date 2015-08-01
He registered a company with a name very similar to that of an existing, legitimate computer hardware manufacturer. He then targeted companies that already had a relationship with, and already regularly paid invoices to, the company with the similar name.
It mentions the victims were "multinational internet companies". The indictment goes farther, saying:
"Victim-1 was a multinational technology company, specializing in Internet-related services and products, with headquarters in the United States"
and
"Victim-2 was a multinational corporation providing online social media and networking services, with headquarters in the United States"
Edit: It mentions that both victims already regularly paid multi-million dollar invoices to the computer hardware company being impersonated. So, if you're trying to guess who the victims are, they are large enough that they run on their own purchased hardware, in fairly large quantities.
There's very little automation; even EDI is the exception rather than the rule (particularly for one-off orders). Most are still either paper, fax, or insecure email.
Email remains pretty broken. You'll be lucky to get end-to-end encryption, and once it arrives it is hard to make assurances that the sender really sent it (or even the sender's domain).
People have tried to fix email but nothing as ambitious as TLS/HTTPS has been. And getting people to use a more secure platform built on top of HTTPS is likely a non-starter...
So what can be done? I legitimately don't know. Even snail mail can be "hacked" via sending a plausible sounding invoice to the right address at the right time.
So, host invoices on your own domain, and only send links to clients. Clients can confirm they are talking to the correct server when downloading the invoice. Same as they should be used to doing for any email with links regarding money.
Totally agree with this. I occasionally deal with relatively large contracts and it is amazing the amount of labor behind processing purchase orders, invoices, etc. Many companies locate their accounts payable/receivable departments in low-cost countries.
Makes me wonder if it's time to metaphorically pack it in, and respecify the SMTP infrastructure on top of HTTP(S), precisely because that seems like the only way we're going to get cert security with email systems. As long as it's an optional add-on to SMTP it seems it just isn't going to be added on. (Of course SMTP wouldn't go anywhere right away; I'm talking about a real process with transition times and such, not a mystical one where this would one day replace SMTP in a big bang.)
I mean, there's a loooot of i's to dot and t's to cross betwixt this little comment and an actual standard, but conceptually it doesn't seem too difficult. SMTP is a conversational standard, but it seems like we've probably got enough negotiation tech in HTTP to pull it off in a request/response manner nowadays.
Transport security is not the actual issue. SMTP over TLS has been around for a while and is fairly well functional. The problem is attaching an identity to the sender's email. That's what S/MIME and GPG/PGP do, but the actual real-world problem here is that you need to somehow certify that the sender is the right person. So you can either have a centralized set of authorities (S/MIME) or a Web of Trust (GPG/PGP). Neither option actually scales. Some countries started issuing certificates in their ID cards, but given that other countries don't even have ID cards, this is obviously not going to fix this either.
HTTPS has the same problems in principle, but it only needs to certify a comparatively small number of entities (web servers) as opposed to actual users.
From what I hear from security folks, transport security is still an issue. You can negotiate up to TLS easily in SMTP, as long as you don't care about certificate validity. But without caring about certificate validity, MITM is still quite possible.
This helps reduce the spam problem, because a mail sender needs to be contactable in order to read the content. Serving up the mail with https is a no-brainer.
You still have reputation problems and certificate authority issues, but the value of a botnet to send spam is greatly reduced.
This was a phishing scam over new deals. New deals can't generally be automated, shouldn't generally be automated, and the issue here involved human factors that are likely to always exist. The presumption that more computers and more encryption could fix what happened in this story seems misguided to me.
If you send an existing customer another invoice, but with a changed bank account number, chances are that the money goes to the same bank account as they used previously. Even if you explicitly add a note about the changed account number, chances are still very high that they use the old one.
I live in India and practically haven't seen any company use cheques for payment in the last few years.
Security incidents have a stark resemblance to emergency room visits. People are so hard to sell on prevention, and they end up paying big for an ER visit.
To me, plausibility is important in fictional works that reach for meaning or defined structure, at least where possible. I mean, I love Hackers but of course groan at scenes inside "The Gibson" and whatnot. This guy actually made it work - I'm impressed.
In other words, simple social engineering. These finance people are scared of their CEOs and VPs, so they jump at their requests, often skipping the verification stage because "Bossman will get pissed if I ask him for his secondary auth. My manager told me I'd be fired if I pissed off bossman again."
If anything, the companies that get hit by such simple scams deserve to be. They clearly don't have the corporate culture and accountability to stop a simple fake money request. Let's stop blaming the technology here and start blaming the real problem: executive entitlement and the incredibly classist structures at most companies where the bottom people can't even question the top people.
This is why these scams work so well. The people in finance are petrified at questioning an executive. That shouldn't be the case.
See also: affidavit [1]
That does narrow it down to companies in those spaces that run on their own metal, and significant amounts of it.
Typically the attacker starts by phishing an employee, then uses information discovered through that to trick someone else in the company to initiate a wire.
It was annoying at times, but it also meant their accounts department could match every single expense to a specific contract or pre-agreed authorisation, complete with who (on their end) had made the request and who had signed off the request.
Even if you don't do that for everything, even just doing that for everything above a certain amount would make such fraud a lot harder.
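An added example, written for this page and not taken from the thread or from any company's real accounts-payable system, of the checks the comments above describe: flagging a vendor name that is only a near-match for one in the vendor master (the lookalike company in the first comment), flagging an invoice whose bank account differs from the account on file, and refusing to pay anything above a threshold that does not cite a pre-agreed purchase order with a named approver. The vendor master, purchase orders, invoices, IBANs and domains are constructed sample data, and the field names are assumptions.

```python
"""Accounts-payable invoice checks against a vendor master and approved POs.

Added example for this page; the records below are constructed sample data
and the field names are assumptions, not any ERP's real schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vendor master: the legitimate supplier, its bank account and
# the email domain invoices are expected to come from.
VENDOR_MASTER = {
    "Northwind Hardware Inc.": {
        "account": "GB29NWBK60161331926819",   # constructed example IBAN
        "domain": "northwind-hw.example",
    },
}

# Constructed purchase orders: every large invoice must cite one of these.
PURCHASE_ORDERS = {
    "PO-1041": {"vendor": "Northwind Hardware Inc.",
                "amount": 2_500_000.00, "approver": "j.doe"},
}

APPROVAL_THRESHOLD = 10_000.00   # above this an invoice must cite an approved PO

CORP_SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "corp",
                 "corporation", "co", "company", "gmbh"}


@dataclass
class Invoice:
    vendor_name: str
    account: str
    sender_domain: str
    amount: float
    po_number: Optional[str] = None


def normalize_name(name: str) -> str:
    """Lowercase, strip punctuation and trailing corporate suffixes, so that
    'Northwind Hardware Ltd.' and 'Northwind Hardware Inc.' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in CORP_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resolve_vendor(name: str) -> Tuple[Optional[str], bool]:
    """Return (vendor_key, is_lookalike). An exact normalized match wins; a
    near-match (edit distance <= 2) is reported as a lookalike, never paid."""
    n = normalize_name(name)
    for key in VENDOR_MASTER:
        if normalize_name(key) == n:
            return key, False
    for key in VENDOR_MASTER:
        if levenshtein(normalize_name(key), n) <= 2:
            return key, True
    return None, False


def check_invoice(inv: Invoice) -> List[str]:
    """Return the list of reasons to hold the invoice; empty means pay."""
    findings: List[str] = []
    vendor, lookalike = resolve_vendor(inv.vendor_name)
    if vendor is None:
        return ["vendor not in master"]
    if lookalike:
        findings.append(f"vendor name {inv.vendor_name!r} is a near-match for "
                        f"{vendor!r}, not an exact match")
    rec = VENDOR_MASTER[vendor]
    if inv.account != rec["account"]:
        findings.append("bank account differs from account on file; "
                        "confirm by phone with a known contact, not via the email")
    if inv.sender_domain != rec["domain"]:
        findings.append(f"sent from {inv.sender_domain}, vendor domain on file "
                        f"is {rec['domain']}")
    po = PURCHASE_ORDERS.get(inv.po_number) if inv.po_number else None
    if po is None:
        if inv.amount > APPROVAL_THRESHOLD:
            findings.append(f"no approved PO cited and amount {inv.amount:,.2f} "
                            f"exceeds threshold {APPROVAL_THRESHOLD:,.2f}")
    else:
        if po["vendor"] != vendor:
            findings.append(f"{inv.po_number} belongs to {po['vendor']!r}, not {vendor!r}")
        if inv.amount > po["amount"]:
            findings.append(f"amount exceeds {inv.po_number} authorisation "
                            f"{po['amount']:,.2f} (approved by {po['approver']})")
    return findings


# Constructed invoices: one genuine, one from a same-name lookalike company
# with a different bank account, one with a one-letter typo-squat name.
LEGIT = Invoice("Northwind Hardware Inc.", "GB29NWBK60161331926819",
                "northwind-hw.example", 1_200_000.00, "PO-1041")
FRAUD = Invoice("Northwind Hardware Ltd.", "DE89370400440532013000",
                "northwind-hardware.example", 1_200_000.00, "PO-1041")
LOOKALIKE = Invoice("Northwlnd Hardware Inc.", "DE89370400440532013000",
                    "northwlnd-hw.example", 45_000.00)

if __name__ == "__main__":
    for inv in (LEGIT, FRAUD, LOOKALIKE):
        fs = check_invoice(inv)
        print(inv.vendor_name, "->", "PAY" if not fs else "HOLD: " + "; ".join(fs))
```

Note that the fraudulent invoice in the sample normalizes to the same vendor name as the genuine one (only the suffix differs) and cites a real PO number, so it is caught only by the account and domain checks; the comment above about matching every expense to a pre-agreed authorisation is what makes the "no PO cited" finding possible at all.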
