BY ANTHONY VALENTI, CFE, CAMS; AND STEPHEN KORINKO, CFE, CAMS, CPP

Transcription

1 DOMAINS IN DISGUISE FAKE DOMAIN WIRE-TRANSFER SCHEME istock/thinkstock Using a classic phishing scheme, fraudsters are taking control of company accounts to initiate wire transfers from unsuspecting employees. We show how crooks lure victims into their traps and how you can protect your clients. BY ANTHONY VALENTI, CFE, CAMS; AND STEPHEN KORINKO, CFE, CAMS, CPP

2 Domains in disguise Anew controller, Sam, reported for work at ABC Tire Company. He was anxious to prove that his employer had hired the right person. In his first week, he received an from the company CEO with the instructions, Process a wire of $205, ASAP to the below account information. Code it to professional services. Send me the confirmation when completed., Gary, CEO. istock/thinkstock Sam promptly followed his CEO s instructions and completed the wire. When he approached the CEO the following day, he smiled and said, Sir, I took care of that wire transfer you requested. The CEO responded, What wire transfer? To his horror, Sam realized he d been a victim of an Internet fraud scheme. The had come from a fake, cleverly disguised corporate domain. This scenario describes a crime that s occurring in all types of international organizations. Our company first began receiving reports in spring of 2014 about a scheme that tricked companies into fraudulently wiring funds to vendors with overseas bank accounts. It first appeared to resemble a standard phishing attack. [Cybercriminals use s to phish for personally identifiable sensitive information (PII) such as usernames and passwords. A legitimate-looking requests the recipient to click a link and log in. The victim enters PII onto the site and the phish is speared.] However, we soon found that the scheme had three unique traits: 1) It used a fake domain intentionally designed to fool the recipient into thinking it came from his or her company. 2) The victim companies, rather than the banks, suffered the full loss of the funds. 3) It had an alarmingly high success rate a sure sign that it will be a growing trend. In this fraud, a company s accounting personnel receives an from a senior executive in the company who requests that they wire funds to an overseas bank account supposedly for a new vendor only to find out after the transaction that the was forged. As the reports started pouring in from our clients, the U.S. Secret Service confirmed that a wire transfer scheme using fake domains and exhibiting the three unique traits listed above was becoming widespread throughout the country. According to our investigation, the fraudsters: Knew the executive and staffer in the organization who were responsible for transferring funds by wire. Appeared to know the wire transfer limits of those targeted in the organization. Had access to the inboxes, calendars and voice messaging systems of those responsible for transferring funds by wire. Used similar language in the s requesting funds transfers (except for amounts and banking instructions to complete the transfer of funds). Requested funds be wired to first-time vendors. Initially, the details of this scheme and the high success rate suggested that insiders were assisting the fraudsters. In each case we reviewed, the fraudsters appeared to have proprietary information uniquely available to the company s 262 FRAUD MAGAZINE MARCH/APRIL 2015 FRAUD-MAGAZINE.COM 2015 Association of Certified Fraud Examiners, Inc.

3 executives, their assistants and accounting staffers. However, we discovered that the fraudsters didn t need any inside help. They had insidiously penetrated client systems by covertly reading s between executives and employees. Via phishing attacks or social engineering, the fraudsters identified those responsible for transfers, their funding limitations, corporate accounting expense recordings and bank protocols relating to wire transfer requests. The fraudsters waited for the optimum time to the unassuming accounting staffer in an executive s name to request the wire transfer. (The best time was when the party who could order the transfer was traveling or otherwise difficult to reach or unavailable but not the functionary who made the transfer request based on the phony .) They typically used a fake domain usually obtained from a foreign vendor that was very similar to the company s actual domain so that it wasn t suspicious to the recipient, and the executive they were impersonating didn t detect the . The fraudsters had the payment initially directed to a non-u.s. bank account and then redirected the funds several times until the money reached a bank located in a known tax haven, which made retrieval and/or prosecution difficult, if not impossible. Recent cases have seen funds end up in U.S. accounts as well. Successful fraudsters emptied the accounts within hours to days after the wire transfers, so the only way for victim companies to retrieve the funds was to quickly recall the transfers or freeze accounts. Once the transfers were complete, so were the financial losses to the companies, while the banks remained unscathed. Prevention is the only true protection: Strong vendor protocols, financial controls and staff communication and training are essential to thwarting these fraudsters. GETTING INSIDE For many of the victimized companies, it s often a mystery how fraudsters targeted their business, identified the decision makers and gained access. However, simple searches on social media sites will often supply names, titles and responsibilities of current and former employees of targeted companies from C-suite executives to functionaries in accounts payable departments. When social media is unhelpful, those fraudsters who are expert social engineers will call employees to obtain the identities of their targets. We ve even seen successful schemes in which unsophisticated accounting employees have given out sensitive business information such as wire transfer protocols, bank account details and passwords to fraudsters posing as legitimate third parties. Fraudsters then will initiate phishing attacks hoping just one staffer will be induced to provide the access that sets the scheme in motion. An early iteration of the scheme used a phishing attack with a fake Google Docs website to capture corporate logins from targeted employees of victim companies usually staffers in the accounting department. (See Figure 1 below.) Recent attacks have leveraged the ability to host the website on Google s hosting platform, so the URL seems legitimate, and the web page is a near-perfect replica of Google s login page. When the employee enters companyprovided credentials into the web form and clicks View Document, the phishing website redirects the employee to a page that claims the document can t be found. But now the employee s credentials have been sent to the fraudster who then uses them to log into the account. Spending just a short time in employees accounts enables the fraudster to gather the information he needs to execute the fraudulent wire transfer requests. Armed with the necessary information and access, the fraudster patiently monitors the executive s account and waits for the optimum time to execute the fraud. The fraudster, who has complete Figure 1: Sample phishing Google Docs webpage. Note login request and non- Google domain Association of Certified Fraud Examiners, Inc. FRAUD-MAGAZINE.COM MARCH/APRIL 2015 FRAUD MAGAZINE 273

