise, the blog notes. And Irish airline Ryanair in April disclosed that it lost $5 million to a similar attack.
Better Email Controls
Beyond the social-engineering piece, experts agree that another reason business email compromise is so successful is that most companies don't have mechanisms in place to trap or catch spoofed email domains.
"Spam filters are inadequate," Jevans says. "They look for mass emails. Targeted attack protection is a completely different technology, which must be adopted by companies."
Targeted attack protection looks at individual emails, email attachments and links, Jevans adds. "It examines the reputation of sending domains," he says. "It looks for potentially spoofed or cousin domains. It filters on internal emails that are actually being sent from external servers."
The downside is that targeted attack protection delays email delivery by several minutes. "But this is clearly worth it, when you consider the risks," Jevans says.
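Two of the checks Jevans describes, cousin-domain detection and flagging "internal" mail that arrives from an external server, can be expressed as follows. This is an added example, not code from the article or from any vendor product; the domain acme.example, the 10.0.0.0/8 internal range and the client_ip argument (the connecting server's address as recorded by the mail gateway) are assumptions, and the sample messages are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "acme.example"                          # assumed corporate domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal mail relays
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(domain):
    """Collapse common look-alike character substitutions."""
    domain = domain.lower()
    for fake, real in LOOKALIKES:
        domain = domain.replace(fake, real)
    return domain

def classify(raw_message, client_ip):
    """Return 'ok', 'cousin-domain' or 'internal-from-external'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    from_inside = any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS)
    if domain == CORP_DOMAIN:
        # Our own domain in From, but handed over by an outside server.
        return "ok" if from_inside else "internal-from-external"
    if fold(domain) == fold(CORP_DOMAIN) or edit_distance(domain, CORP_DOMAIN) <= 2:
        return "cousin-domain"
    return "ok"

# Constructed sample messages: (raw message, connecting server IP)
SAMPLES = [
    ("From: CEO <ceo@acme.example>\nSubject: Q3 numbers\n\nSee attached.", "10.1.2.3"),
    ("From: CEO <ceo@acme.example>\nSubject: Urgent wire\n\nToday.", "203.0.113.7"),
    ("From: CEO <ceo@acrne.example>\nSubject: Urgent wire\n\nToday.", "203.0.113.7"),
    ("From: Alice <alice@partner.example>\nSubject: Invoice\n\nHi.", "198.51.100.9"),
]

if __name__ == "__main__":
    for raw, ip in SAMPLES:
        print(classify(raw, ip), "<-", raw.splitlines()[0])
```

Legitimate third-party services that send on behalf of the corporate domain would trip the internal-from-external check and need an explicit allowlist of their servers.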
Mark Wolters, a research analyst and consultant with cybersecurity and forensics firm SecureState, says email spoofing is common, and spoofed domains are well designed and researched to appear legitimate to spam filters.
Ultimately, he says the best solution is to ensure that companies follow protocols for wire approval.
"As long as transactions are allowed to occur based off of solely email, this type of attack will remain popular," Wolters says.
Companies need to spend time on user education, he adds. "Social engineering is a low-hanging fruit and is one of the most successful attacks," Wolters says. "Given the ease of these types of attacks, they will continue to occur."
Email Compromise in Public Sector
Concurrent with email woes in the private sector, a new report alleges that Chinese spies have hacked into the private email accounts of top Obama administration officials (see Report: China Spies on Private Emails).
"We know that malicious actors often target personal email accounts of government and business leaders across the United States," a senior administration official says. "That's one of the many reasons why we believe it is important for not only government and private sector companies but also individuals to improve their cybersecurity practices and why this administration is working hard to raise our cyber-defenses across the board."