Fake Domain Wire Transfer Scheme: How to Recognize the Fraud & Protect Your Company

Transcription

1 Fake Domain Wire Transfer Scheme: How to Recognize the Fraud & Protect Your Company

2 1 Fake Domain Wire Transfer Scheme: How to Recognize the Fraud and Protect Your Company By Anthony Valenti and Stephen Korinko A new controller reported for his first week of work at ABC Tire Company anxious to prove that his new employer had hired the right person. In his first week, he received an from the company CEO with the instructions: Process a wire of $205, ASAP to the below account information. Code it to professional services. Send me the confirmation when completed. Thanks, Gary, CEO. The new controller promptly followed his CEO s instructions and completed the wire. When he approached the CEO the following day, he smiled and said, Sir, I took care of that wire transfer you requested. The CEO responded, What wire transfer? To his horror, the new controller realized he had been a victim of an Internet fraud scheme. The had come from a fake, cleverly disguised corporate domain EXECUTIVE SUMMARY The scenario above describes an actual event that is happening in all types of companies throughout the U.S. When Stroz Friedberg began receiving reports in spring 2014 about a scheme that tricked companies into fraudulently wiring funds to vendors with overseas bank accounts, it first appeared to resemble a standard phishing attack. But we soon found that the scheme had three unique traits: 1. it uses a fake domain intentionally designed to fool the recipient into thinking it came from his or her company; 2. the victim companies, rather than the banks, suffer the full loss of the funds; and 3. it has an alarmingly high success rate, a sure sign that it will be a growing trend. In a matter of weeks, we had been contacted by several clients reporting attempted or successful fraudulent transfers, with a number of similarities. Specifically, client reports indicated that the fraudsters: - Knew the executives in the organization who were responsible for transferring funds by wire; - Appeared to know the wire transfer limits of those targeted in the organization; - Had access to the box, calendar, and voice messaging systems of those responsible for transferring funds by wire; - Used similar language in the requesting the funds transfer (except for amounts and banking instructions to complete the transfer of funds) - Requested funds be wired to first-time vendors The details of this scheme and the high success rate suggest that the fraudsters are assisted by insiders. However, the facts that we revealed in our investigations are much more insidious. Through a phishing attack or social engineering, the fraudsters gain control of a corporate box and correctly identify and impersonate a corporate official authorized to direct the transfer of funds by wire. Once in control of the box of the relevant executive, the fraudsters wait for the optimum time to execute the scheme: ing the unassuming accounting staffer in the executive s name to request the wire transfer. They typically use a fake domain usually obtained from a foreign vendor that is very similar to the company s actual domain so that it is not suspicious to the recipient, and the is not detected by the executive they are impersonating. The fraudsters have the payment initially directed to a foreign bank account, and then redirect the funds several times until the money reaches a bank located in a known tax haven, making retrieval and/or prosecution difficult, if not impossible. Recent cases have seen funds end up in domestic accounts as well. Successful fraudsters empty the accounts within hours to just days after the wire transfers, so the only way for a victim company to retrieve the funds is to act quickly to recall the transfer and freeze the account. Once the transfer is complete, so is the financial loss to the company, while the banks remain unscathed. Prevention is the only true protection: strong vendor protocols, financial controls and staff communication and training are essential to thwarting these fraudsters.

3 2 FALSE DOMAIN WIRE TRANSFER SCHEME Beginning in April 2014, Stroz Friedberg had been contacted by several clients about a new internet fraud scheme. In this fraud, a company s accounting personnel receives an from a senior executive requesting that they wire funds to an overseas bank account, supposedly for a new vendor, only to find out after the transaction has been made that the was forged and not from the actual corporate domain as it had appeared. As the reports starting pouring in from our clients, the Secret Service confirmed that a wire transfer scheme using fake domains was becoming widespread throughout the country and growing and with an alarming rate of success. Also disconcerting is that, unlike other frauds involving banks, the banks incur no financial loss. The target company is the sole casualty. In each case we reviewed, the fraudsters appeared to have proprietary information uniquely available to the company s executives, their assistants and accounting staffers. This led to the suspicion that an insider was involved in the fraud. However, after some review of the situation, we concluded that, while an insider could be involved, the more likely scenario was that outside fraudsters had penetrated client systems, including corporate s, voice mails, and executive calendars. Thus, by covertly reading s between executives and employees, the fraudsters were able to identify those responsible for transfers, their funding limitations, corporate accounting expense recording, and bank protocols relating to wire transfer requests. Getting Inside For many of the victimized companies, how fraudsters targeted their business, identified the decision makers, and gained access, is often a mystery. It s well known that fraudsters are experts at procuring information needed to execute their schemes through research, social media sites, and social engineering. The job of a fraudster is to steal something of value from someone else. It is their only job; it s what they do all day, every day. Fraudsters know that the United States is a target-rich environment of small and medium size companies that have inadequate controls to prevent an intrusion or fraud. For example, a simple search on social media sites will often supply the names, titles and responsibilities of current and former employees of a targeted company, from C-suite executives to functionaries in the accounts payable department. When social media is unhelpful, calls to employees by fraudsters, who are expert social engineers, can produce the identities of personnel such as the CFO, Controller, and accounting staff members. We have even seen successful schemes in which unsophisticated accounting employees have given out sensitive business information like wire transfer protocols, bank account details, and passwords to fraudsters posing as legitimate third parties.