4 Domains in disguise From: Sent: Mon, May 19, 2014 at 10:01 AM Name - please wire $35, to our clients XXXX bank account details below today. This is to pay an approved invoice to XXXX [Fraudsters ABA route transit number, Bank Account and Beneficiary Information] Please send me wire transfer confirmation when completed. From: [email protected] Sent: Tue, May 27, 2014 at 11:07 AM Name - please wire $45, to our clients XXXXX account details below today. This is to pay an approved invoice to XXXX, you can do it online. [Fraudsters ABA, Bank Account and Beneficiary Information] Please send me wire transfer confirmation when completed. From: [email protected] Sent: Wednesday, May 28, :17 PM Subject: Fwd: Wiring Instructions [Fraudsters ABA, Bank Account and Beneficiary Information] Process a wire of $257, to the attached account information ASAP. Code it to Professional Services. Send me the confirmation when completed., Tue, Jun 10, 2014 at 12:54 PM From: [email protected] Cc: [email protected], [email protected], [email protected] Name - please wire $61, to our clients XXXX account details below today. This is to pay an approved invoice to XXXX. [Fraudsters ABA, Bank Account and Beneficiary Information] Please send me wire transfer confirmation when completed. From: [email protected] Sent: Friday, June 13, :25 PM Subject: Fwd: Wiring Instructions Attachments: [reflects Fraudsters ABA, Bank Account and Beneficiary Information] Name: Process a wire of $82,050 to the attached account information. Code it to Misc. expense and Send me confirmation when completed. I ll forward support later on. Figure 2: Fake domain wire transfer scheme sample fraudulent s control of that account, can permanently delete s or create mailbox rules to redirect any replies from recipients to the trash or archives. In some cases, the fraudster appears to wait until the executive is traveling or otherwise difficult to reach to execute the scheme. Apparently, he does this to thwart bank protocols, including the routine call-back protocol that requires verbal authorization from the executive with ultimate responsibility for the funds transfer. Our company investigated two instances in which the fraudsters had apparent control of the executives systems and knowledge of bank call-back protocols when they attempted to execute the schemes. In one case, a client reported that the bank had called the executive while he was traveling and left a voice message requesting authorization to execute the transfer of funds. The fraudsters had access to the executive s voice messaging system and intercepted the message. One of the fraudsters impersonated the executive and subsequently wrote an from the executive s box acknowledging receipt of the voice message. The fraudster, in the guise of the executive, informed the bank representative that he couldn t return the call but he confirmed the wire instructions, which the bank dutifully performed. Another client reported a similar attempt that was unsuccessful because an employee followed an internal control. EXECUTING THE FRAUD Regardless of how fraudsters gained access to a company s systems, they always used a fake domain typically purchased from New Zealand or India. Because the fraudsters acquired the domain through overseas vendors, it was highly unlikely that private parties or U.S. law enforcement could ID the fraudster. First, investigating those vendors can be 284 FRAUD MAGAZINE MARCH/APRIL 2015 FRAUD-MAGAZINE.COM 2015 Association of Certified Fraud Examiners, Inc.

