back to article Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams ... and they hate him for it. The director of SEC Consult's Singapore office has made a name striking back at so-called "whaling" scammers by sending malicious Word documents that breach their Windows 10 boxes and pass …

  1. Lord Elpuss Silver badge

    Seems to me that organisations need to start using 2-factor authentication for wire transfers. Give each financially authorised company officer an RSA SecurID or similar, and have them authenticate before transactions are approved.

    Or am I missing something?

    1. Adam 52 Silver badge

      In this particular scam it's the "financially authorised company officer" that is doing the transfer.

      Unless you were proposing a method for the fraudsters to defend against a credential leak due to a Trojan PDF.

    2. Elmer Phud Silver badge

      The higher you aim in an organisation, the easier it is for click-bait to work.

      1. Halfmad

        Sad but all too true, doesn't matter if it's a private company or a local council, from my experience over the years they're just as bad as each other when it comes to senior management thinking it won't happen to them or wanting a more convenient (lazy) solution for them, but a different more complicated (and secure) one for everyone else.

        1. Anonymous Coward
          Anonymous Coward

          >senior management thinking it won't happen to them or wanting a more convenient (lazy) solution for them, but a different more complicated (and secure) one for everyone else.

          Wow explains a lot of the problems in society huh?

    3. Flywheel Silver badge

      That sounds eminently sensible to you and me, but in the world of bean-counters they'll probably say that the extra cost and procedural hassle doesn't warrant spending the money. "After all, how often do these frauds take place?"

    4. Tom Paine Silver badge

      ...organisations need to start using 2-factor authentication for wire transfers. Give each financially authorised company officer an RSA SecurID or similar, and have them authenticate before transactions are approved. Or am I missing something?

      What you're missing is that the sort of broken organisations* that fall victim to BEC scams, by definition, don't know that such things are happening or that they're in danger from them. Sure, 2fa could break the kill chain, but so could any number of other, non-technical controls. The problem isn't that there's no way to prevent this happening, it's that the victim orgs don't know or care about them until it's too late.

      * "organisation" as a movable feast -- the accounts payable team can be considered "an organisation"

      1. Christoph Silver badge

        2fa is not difficult! On my personal bank account, if I want to send money to a new payee I haven't paid before, I have to produce an authorisation code from the 2fa gadget.

        If I can do this for 10 quid, why can't large organisations do it for 10 million? If the CEO sends an email saying to pay a new account, that should be authorised with a one time code.

        1. Alien8n Silver badge

          2fa will only work if the 2nd authorisation is from the CEO. The person sending the money is already authorised to send it, the issue is they're doing it believing their CEO has requested it.

          What is actually required is stronger internal processes that mean even the CEO has to fill in a transfer request form for any money transfers. It's then up to the Financial Controller to have the balls to turn round each time the CEO requests them to send money to someone that they fill in the form first and include that with the email. No form, no transfer. This then prevents 3rd parties from sending transfer requests that look authentic. And if the response to "where's the authorisation form?" is "I don't have it, can you send it to me" your next response is grab it off the server. You make emailing that form a disciplinary action, regardless of who's asking. It's an internal document, you want to make sure NO ONE outside the company can get their hands on it.

          And yes, I've worked for a company that got caught out with this scam. The issue being the CEO would send these exact kinds of requests. The scammer got caught out on the 2nd attempt as they used the wrong name for the SEO's wife. They research their victims very extensively.

          1. Mayhem

            Another defence is making sure that the account being wired to is preregistered in the system, so that the FC can approve it, and the system pays. That requires a paper trail that goes past more eyeballs. This idea of wiring a random account a large sum of money is really strange, but I guess at CEO level procedures are for the little people

            1. Alan Brown Silver badge

              "Another defence is making sure that the account being wired to is preregistered in the system, so that the FC can approve it, and the system pays."

              Funnily enough this is exactly how $orkplace operates - along with contact details of appropriate people in the organisation.

              Lots of grumbling about how slow this is to setup, but we get a steady stream of whaling emails and (so far) haven't been compromised.