4 3 With the knowledge gained from these various techniques, fraudsters can conduct phishing attacks 1 hoping just one staffer will be induced to provide the access that sets the scheme in motion. An early iteration of the scheme used a phishing attack with a fake Google Docs website to capture corporate logins from targeted employees of victim companies, usually someone in the accounting department (see sidebar and Exhibit 1). Spending just a short time in the employees accounts enabled the fraudsters to gain the information they needed to execute the fraudulent wire transfer requests, such as who in the company is authorized to send and approve wire transfers and their writing styles, names of other key executives, wire transfer request form details, and transfer authorization amounts. Exhibit 1: Sample phishing Google Docs webpage; note login request form and non-google domain Armed with the necessary information and access, fraudsters patiently monitor the executive s account, waiting for the optimum time to execute the fraud. The s exchanged between the fraudster impersonating the executive and the person directed to make the transfer are not seen by the actual account holder. The fraudster, having complete control of the executive s account, is able to permanently delete s or create mailbox rules to redirect any replies from recipients to the trash or archives. Thus, the s are never displayed to the actual owner of the account. GOOGLE DOCS PHISHING In the earliest version of the fake domain wire transfer scheme, fraudsters used a phishing attack, a fake Google Docs website, and a fake domain to execute the fraud on companies that use or allow the use of Gmail, or another web-based platform. The fraudster, using social engineering or phishing techniques, induces an employee to open a link to a false website. This website is designed to look like a login page for Google Docs. The site asks for the employee s username and password. The URL of the web page is often suspicious to the careful observer and does not exactly resemble the Google login page. However, recent attacks have leveraged the ability to host the website on Google s hosting platform, so the URL seems legitimate, and the web page is a near perfect replica of Google s login page. (Exhibit 1) When the employee enters companyprovided credentials into the web form and clicks View Document, the phishing website redirects the employee to a page that claims the document cannot be found, but now the employee s credentials have been sent to the fraudster. After receiving the user s login credentials, the fraudster logs into the employee s account, occasionally from an anonymizing service or a foreign country (e.g. Africa or Eastern Europe), and spends a short time in the box before logging out. The time spent in the employee s box enables fraudsters to learn information pertinent to executing wire transfers within the company and the ability to read out-of-office notifications. In some cases before executing the scheme, the fraudster, who has access to the appropriate calendar, 1 Phishing is the use of in an attempt to obtain sensitive information (usernames and passwords). The appears legitimate and requests the target to click a link and log in. When the target enters their information into the link, the attacker receives the information. Spear phishing is a more targeted attempt to entice particular individuals or areas in a company to enter sensitive information.