5 cost-prohibitive. Second, due to foreign privacy laws, vendors might not be required to verify the purchaser is a real person or entity, and there s no guarantee that the foreign court would recognize U.S. civil or criminal processes and require disclosure of the domain purchaser. The fraudsters created domains nearly identical to the real domains of the target companies. In the ABC Tire Company example, the domain for the fake domain could, for instance, have an extra i in the word Tire (JSmith@ ABCTiire.com; instead of JSmith@ABC- Tire.com). Normally, if a fraudster carefully executes the rest of the , the victim won t notice the false domain. In all the different reports we examined the s requesting the fraudulent wire transfer of funds used a similar, simple format with particular language engineered to trick the target. Figure 2 (on page 28) provides five actual, sanitized examples of s used in either attempted or successful frauds using fake domains. The s use urgent language from the authorized executive along with specific and familiar expense codes ( Misc or Professional Services ), which place pressure on employees to expedite the wire transfer. While it seems hard to believe, employees in multiple companies prepared wire transfers to new, first-time vendors, which is arguably the biggest red flag in the scheme. In one instance, the employee wired the funds to an overseas account a first for the victim company to a first-time vendor. Thus, the employee failed to recognize two bright red flags: the new vendor and the company s first international transfer of funds. GETTING THE MONEY Another unique aspect of this scheme was that the fraudsters didn t need the company s banking information to execute it. If the fraudsters were successful, they learned the company s bank and account information from the receiving bank, which possibly led to more theft. Fraudsters will open bank accounts with small deposits seven to 10 days prior to attempts to execute frauds. In most early instances of the scheme we saw, fraudsters left instructions at the receiving banks to transfer the funds to international accounts in countries without an extradition treaty with the U.S. More recently, fraudsters have directed funds to accounts at U.S. banks. In one case, the fraudster transferred funds from a foreign victim (Canadian) to a Miami bank. The fraudster then had the bank transfer a substantial portion of the deposited funds to a personal account in the same bank and withdrew $50,000 in currency before leaving the bank. Remarkably, bank officials weren t suspicious of the customer who within days of opening an account with a $50 cash deposit was withdrawing $50,000 in currency. (The fraudsters use of a U.S. bank suggests that in some iterations of the fraud they now use straw men to open and empty accounts a significant and less sophisticated mutation of the original scheme.) In another U.S. example, the fraudster requested the victim entity to transfer funds to the account of a legitimate yacht broker from whom the fraudster planned to purchase a small yacht. However, the victim company became suspicious of the wire transfer request prior to its authorization. Fraudsters who use U.S. banks and middlemen potentially increase their risk of being caught, but they gain access to the funds more quickly. Additionally, unlike other fraud schemes (counterfeit checks, credit card fraud, identity theft), in which banks typically incur financial losses, the fraudsters in this scheme have rightfully concluded that banks are extremely reluctant to question transactions in which they have no loss exposure. WHAT CAN VICTIMS DO? Once the wire transfer is complete, it s nearly impossible to reverse it if the fraud isn t detected almost immediately. And because the bank doesn t suffer any loss as long as it follows proper procedures, it won t freeze an account or return funds unless it s notified of the fraud. The only hope to recovering funds is a quick response. A victim company must react by notifying its bank s fraud unit and requesting the immediate recall of the wire transfer or freeze accounts with balances. Bank protocols permit the freezing of accounts where funds from suspected fraudulent activity have been deposited. The victim company s insurance company might require it to file complaints with local and federal law enforcement, FBI and/or Secret Service, which it should do regardless. As first-responder investigators, we also advise companies to review past transfers to spot other possible fraudulent wires. PROTECT YOURSELF AND YOUR CLIENTS Fraudsters typically target mid- to largesize companies because they routinely transfer hundreds of thousands of dollars to third parties that are unfamiliar to accounting staffers. However, smaller companies aren t immune; a significant loss may severely impact their ability to continue operations. The first prevention step is to review wire transfer protocols, both internally and with the bank. Companies must insist that banks have call-back protocols and adhere to them regardless of how difficult it might be to reach the designated officials Association of Certified Fraud Examiners, Inc. FRAUD-MAGAZINE.COM MARCH/APRIL 2015 FRAUD MAGAZINE 295

6 Domains in disguise Internally, companies need to review their controls relating to payments and wire transfers and consider a higher level of authorization for disbursements to first-time vendors. For example, designate an official who owns each vendor and require that accounting staff member to contact the appropriate official before transferring funds. Companies also need to arm against phishing attacks and social engineering. The best defense is education and training to help employees recognize these techniques. Companies that use or allow Google Docs or Gmail should enable Google s 2-Step verification, also known as twofactor authentication, to prevent an outside party from logging into Google without a requisite authenticator token. However, while a successful attack using Google 2-Step login code hasn t been reported, fraudsters often change tactics as defenses evolve. A higher barrier to prevent unauthorized access into Google Apps is the use of a third-party SSO (single sign-on) or SAML (security assertion markup language) provider, such as Ping Identity and Centrify. These services allow for a much stronger login system into Google applications because they restrict login based on location, device and tokens. They also allow the login portal to be customized, which makes it difficult for an attacker to anticipate and mimic on their phishing page. No one is safe. Fraudsters have successfully targeted all types of companies. The more successful they are, the more the scheme is likely to grow. Review your vendor protocols, financial controls and compliance policies. Most importantly, regularly train and encourage employees to recognize red flags and question suspicious requests. An employee who senses something is wrong is usually right. n FM Anthony Valenti, CFE, CAMS, is managing director of Stroz Friedberg, LLC, which specializes in investigations, intelligence and risk services. His address is: [email protected]. Stephen Korinko, CFE, CAMS, CPP, is vice president of Stroz Friedberg, LLC. His address is: [email protected]. The authors wish to thank Daniel Blank, digital forensic examiner, at Stroz Friedberg. Reprinted from the March/April 2015 issue of Fraud Magazine, Vol. 30, No Association of Certified Fraud Examiners, Inc. ACFE, CFE, Certified Fraud Examiner, Fraud Magazine, Association of Certified Fraud Examiners and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world. 306 FRAUD MAGAZINE MARCH/APRIL 2015 FRAUD-MAGAZINE.COM 2015 Association of Certified Fraud Examiners, Inc.