              Any attempt to change the account details requires (at least) a phone call to the preregistered contacts and more usually an exchange of emails before it would get approved.

    5. TheVogon Silver badge

      "organisations need to start using 2-factor authentication for wire transfers."

      Most already do. And / or multiple approvers.

      "Or am I missing something?"

      If you think that fixes this problem, then yes. The people making the transfers in each scammed company are those authorised to do so...

  2. frank ly Silver badge

    Say What?

    "We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."

    Those scammers are really .....smart?

    1. Tom Paine Silver badge

      Re: Say What?

      Smart enough to be getting a lot richer than you, I suspect, and certainly richer than me.

      If we're so much cleverer, how come we're all flat broke at the end of the month?

      1. not.known@this.address Bronze badge

        Re: Say What?

        Smarter than the people who fall for the scam, at any rate.

        Which isn't necessarily saying much since most people trust everything the computer says...

      2. Florida1920 Silver badge

        Re: Say What?

        If we're so much cleverer, how come we're all flat broke at the end of the month?

        OTOH, we're not being hunted by the law and facing prison. Not me, at least.

  3. Sir Barry

    Make a phone call

    We received an attempt a few weeks ago, our Financial Director received an email purporting to be from our European CEO instructing to wire funds urgently.

    One phone call uncovered it as a scam....

    1. lglethal Silver badge
      Facepalm

      Re: Make a phone call

      You seem to have a Financial Director who has something between his ears. Call me a cynic but I most certainly don't put him in the majority category.

      Most would look at the email they receive, and even if they think to make a phone call, would see a phone number in the email, and dial that number (rather then taking the two seconds to actually look up the phone number in the company directory). Then the CEO's "secretary" would confirm that he really does want the wire transfer but I'm afraid he's in a meeting at the moment. That's more then enough to get most things moving in most of these cases.

    2. Test Man

      Re: Make a phone call

      What I don't understand is why a Financial Controller, upon being told to move lots of company money, is not immediately checking the authenticity of that message? I mean, seeing as it's company money, they should NEVER accept that message at face value and should always verify it?

      Surely there should be business processes for moving money and it should always rely on verification of the original message?

      And anyone who is authorised to make these sort of decisions (i.e. someone who is allowed to ask for money to be moved) should know this?

      1. Andrew Moore Silver badge

        Re: Make a phone call

        Usually it comes after years of weakening of standards at the management/board level. Controls and protocols are bypassed as they make "business difficult". Of course, the rank and file employee is still intended to jump thru all the hoops.

      2. Drefsab_UK

        Re: Make a phone call

        the problem often is that when you get higher up certin ceo's etc think policies/procedures apply to everyone but them. Often these emails are crafted in such a way to suggest that their is a bisness critical reason to break procedure for this transaction.

      3. Tom Paine Silver badge

        Re: Make a phone call

        They're verifying it by looking at the "From:" field. If you think this class of attack is what will finally push PGP signatures into widespread use... I've this great garden bridge to sell you.

      4. Esme

        Re: Make a phone call

        because the higher your salary level the less likely you are to suffer ANY bad consequences of any actions you do, perhaps?

        1. Prst. V.Jeltz Silver badge

          Re: Make a phone call

          indeed - look at that lady last week - Thrown out of her job at the top of one of the NHS trusts for incompetance - all the way down to , well, the next level down , where she is going to have to survive on 180k and brood about what she did! That'll teach her!

      5. Disgruntled of TW
        Facepalm

        Re: Make a phone call

        @Test Man - completely agree. A CFO that doesn't have the CEO's number on speed dial, isn't a CFO. Duh.

    3. kmac499

      Re: Make a phone call

      I'll bet if the FCO received an email from the boss saying "You're fired, clear your desk" They would check it's authenticity; even if only to up their severance terms..