5 appears to wait until the executive is traveling or otherwise difficult to reach. This is apparently to thwart bank protocols, including the call back protocol that banks routinely use prior to executing wire transfers. As a security measure, banks commonly require verbal authorization from the executive with ultimate responsibility for the funds transfer, rather than simply acting upon instructions submitted to them. Stroz Friedberg investigated two instances in which the fraudsters had apparent control of the executives systems and knowledge of bank call back protocols in their attempts to execute the scheme. In one instance, a client reported that the bank, following established protocol, called the executive while he was traveling and left a voice message requesting authorization to execute the transfer of funds. The fraudsters had access to the executive s voice messaging system and intercepted the message. Impersonating the executive, they subsequently wrote an from the executive s box acknowledging receipt of the voice message, informing the bank representative that he could not return the call and confirming the wire instructions, which the bank dutifully performed. Another client reported a similar attempt that was unsuccessful because an employee followed an internal control. 4 Executing the Fraud Regardless of how fraudsters gained access to the company s systems, the attempts and successful frauds our clients reported always included the use of a fake domain. Typically, the fraudster purchases the domain name from a foreign source. Specifically, our investigations identified New Zealand and India as locations of those sources. Acquiring the domain through overseas vendors makes it highly unlikely that the identity of the fraudster can be determined by private parties or U.S. law enforcement. First, investigating those vendors can be cost-prohibitive. Second, due to foreign privacy laws, vendors may not be required to verify the purchaser is a real person or entity, and there is no guarantee that the foreign court would recognize U.S. civil or criminal process and require disclosure of the domain purchaser. As a result, there is little recourse from either civil process or U.S. law enforcement. The fraudsters create a domain is nearly identical to the real domain of the target company. In the ABC Tire Company example, the domain for the fake domain could, for instance, have an extra i in the word Tire (JSmith@ABCTiire.com). Normally, with the rest of the carefully executed, the false domain will go unnoticed. Across the different reports we examined, the s requesting the fraudulent wire transfer of funds used a similar, simple format with particular language engineered to trick the target. The following exhibit provides five actual, sanitized examples of s used in either attempted or successful frauds using fake domains.

6 5 From: Sent: Mon, May 19, 2014 at 10:01 AM Exhibit 2: Fake Domain Wire Transfer Scheme Sample Fraudulent s Name - please wire $35, to our clients XXXX bank account details below today. This is to pay an approved invoice to XXXX [Fraudsters ABA route transit number, Bank Account and Beneficiary Information] Please send me wire transfer confirmation when completed. Thanks From: executive@fakedomain2.com Sent: Tue, May 27, 2014 at 11:07 AM Name - please wire $45, to our clients XXXXX account details below today. This is to pay an approved invoice to XXXX, you can do it online. [Fraudsters ABA, Bank Account and Beneficiary Information] Please send me wire transfer confirmation when completed. Thanks From: executive@fakedomain3.com Sent: Wednesday, May 28, :17 PM Subject: Fwd: Wiring Instructions [Fraudsters ABA, Bank Account and Beneficiary Information] Process a wire of $257, to the attached account information ASAP. Code it to Professional Services. Send me the confirmation when completed. Thanks, Tue, Jun 10, 2014 at 12:54 PM From: executive@fakedomain4.com Cc: xxxxxx@gmail.com, yyyyyy@gmail.com, zzzzzz@pmcupa.com Name - please wire $61, to our clients XXXX account details below today. This is to pay an approved invoice to XXXX. [Fraudsters ABA, Bank Account and Beneficiary Information] Please send me wire transfer confirmation when completed. Thanks From: executive@fakedomain5.com Sent: Friday, June 13, :25 PM Subject: Fwd: Wiring Instructions Attachments: [reflects Fraudsters ABA, Bank Account and Beneficiary Information] Name: Process a wire of $82,050 to the attached account information. Code it to Misc. expense and Send me confirmation when completed. I'll forward support later on. Thanks

7 The s use urgent language from the authorized executive along with specific and familiar expense codes ( Misc or Professional Services ), which place pressure on employees to expedite the wire transfer. While it seems hard to believe, employees in multiple companies prepared wire transfers to new, first-time vendors, which is arguably the biggest red flag in the scheme. In one instance we looked at, the funds were wired to an overseas account a first for the victim company to a first-time vendor. Thus, the employee failed to recognize two bright red flags: the new vendor and the company s first international transfer of funds. 6 Getting the Money Another unique aspect of this scheme is that the fraudsters do not need the company s banking information to execute it. If successful, they will learn the company s bank and account information from the receiving bank, which will be reflected in the wire instruction when funds are deposited. The disclosure of bank account information to the fraudsters could lead to additional exposure for both the company and the bank. To retrieve the funds, fraudsters open a bank account with a small deposit seven to ten days prior to an attempt to execute a fraud. In most early instances of the scheme we saw, instructions were left at the receiving bank to transfer the funds to international accounts. Frequently, the money ends up in countries without an extradition treaty with the U.S. More recently, fraudsters have directed funds to accounts at domestic banks. In one instance that we investigated, the fraudster had funds from a foreign victim transferred to a bank in Miami. The fraudster then had the bank transfer a substantial portion of the deposited funds to a personal account in the same bank and withdrew $50,000 in currency before leaving the bank. Remarkably, bank officials were not suspicious of the customer who within days of opening an account with a $50 deposit was withdrawing $50,000 in cash--the proceeds of a wire transfer from a foreign business entity. (The use of a domestic bank suggests some iterations of the fraud now use a straw man to open and empty accounts, which is a significant, and less sophisticated, mutation of the original scheme.) In another domestic example, the fraudster requested the victim entity to transfer funds to the account of a legitimate yacht broker from whom the fraudster planned to purchase a small yacht. However, the victim company became suspicious of the wire transfer request prior to its authorization. While the use of domestic banks and middlemen potentially exposes fraudsters to law enforcement and increases the risk of being caught, they gain access to the funds more quickly. Additionally, unlike other fraud schemes (counterfeit checks, credit card fraud, identity theft), where typically the bank incurs the financial loss, the fraudsters in this scheme have rightfully concluded that banks are extremely reluctant to question transactions where they have no loss exposure. WHAT CAN VICTIMS DO? Once the wire transfer is complete, it is nearly impossible to reverse if the fraud is not detected almost immediately. And since the bank does not suffer any loss as long as it follows proper procedures, it has no incentive nor obligation to reverse the transaction. The only hope to recovering funds is a quick response. Fraudsters empty accounts within hours or, at the latest, days after the completion of the transfer. Victim companies must react by notifying their bank s fraud

