
A fraudster got $12M out of a Canadian university - endorphone
https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html
======
walrus01
This is why all staff, whether at a corporation, nonprofit or government that
handle money should be put through a two hour anti-phishing training course.
There's lots of good free training material out there.

There are also services which you can hire. You give them a list of staff
emails, and they send test phishes to everyone. Those who respond or click on
links (there's a GUID in each phish) can be sent for further remedial
training.

As a person that's been seeing and analyzing spurious SMTP traffic since 1993,
this stuff seems obvious, but there's a lot of blithely ignorant people out
there in administrative roles.

~~~
scott_s
While I think everyone should be aware of phishing, I don't think any amount
of education can reliably prevent this sort of fraud. I see this fundamentally
as a process problem, as I assume email was a common way of changing payment
information. Email needs to be taken out of the loop.

~~~
na85
I disagree. Taking email out of the loop is a technical solution to a problem
that is inherently social, not technical.

~~~
scott_s
I don't see it as a technical solution, but fixing a broken _process_.

~~~
na85
But the process is broken by people not realizing that invoices are
fraudulent. The method of delivery, be that email or some other system, is
completely orthogonal.

Running their invoices through SAP or having gpg signed pdf invoices or using
more node.js would not help because all of those solutions fail to address the
fact that people are dumb and need to be trained to avoid scams.

~~~
hunter2_
If a (insert centralized service here) friend tells me about a change of
plans, and I know that messages with that contact were successful in the past,
then plans indeed changed because it's spoof-proof so long as you didn't make
friends with two accounts that end up sharing a name and so long as the sender
didn't fall victim to phishing of creds.

If an email from a contact comes in, the from/sender headers can be spoofed
without anyone having fallen victim yet, so maybe plans didn't really change.

Yes there are social aspects but there is also this plainly technical aspect.

~~~
na85
All you've done is moved the problem from your organization to theirs.

Phishing can still pwn you.

~~~
hunter2_
True, but making credential theft a prerequisite is helpful.

------
PaulHoule
I get incomprehensible bills from the hospital whenever I get a test or see a
physical therapist, etc. Sometimes I get bills about a service that happened 2
years ago, don't remember what the service was, and it seems they can't tell
me because that would violate my privacy or something.

I've always wondered if I sent an invoice to the hospital for unspecified
services if they'd pay it.

~~~
JumpCrisscross
> _they can't tell me because that would violate my privacy or something_

If someone can't tell you why you owe a bill, don't pay it. If they can't tell
you, they can't tell a court.

~~~
Wingman4l7
The thing is, they probably could tell the court, if it came to that
_(nevermind that most people couldn't afford the time or money to take it
that far)_. Just because someone isn't being candid about _why_ you owe them
money, doesn't mean you don't still technically owe them money in a way that
can be proven. I don't know if a judge would have the discretion to waive a
debt that wasn't fairly "divulged".

~~~
brokenmachine
Perhaps a good tactic would be to ask them in writing what the bill is for.

------
sjroot
Apologies if it was mentioned in the article, but I am curious as to _how_ the
original attacker acquired the information needed for spear phishing.

I suppose business dealings between the university and contractors is public
to some extent, but it seems plausible that this attack came from within the
university or the contractor.

~~~
crescentfresh
This was the real breach. Bank account numbers, company letterhead, the CFO's
signature, these were all gathered before any attack took place!

~~~
bt3
Bank account numbers weren't leaked - the scammers simply requested the
payments be rerouted to a different account. The letterhead could likely be
easily reverse engineered, and I doubt the University rep knew what to look
for, and the CFO's signature also doesn't carry any weight - any decent
signature font could duplicate that signature (especially a digital one).

I agree with the original comment - how did these scammers gain the knowledge
that these transactions were ongoing, and know exactly who to target?

~~~
scott_s
If you know that a university is doing construction, then you know they're
paying _someone_. It's not hard to know a university is doing construction
because it will be reported on, they will have had to gain permission to do
so, and you can just drive by and see the construction. Once you know that,
then you just need to figure out the name of the companies involved. That
should be simple: often construction companies will put up a sign, or you can
just ask some people on site.

That's assuming no prior knowledge, in which case it would be even easier.

------
neom
As a side note, this is really great journalism.

------
Scoundreller
> Yangjiang City Jixie Zhulu Engineering made four payments to the Mas
> totalling ¥6.7 million, which would have been worth approximately $1.2
> million. In August, Hoi Fu Enterprises received three wire transfers
> totalling $1 million.

Interesting to see that a dollar in Canada is worth 16.7% more than the same
dollar in China.

And that was for a deal that was too good to be true. I wonder what the real
going rate is for getting large amounts of funds out of China.

~~~
walrus01
China has really strict controls on the amount of money that a Chinese citizen
can legally wire transfer out of the country, to a foreign domestic bank
account, per year. People have come up with all sorts of "creative" grey and
black market things involving Vancouver real estate and BC casinos. Google
"china money laundering BC" for news about it.

~~~
grawprog
Ya... a coworker of mine recently had to return to China to bring his
retirement money back to Canada. I'm not sure of the details of how he went
about doing that. Does the limit apply to physically bringing currency back
also? I'd ask my coworker but he doesn't speak English and I don't speak
Cantonese.

~~~
Scoundreller
I understand that there’s a yearly limit on how much you can bring over per
person.

Lots of evasion tactics:

hiring mules to use their limits.

finding someone that needs to send money to China, then you can make 2
domestic payments and everything is settled.

Buying goods in China for export, then accepting payment into your western
accounts.

------
nerdponx
_They quickly discovered that while the email appeared to have been sent by
“accounts.recievable@clarkbuilders.com” the email address had been “spoofed.”
The display name of the email was different than the actual originating
account._

Isn't this glaring security issue trivially fixable from the perspective of an
email client developer?

~~~
wmf
No, because SMTP "accounts" are trivially spoofable as well. (Edit: Although
you wouldn't want to spoof that if you need to get replies, so maybe there is
something the client can do here.) Maybe you could try to do some kind of
trust-on-first-use on the chain of Received headers but that's going to
generate false positives.

~~~
endorphone
We do have several solutions in place for that, though. SPF, DKIM, among
others. If this University were running on gmail I suspect this email would
have been flagged for phishing (the builder did publish an SPF record), or
outright rejected. However they run their own email servers[1].

[1] - They could of course do the same checks and even more, but among self-
hosted installs it is common to disregard those additional securities.
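To make concrete what an SPF check does and does not decide, here is a minimal RFC 7208 evaluator, added as an example and not code from the university, Clark Builders or anyone in the thread. It handles the ip4/ip6/all mechanisms offline; mechanisms that need DNS (include, a, mx, and so on) are reported as temperror rather than resolved. The two records are constructed for illustration and are not the real DNS records of either domain. The last pair of checks shows the limit that matters in this case: SPF authenticates the domain the mail claims to come from, so a forged `clarkbuilders.com` from an unlisted address fails, while mail from an attacker-registered `clarkbuilders.us` that publishes its own record passes.

```python
"""Minimal SPF (RFC 7208) evaluator for the ip4 / ip6 / all mechanisms.

Added example; not code from the university, Clark Builders or anyone in
the thread. RECORDS below are constructed for illustration and are not
the real DNS records of either domain.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def spf_check(sender_ip: str, record: str) -> str:
    """Evaluate one SPF record against the connecting IP.

    Returns an RFC 7208 result: pass, fail, softfail, neutral, none or
    permerror. Mechanisms that need DNS are not resolved here and yield
    temperror, the result a checker gives when a lookup cannot complete.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        if name in DNS_MECHANISMS:
            return "temperror"               # offline: cannot resolve
        return "permerror"                   # unknown mechanism
    if redirect:
        return "temperror"                   # would need to fetch the redirect target
    return "neutral"                         # nothing matched and no 'all' (RFC 7208 section 4.7)


# Constructed records (NOT the real DNS of either domain). The .us record is
# the attacker-controlled lookalike from the thread, publishing its own IP.
RECORDS = {
    "clarkbuilders.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "clarkbuilders.us": "v=spf1 ip4:198.51.100.77 -all",
}


def check_envelope_sender(mail_from: str, connecting_ip: str,
                          records: dict = RECORDS) -> str:
    """Look up the MAIL FROM domain's record and evaluate it."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    return spf_check(connecting_ip, record) if record else "none"


if __name__ == "__main__":
    ip = "198.51.100.77"
    print("forged .com   ->", check_envelope_sender("accounts.receivable@clarkbuilders.com", ip))
    print("lookalike .us ->", check_envelope_sender("accounts.receivable@clarkbuilders.us", ip))
```

The two-result output is the whole point: SPF tells the receiver that the `.us` domain's owner authorised that server, not that the `.us` domain is the vendor you think it is. That second question is what DMARC alignment plus a known-vendor list, or a human, still has to answer.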

~~~
nerdponx
What about PGP? No signature, immediate red flag.

------
drewg123
_MacEwan was in the midst of constructing the $180-million Allard Hall: a
state-of-the-art building boasting music studios and dance halls with room for
1,800 students_

Why does a college need a building that costs a large fraction of a billion
dollars? Early this week we had an article about college education costs being
one corner of the "Bermuda triangle" of personal finance. Out of control
spending on new, shiny things is part of the problem, I think.

~~~
wk_end
It’s not clear to me that $180 million is an unreasonable amount of money to
spend on a state-of-the-art building with multiple music studios and dance
halls, necessary for music or dance programs that the school (presumably)
offers. Between the tuition the students pay, grants from government, and
potential commercial use of the space (for concerts, shows, etc.) it’ll likely
pay for itself soon enough.

Also bear in mind - while still pricy, higher education in Canada is leagues
cheaper than in the US. My degree from UofT - usually internationally ranked
among or at least near the Ivy Leagues - was about $5000 a year.

So I’m not sure this belongs in the same category of educational institution
excess or Bermuda Triangle of finance stuff you’re talking about.

~~~
ta2121
>it’ll likely pay for itself soon enough.

That's the problem though, right? "Paying for itself" means students paying
higher costs, which is the problem.

~~~
bagacrap
Only the students who feel the need to attend a university with state of the
art facilities.

~~~
warent
Unfortunately it's not such an easy decision when businesses value degrees
more from universities with state of the art facilities.

------
JumpCrisscross
> _while the email appeared to have been sent by
> “accounts.recievable@clarkbuilders.com” the email address had been
> “spoofed.”_

That's not how you spell "receivable."

------
axilmar
The technical solution is easy and it is the same solution as when we make
bank transactions online: one time pin codes.

If another company wants you to send payments to another bank account, then
you mail back the received pin code to that other company via another known
email account.

If the known email account responds that the pin is legit, then go ahead and
change the payment details.

Also, before changing the payment details, do send a small amount first, have
it confirmed with the other company and then proceed with the test of the
payment.
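The out-of-band confirmation axilmar outlines, written up as an added example (not the university's process and not code from anyone in the thread). `VendorRecord`, `PayeeChangeDesk` and the sample vendor data are constructed names. The code for a requested change is sent only to the contact that was on file before the request arrived, must be confirmed back through that same channel, is single-use, expires, is compared in constant time and is abandoned after a few wrong guesses. As na85 notes, this does not help if the vendor's on-file mailbox is itself compromised; it does defeat a spoofed or lookalike sender, which is what happened here.

```python
"""Out-of-band confirmation for a vendor's bank-detail change.

Added example; not the university's process and not code from anyone in
the thread. VendorRecord, PayeeChangeDesk and the sample vendor are
constructed names/data.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 3


@dataclass
class VendorRecord:
    name: str
    account: str
    contact: str        # channel on file BEFORE any change request arrived


@dataclass
class PendingChange:
    new_account: str
    code: str
    expires_at: float
    sent_to: str        # where the code went: always the on-file contact
    requested_via: str  # who asked; kept for the audit trail only
    attempts: int = 0


class PayeeChangeDesk:
    def __init__(self, vendors, clock=time.time):
        self.vendors = {v.name: v for v in vendors}
        self.pending: dict[str, PendingChange] = {}
        self.clock = clock  # injectable so expiry is testable

    def request_change(self, vendor_name: str, new_account: str, requested_via: str):
        """Stage a change and return (code, contact). The caller delivers the
        code to `contact`, never back to `requested_via`: the request may have
        come from a spoofed or lookalike address."""
        vendor = self.vendors[vendor_name]
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[vendor_name] = PendingChange(
            new_account, code, self.clock() + CODE_TTL_SECONDS, vendor.contact, requested_via)
        return code, vendor.contact

    def confirm(self, vendor_name: str, code: str, via: str) -> str:
        """Apply the staged change only if the code comes back, unexpired, on
        the same channel it was sent to. Returns a short outcome string."""
        pending = self.pending.get(vendor_name)
        if pending is None:
            return "no_pending"
        if self.clock() > pending.expires_at:
            del self.pending[vendor_name]
            return "expired"
        if via != pending.sent_to:
            return "wrong_channel"
        if not hmac.compare_digest(code.encode(), pending.code.encode()):
            pending.attempts += 1
            if pending.attempts >= MAX_ATTEMPTS:
                del self.pending[vendor_name]
                return "locked"
            return "bad_code"
        del self.pending[vendor_name]                    # single use
        self.vendors[vendor_name].account = pending.new_account
        return "applied"


if __name__ == "__main__":
    desk = PayeeChangeDesk([VendorRecord("Clark Builders", "OLD-0001", "ar@clarkbuilders.com")])
    code, contact = desk.request_change("Clark Builders", "NEW-9999",
                                        requested_via="accounts.receivable@clarkbuilders.us")
    print(desk.confirm("Clark Builders", code, via="accounts.receivable@clarkbuilders.us"))  # wrong_channel
    print(desk.confirm("Clark Builders", code, via=contact))                                 # applied
```

The attacker in this story controlled the `.us` mailbox that asked for the change, so under this scheme the code would have gone to the `.com` contact on file and the attacker could never present it from the right channel. axilmar's follow-up step, a small test payment confirmed with the vendor before the balance, sits naturally after `confirm` returns `applied`.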

------
pythonaut_16
This seems like a place where physical security keys could have been useful.

Any invoice would be expected to be signed using a physical security key. The
University or a trusted third party would have a list of vendor keys, signed
by the university's master key.

Any request to change account details or for payments would require a new
signed invoice. Then any user receiving such an email could easily see if the
invoice had been signed by a person who can cryptographically prove they have
a key that is trusted to be in the vendor's possession.

~~~
nerdponx
What about PGP?

------
kevmo
"Fake it til you make it" is real.

------
forkLding
This is more common than you expect, a friend's company recently suffered a
Business Email Compromise where their clientele were emailed and sent invoices
to the hackers' bank accounts instead of the actual company's bank account.

Email is definitely an unsafe way to send messages.

------
Myrmornis
> They quickly discovered that while the email appeared to have been sent by
> “accounts.recievable@clarkbuilders.com” the email address had been
> “spoofed.” The display name of the email was different than the actual
> originating account.

Um, and it was mis-spelled apparently.

~~~
LocalH
According to this link posted in another thread:

[https://www.thestar.com/content/dam/thestar/edmonton/2018/10...](https://www.thestar.com/content/dam/thestar/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it/_20181001141124982_1_.jpg)

The email was sent containing the email address
"accounts.receivable@clarkbuilders.us" and the name field
"accounts.receivable@clarkbuilders.com"

------
ig1
I'd love to fund a startup fixing this problem.

It's a clear space where technology has the edge over humans and there's huge
network advantages (e.g. you see a new account # for a known entity,
especially at a different bank it's a big red flag).

~~~
eswat
In particular, this kind of low-tech spoofing could have been mitigated if the
email client had highlighted the fact that the sender’s “name” was nearly
identical to the sending address, and therefore likely a phishing email.

~~~
deepGem
This seems quite simple to accomplish - compare the name and email address in
the email header and flag based on even regex matches/mismatches. Perhaps a
Chrome plugin for gmail to test out ?
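The check deepGem describes, as an added example that is not code from the article, the university or anyone in this thread. It parses a raw message with Python's standard `email` module and flags a From: display name that is itself shaped like an address but differs from the real sender; a lookalike domain (same label, different suffix, which is the `clarkbuilders.com` / `clarkbuilders.us` pattern LocalH quotes); a Reply-To pointing at a different domain; and, for ig1's "known entity" point, a sender domain not on file for the vendor. The two sample messages are constructed from the thread's description of the header, not the actual email, and the vendor allowlist is an assumption.

```python
"""Flag From: headers whose display name impersonates another address.

Added example; not code from the article or from anyone in the thread.
SPOOFED/LEGIT are constructed messages modelled on the thread's
description of the header, not the real email.
"""
from email import message_from_string
from email.utils import parseaddr


def parse_addr(value: str) -> tuple[str, str]:
    """Return (display_name, address) with the address lowercased."""
    name, addr = parseaddr(value)
    return name.strip(), addr.lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def looks_like_address(text: str) -> bool:
    """True when a display name is itself shaped like an e-mail address."""
    text = text.strip()
    local, sep, domain = text.lower().rpartition("@")
    return bool(sep and local and "." in domain and " " not in text)


def registrable_label(domain: str) -> str:
    """The label just before the public suffix: 'clarkbuilders' for both
    clarkbuilders.com and clarkbuilders.us. Crude on purpose; a real
    deployment would consult the Public Suffix List."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def sender_findings(raw_message: str,
                    vendor_domains: frozenset[str] = frozenset()) -> list[str]:
    """Finding codes for one message, in the order they are checked:
    NAME_IS_ADDRESS   display name is an address that differs from the real one
    LOOKALIKE_DOMAIN  sender domain shares its label with the claimed or
                      on-file domain but differs in suffix
    REPLY_TO_DIFFERS  replies would go to a domain other than the From domain
    UNKNOWN_VENDOR    From domain is not one on file for the vendor
    """
    msg = message_from_string(raw_message)
    name, actual = parse_addr(msg.get("From", ""))
    actual_domain = domain_of(actual)
    findings: list[str] = []
    compare_to = set(vendor_domains)

    if looks_like_address(name) and name.lower() != actual:
        findings.append("NAME_IS_ADDRESS")
        compare_to.add(domain_of(name.lower()))

    if any(d != actual_domain and registrable_label(d) == registrable_label(actual_domain)
           for d in compare_to):
        findings.append("LOOKALIKE_DOMAIN")

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parse_addr(reply_to)[1]) != actual_domain:
        findings.append("REPLY_TO_DIFFERS")

    if vendor_domains and actual_domain not in vendor_domains:
        findings.append("UNKNOWN_VENDOR")
    return findings


# Constructed sample messages (not the real email).
SPOOFED = """\
From: "accounts.receivable@clarkbuilders.com" <accounts.receivable@clarkbuilders.us>
To: accounts.payable@example.edu
Subject: Updated banking details

Please direct future payments to the new account below.
"""

LEGIT = """\
From: Accounts Receivable <accounts.receivable@clarkbuilders.com>
To: accounts.payable@example.edu
Subject: Invoice 0042

Invoice attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, sender_findings(raw, frozenset({"clarkbuilders.com"})))
```

Run it over a mailbox export and the spoofed header trips three of the four checks while the ordinary invoice trips none. None of these rules needs DNS, a network, or any cooperation from the sender, which is why it is reasonable to expect a mail client to do this itself.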

------
cknoxrun
This seems like a technology problem, not a personnel problem. There should be
more checks in a system when you are changing bank accounts where so much
money is going to be deposited.

~~~
rwmj
This scam has been going on in the UK for a few years. It's called "authorised
push payment (APP) fraud". Typically you're having some building work done (or
any other large project or purchase), and an email will arrive from the
builder saying they've changed their account details, could the purchaser
please send future bank transfers to the new account. Of course the email is
fraudulent and usually happens because the builder has a virus on their
computer (or even the customer).

The problems are:

* since cheques are no longer in widespread use, the only good way to send money is by a bank transfer to another account; in the UK these are free and nearly instantaneous

* but every account is identified only by a 6 digit sort code and 8 digit account number[edit 1]; the numbers don't even have parity checking, forget about any sort of way to verify the destination account

* complete insecurity of email and computers in general

Finally, after years of foot dragging, the banks are promising they will
introduce an "amazing" new feature, where before you do a bank transfer the
name (I think surname only) of the account holder will be displayed. This
should, when it finally arrives next year, prevent most of these frauds,
although I guess the scammers will quickly adapt.

The fraud: [https://www.theguardian.com/money/2018/sep/25/uk-bank-custom...](https://www.theguardian.com/money/2018/sep/25/uk-bank-customers-lost-500m-to-scams-in-first-half-of-2018)

How the banks propose to solve it: [https://www.psr.org.uk/psr-publications/consultations/APP-sc...](https://www.psr.org.uk/psr-publications/consultations/APP-scams-report-and-consultation-Nov-2017)

[edit 1] True story to illustrate what a shitshow this is: When I started
working for my current company they asked for my 6 digit sort code and 8 digit
account number to pay my salary in. However the first payment was bounced by
the bank. When my employer checked with me, it turned out they had only
entered the first 7 digits of my account number into the payments system.
Surprisingly this was _not_ an error. For example say my a/c number is
12345678, they entered 1234567, and the system assumed that meant 01234567
(this is a feature of all UK banks, not something to do with the payroll,
because bank accounts are really just natural numbers, the first customer is
given bank account number 1, etc.) Luckily the 01234567 account was dormant or
closed so the payment was returned, otherwise several people would have had a
bad day (and one person a good day).

~~~
tacostakohashi
As much as people make fun of the widespread use of checks in the US, it
actually seems much better for this use case, for at least two reasons:

1) the check will be handed over in person to someone you've met before, or at
least mailed to a known postal address which is harder to spoof than email.

2) If you present a check for $12m to a bank, it will get the scrutiny it
deserves, and won't clear immediately.

~~~
JamesCoyne
To your second point, my anecdotal experience has shown that once a check
makes it past the receiving bank clerk into the electronic clearing system,
all manner of errors are allowed. E.g. dates in future, wrong payee, garbage
signatures. The simplest way to pass a check with an error is to deposit it
with 9 other "good" checks.

Has anyone had a check bounce due to a bad signature?

------
olalonde
Did they ever find out who the masterminds were and were they charged
criminally? I couldn't tell from the article.

~~~
3p0ch
I believe one unnamed person in China was caught with $5 million or so; but
$960,000 CAD was still missing; so maybe not? Even if they only walked away
with 8% of the total originally 'stolen', that's still pretty damn good.

Plus, it would probably bring the heat off of you. The investigators and the
university get to say 'we successfully recovered 92% of it!' because that
makes a great headline where 'justice was served' and have the case take a
lower priority.

------
mduncs
Is there a reason the submission titles are altered away from the articles?

------
browsercoin
steal money from Canadian university and buy real estate in Vancouver...only
in BC folks