    4. Anonymous Coward
      Anonymous Coward

      Re: Make a phone call

      Likewise - the personal data in the email was remarkably convincing but what gave it away was the "Sent from my iPhone" humblebrag tag at the end - use an iPhone? Hahahahahaha

      1. Prst. V.Jeltz Silver badge

        Re: humblebrag

        humblebrag

        didnt know that was a thing , thanks AC

        calling things a "thing" is quite new too, and a bit "Joss weadon"

      2. Duffaboy
        FAIL

        Re: Make a phone call

        Sent from my Fanbios iphone

    5. sitta_europea

      Re: Make a phone call

      "... One phone call uncovered it as a scam...."

      It would have been cheaper to look at the email headers.

  4. GFK1

    Hoist by their own Petards

    It boggles the mind that these companies have such poor checks and balances that millions - MILLIONS! - can be sent out without any decent verification. A phone call to a secretary should not be all it involves. It's just plain incompetence.

    And the vey CFOs who should be making sure those systems are in place are he ones being hoist by their own petards. There's a certain delightful irony to it - I wouldn't want to be in their shoes after one of these transfers.

    1. lglethal Silver badge
      Big Brother

      Re: Hoist by their own Petards

      Why? They'll just blame IT for the Scammers getting through to them in the first place. Then they'll sack a few low level workers to save some money and then collect their bonuses for reducing expenditure.

      Cynic, moi?

    2. Tom Paine Silver badge

      Re: Hoist by their own Petards

      To be fair, it's never been a problem before -- it's only in the last few years that this type of attack has turned up.

      1. Doctor Syntax Silver badge

        Re: Hoist by their own Petards

        "the last few years"

        Years? These are people who should be aware of likely scams. If it takes a few years to find out about this one they're asleep at the wheel.

    3. not.known@this.address Bronze badge

      Re: Hoist by their own Petards

      Have you never worked for an organisation where people are expected to do things their seniors ask without questioning them? Having fallen foul of (previous, not current) Managers because they KNEW better than me, I would like to point out you don't always get the luxury of asking questions or suggesting that someone has asked for, or is about to do, something monumentally stupid...

      1. Vic

        Re: Hoist by their own Petards

        I would like to point out you don't always get the luxury of asking questions or suggesting that someone has asked for, or is about to do, something monumentally stupid...

        I got hauled into a "meeting" to discuss the fact that I didn't want to change code in a repository[1] that we'd already shipped. It would have left us with two versions of code in the field with a single revision number. My management couldn't see a problem with this...

        Vic.

        [1] Yes, SVN does allow this, although it requires some administrative effort.

    4. tfewster Silver badge
      Facepalm

      Re: Hoist by their own Petards

      Hoist by their own Retards, more like. And I look forward to hearing of some CFO's being sacked and sued for such gross misconduct.

    5. Alan Brown Silver badge

      Re: Hoist by their own Petards

      "There's a certain delightful irony to it"

      This very website ran a story within the last month detailing how the CEO and CFO were _both_ shown the door after falling for a spear phishing scam.

  5. Mk4

    Is this just a puff piece for Sec Consult?

    There isn't any information showing that crims "hate him for it". Do they? How do you know?

    There is a proper place for puffery posing as journalism and it's in those horrible spamfomercials that go to my work email address pretty regularly. Don't just recycle a report about this security conflab and pass it off as news.

    I'd be interested in a properly researched piece with multiple unrelated examples of how this kind of defence is denting global crime. Is opening bank accounts really that hard? Where is the evidence.

    Go and get some stats from Europol, Interpol, FBI, whoever, and work it out.

    1. Robert Carnegie Silver badge

      Re: Is this just a puff piece for Sec Consult?

      I think hate is a reasonable inference from interfering with a criminal's business. Think "Valentine's Day Massacre". These are not forgiving people.

      However, hacking a criminal's Microsoft account name (or even their postal address) and sending it to police may not count as "evidence" that can be used.

  6. Pen-y-gors Silver badge

    And the next e-mail is...

    Dear Friend in Christ,

    I am Inspector Daniel Matombe of the Nigerian State Police. I have recently locked a number of bank accounts containing a total of $47,000,000 (FORTY SEVEN MILLION DOLLARS) that has been stolen from major companies including your own.Please send me details of your losses, including your bank account details, together with a Western Union transfer for $10,000 to cover administration fees, and we will refund your stolen money at once.