8 7 unit and requesting the immediate recall of the wire transfer and freezing accounts with balances. Bank protocols permit the freezing of accounts where funds from suspected fraudulent activity have deposited. Account holds usually require a bank to indemnify another bank. The victim company should also file complaints with local and federal law enforcement, FBI or Secret Service, as this may be required as part of an insurance claim. As first-responder investigators, we also advise companies to review past transfers in case an earlier fraudulent wire had gone through undetected. Protecting Yourself All types of companies need to take proactive measures to protect themselves from this type of fraud. Mid- to large-size companies are more typically targeted as they routinely transfer hundreds of thousands of dollars to third parties that are unfamiliar to accounting staffers. However, smaller companies are not immune, and they are particularly vulnerable to this fraud as a significant loss may severely impact their ability to continue operations. The first step to prevent against becoming a victim is to review wire transfer protocols, both internally and with the bank. Companies must insist that banks have a call back protocol and adhere to it regardless of how difficult it may be to reach the designated official. Internally, companies need to review their controls relating to payments and wire transfers and consider a higher level of authorization for disbursements to first time vendors. For example, this could mean designating an official who owns each vendor and requiring that accounting staff contact the appropriate official before transferring funds. Companies also need to arm against phishing attacks and social engineering. Education and training to help employees recognize these techniques is the best defense. For companies that use or allow Google Docs or Gmail, enabling Google s 2-Step verification, also known as two factor authentication, will prevent an outside party from logging into Google without a requisite authenticator token. However, while a successful attack using Google 2-Step login code has not been reported, fraudsters often change tactics as defenses evolve. A higher barrier to prevent unauthorized access into Google Apps is the use of a third party SSO or SAML provider, such as Ping Identity, Centrify, and others 2. These services allow for a much stronger login system into Google applications, restricting login based on location, device, as well as tokens. Not only do these services increase the complexity required for an attacker to gain access to corporate , they allow the login portal to be customized, making it difficult for an attacker to anticipate and mimic on their phishing page. Fraudsters involved in this scheme have successfully targeted all types of companies, so no one is safe. The more successful they are, the more the scheme is likely to grow. Review your vendor protocols and financial controls as well compliance policies. Most importantly, regularly train and encourage employees to recognize red flags and question suspicious requests. An employee that senses something is wrong is usually right. 2 These SAML (security assertion markup language) and SSO (single sign-on) services operate instead of the Google Apps login page and are highly configurable, making access to a corporate webmail platform much more difficult when attempted by an unauthorized user without the necessary components, such as access to corporate authentication tokens, laptops, networks, or geographic location.

9 Contacts Authors: Anthony Valenti, Managing Director Stephen Korinko, Vice President +1 (212) Other contributors: Anthony Fung, Vice President Daniel Blank, Digital Forensic Examiner About Stroz Friedberg, LLC We are a global leader in investigations, intelligence, and risk services. To help our clients manage risk, we have assembled a collection of the brightest minds in the fields of Digital Forensics, Incident Response, Security Science, Intelligence and Investigations, Data Discovery, Forensic Accounting, and Compliance. Together, we are driven by a defining purpose: seeking truth for our clients. Learn more at BOSTON CHICAGO DALLAS HONG KONG LONDON LOS ANGELES MINNEAPOLIS NEW YORK SAN FRANCISCO SEATTLE WASHINGTON, DC ZURICH 2014 Stroz Friedberg. All rights reserved.