  7. Hans 1 Silver badge
    Holmes

    Really cool what this guy did, but this is crazy:

    >Scammed funds are often wired between banks on its way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea, where money trails run cold.

    Wnzhou should lose its banking rights NOW, problem solved. Any other bank/city/country/whoCaresWhat where money trails go cold, same thing ... in the space of three days, no problem ... you've solved the problem ... a single money trail that goes cold, the bank on the receiving end loses banking rights. While you are at it, make moneygram & co legally responsible for the funds they transfer.

    That, sir, is dead easy common sense - of course, our politician's don't want that because they use these "banking services", too.

    1. Tom Paine Silver badge

      The government of China are unlikely to take kindly to unilateral breaking of banking treaties they've signed up to. Neither will the legitimate businesses in that city. And don't you think the attackers will just move 30 miles south and start again in the next city? Seems unlikely that the AML / KYC / ATF compliance people in the banks in that one city are uniquely corruptible...

      1. Doctor Syntax Silver badge

        "The government of China are unlikely to take kindly to unilateral breaking of banking treaties they've signed up to."

        Do these treaties include investigation and prevention of fraud? If so just who is unilaterally breaking treaties?

        1. Anonymous Coward
          Anonymous Coward

          I can't help wondering if this is what is really behind Prime Minister May's "security" concerns about the Hinckley Point nuclear agreement. If it turns out the Chinese investment banks have even a taint of suspicion about laundering SCAM$ possibly looted from US corporations, well, it could be jolly embarrassing to explain to President Trump at the G8 dontchaknow!

          1. Alan Brown Silver badge

            "I can't help wondering if this is what is really behind Prime Minister May's "security" concerns about the Hinckley Point nuclear agreement."

            Quite possibly.

            The Chinese interest in Hinkley (and other nuke plants) being built (quickly and safely) is extreme self interest.

            If you look at a topographical map of China you'll understand why. Even a sea level rise of 2-3 metres will result in more than half of lowland China (home to 70% of the population) becoming tidal lagoons, marshes and mangrove swamps. They have a vested interest in cutting carbon emissions NOW and nuclear is the only long-term solution - current tech now, but LFTR or other safer tech as soon as it's viable (the biggest problem with current tech is the fact that it uses water in the radioactives loop, which is an inherently bad idea)

            (I could rant on with stats, but the short version is that with the best will in the world, no matter how much buildout of renewables there is, it'll only equal current electricity generation and that only accounts for 40% of carbon emissions at best. To replace heating/transport/etc you'll need to increase capacity by a factor of at least 6, probably 8 over current total levels and there's just not enough space for that many windmills/solar panels close enough to points of consumption to be able to economically send it over wires - sea crossings are notoriously low capacity+expensive+lossy and long lines are extremely expensive/lossy/visually intrusive due to tower height)

    2. John G Imrie Silver badge
      Devil

      Wnzhou should lose its banking rights NOW, problem solved. Any other bank/city/country/whoCaresWhat where money trails go cold, same thing

      You can't do that. You'd shut down the City of London in under 24 hours.

  8. Xamol

    Secure Email

    Surely the solution for this kind of problem is a secure ID so that you know the sender is who they say they are? I would have thought this would be a simple solution to implement and a simple procedure to require it to be used for emails requesting money transfers?

    1. Pascal Monett Silver badge
      WTF?

      Don't think so

      The real solution is to have proper checks and balances, and a CRM solution that is up to date.

      If these spammers can send you mail that looks like your Financial Officer in <other country> needs money, then they can probably send you one that looks like the Secure Mail conditions are correct, even if the normal flags are red.

      Managers are not technical people. However, sending money should be an easy affair of telling the local accountant : send this amount to our <country> branch, and ask a report as to why they need the money. The accountant then fires up his accounting package that has the IBAN account number and does the transfer.

      Of course, the real CEO of <country> branch then calls to find out what the hell is going on. the situation is resolved without trouble.

      The issue is only that people get mails telling them to wire money to an account in the email. Sorry, that should just never work. You tell me to send funds to one of my suppliers, I don't need your mail to know what account to send the money to. I will also check whether or not I have any pending invoices with that customer before sending anything.

      Organization, people. It is just inconceivable that major organizations depend on IBAN account numbers sent in emails to do their work. If they are so big as companies go, then they have all the details in their accounting packages, so why is this a problem ?

      1. Alan Brown Silver badge

        Re: Don't think so

        "It is just inconceivable that major organizations depend on IBAN account numbers sent in emails to do their work. "

        The whaling scams I've seen purport to be from XYZ large supplier requesting a change of account details.

        The amazing part is that I've had people complain that the system won't just let them enter the details that have come in via email and as others have mentioned, will make the confirmation call to the phone number in the email, not the one already in the system. (Which is why the system won't just let them bang in changes. There's a procedure to follow for a reason and I don't give a monkeys if you're the CEO, I'm not deviating from it unless you give me an order in writing, indemnifying me from any consequential liabilities)

    2. Vic

      Re: Secure Email

      Surely the solution for this kind of problem is a secure ID so that you know the sender is who they say they are?

      Digital signatures have been possible for years.

      Now try to get that implemented in any commercial organisation. It's always "too hard"[1], and we need to understand that "loss of productivity costs real money"[2].

      Vic.

      [1] It isn't. It's actually rather easy,.

      [2] There's a tiny amount of training required to teach people how to sign emails. But apparently, that costs too much, whereas the sort of losses we see from this article are acceptable costs of doing business.

  9. Christoph Silver badge

    If all the ways of fiddling money transfers are blocked, how will the CIA manage its transfers?

  10. Hans 1 Silver badge
    FAIL

    Accenture ?

    Anyone else notice the ONLY tech-savvy company, or so purported to be, is Accenture ?

    I have talked to several of these guyz, show them CMD.EXE or PowerShell.exe and they wet their pants ... I am talking "consultants" here. No surprise to me that they are in that list, they would, generally, not know what 0wned means even if you hacked their website and put it on there.

    Now to the scary thing, a lot of you hire these IDIOTs in, to "solve" your IT problems ... and their standard line is: "You should scrap all those vendors and go Microsoft only, because, well, one vendor is better." I read that line all too often on here.

    To those that have fallen to this line, you probably don't know that the Redmond-based security-sieve purveyor and data-harvesting corp is their greatest investor. D'oh, I know.

    Not only are they telling you, the car mechanic, that a Swiss army knife is better, because, well, it has a spoon as well as the Philips screw-driver, along with sizes 1/8, 1/4, 3/8, 2/4 spanners ... yes, you can repair a car with it AND got to lunch, who would need more than that, hey ? They are doing so to please their investors.

    You will have guessed, Accenture consultants? I laugh them out of the building, only to return when my job's done at the clients ... I have the decency NOT to ridicule them in front of the client, but that might change soon!

    1. Valeyard

      Re: Accenture ?

      Did someone from Accenture like... touch you anywhere?

  11. bombastic bob Silver badge
    Devil

    A positive story about hackers

    It's nice to see a positive story about hackers. MOST hackers aren't law breakers [they typically do engineering work, solving complex problems with rapidly adapting and often non-traditional techniques] and so are of the 'white-hat' variety. Some are black-hats, and these guys were arrested in THIS story. But you have to appreciate the 'grey-hat' hackers as well, like the "protagonist" of this story, sending the carefully crafted documents to the bad guys to reveal their identity.

  12. Anonymous Coward
    Anonymous Coward

    It amazes me in this day and age of technology that any company with large amounts of money don't use accounting software. I used to work for a billionaire real estate developer and I setup multiple controls and procedures for processing payments. First off the CEO never allowed wire transfers for anything, ever. If you wanted money out of this company the only way is for this procedure to happen in this order:

    New Vendors are verified by Accounts Payable over the phone and are required to supply tax id info and liability insurance.

    1. An invoice for payment is received by Accounts Payable in email or paper copy.

    2. Invoices are entered into the accounting software.

    3. Invoices and then approved/denied by the person who ordered the items on the invoice.

    4. Checks are then approved for printing by the Accounting Director.

    5. Accounts Payable then prints the checks, checks under $10,000 are printed with signature.

    6. Accounts Payable downloads a Positive Pay file from accounting software.

    7. Positive Pay file is sent to the CFO who then logs on the the bank with Two Factor Authentication (RSA SecurID) and then uploads the file, which then instructs the bank to allow the checks to be paid. Checks presented for payment that are not pre-approved in this matter are not paid.

    8. Printed checks are then presented to CEO for visual approval and a signature if over $10,000.

    9. Accounts Payable stuffs the checks in envelopes and is mailed or picked up by a vendor.

    You would think that if there is so much money involved that these companies and banks wouldn't accept just a forged email to send out a wire transfer. If they allow such stupidity maybe they should be fired or loose the money that was stolen.

    1. Wensleydale Cheese Silver badge

      No oheques in my country

      "5. Accounts Payable then prints the checks, checks under $10,000 are printed with signature."

      Well, maybe for high value items (e.g. 10K+), but everything else is done by bank transfer.

      There's no reason why similar checks and balances to the ones you describe can't be incorporated into that of course.

  13. Herby Silver badge
    Joke

    Why can't I...

    Send one of these scam emails to a government (after all they print the money) and have them drop off a load of cash.

    I'd probably end up in the hoosegow, but I'd live large for a couple of days. Then again with government efficiencies it might take a while. I get all these offers of IRS forgiveness all the time, so they must have some spare change floating around to line my pockets. I might even retire.

    Message to IRS: I am due a refund of (large) amount. Send it to me. Cash is OK.

  14. Anonymous C0ward

    Any internal-internal mail that fails SPF, originates in a NIC area you don't do business in, or has a from/reply-to domain with a close misspelling, should get dropped at the inbound MX and the originating server reported to several blacklists.

  15. DougS Silver badge

    Do CEOs really order multi-million dollar expenses via email?

    To vendors with which their company has no prior business relationship? If so, they deserve what they get for having such poor internal controls.

  16. Anonymous Coward
    Anonymous Coward

    Wait... so these "hackers" are using Windows 10 machines and Outlook? I guess when you are just throwing emails over the fence at controllers, you don't need stealth mode equipment. Kind of funny that Windows lack luster security worked to their advantage and then to their disadvantage. Maybe that is MSFT new security strategy... if anyone hacks you, you can hack them right back.

  17. Kiwi Silver badge
    FAIL

    2016.. Still..

    Great that they're hurting the hurters to some degree, and recouping some of the losses of these big organisations (while the smaller ones who actually feel it may not get the same help but anyway...)

    But FFS, it's 2016! And you can still have your personal information lost or your computer harmed by opening a document on Windows!

    Come on MS, this sort of crap should've been ended 20 years ago. You claim to be an innovative company who produces secure software, so get with it!

  18. Anonymous Coward
    Anonymous Coward

    How to stop fools from making uhrm... fools of themselves?

    Answers in the mail please.

    Our CEO suddenly announced the acquisition of a business partner that we had had a long (i.e. a year) relationship with.

    They do not make any money. A year later and our CEO had to admit to the board of directors that his move was a bad one. Now we either have to think of something outlandishly smart, or offload the problem to somebody else.

    You can add as many two-step authentications as you wish, but the underlying problem is the same: Most smart people want to work with technology, not manage others. So the ones left applying for the top brass jobs are usually quite a bit short on the intelligence front. The light is on, but nobody is at home.

  19. Mandoscottie

    you have to give them credit, if companies are that inept to enforce 2FA with their banking systems, then fair play, they get everything they deserve.

    Even with our company bank accounts enabled with SecureID 2FA (with RBS no less) there really is no excuse.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019