Picture this: an administrative assistant to a vice president at a multinational company receives an email directing her to process a particular invoice. Because the invoice is hosted on a file-sharing service, and given the volume of spam email, the assistant might have hesitated. However, a few minutes later she receives a phone call from another vice president within the company, instructing her to examine and process the invoice.
As you might have guessed, the invoice was a fake, and so were the 'vice presidents' behind the email and the call. Fooled by the call, the assistant opened the invoice, which installed a Remote Access Trojan (RAT) on her computer and gave the attacker control of the infected machine inside the company's network. The theft of funds that followed took several more steps.
Once the system was infected with the RAT, the attacker retrieved identifying information about the organisation's bank and telecom providers, including its disaster recovery plans. Using this data, the attacker impersonated a company representative and called the organisation's telecom provider. They passed the provider's identity checks, claimed that a physical disaster had occurred, and asked for all of the organisation's phone numbers to be redirected to attacker-controlled phones.
Immediately after the redirection took effect, the attacker faxed a request to the organisation's bank for multiple large-sum wire transfers to numerous offshore accounts. As this was an unusual transaction, the bank representative called the organisation's number on record to validate it. The call was redirected to the attacker, who approved the transaction. The bank's callback was the right control, but it assumed the number on record still reached the customer; the attacker had taken over that channel before submitting the request.
The funds were transferred to multiple offshore accounts and then laundered further through other accounts and monetary instruments. The company had been 'Francophoned'.
While this might sound like the script of a heist movie, the reality is that cyber-crime is getting more sophisticated and discreet by the day. Attacks that combine spear-phishing email with fraudulent phone calls in this way are becoming increasingly common.
Because the first such cases were identified in France in April 2013, the campaign was dubbed 'Francophoned'. India ranks sixth among the top ten countries infected by this RAT, alongside the US, UK, Germany, Netherlands, Canada, Australia, Mexico, France and Brazil.
“In May 2013, Symantec Security Response published details on the first attacks of this type targeting organizations in Europe. Further investigations have revealed additional details of the attack strategy,” Shantanu Ghosh, VP & MD, India Product Operations, Symantec, said.
The Trojan used in these attacks is W32.Shadesrat, also known as Blackshades, which is publicly available and can be licensed for as little as $40 to $100 a year. In June 2012, as part of a global sting operation carried out by the FBI, one of the contributors to the Blackshades project, Michael Hogue, was arrested. However, the RAT is still under active development and shows no sign of going away any time soon.
The victims of these attacks tend to be accountants or employees in the finance department of an organisation. Since handling invoices is something they do on a regular basis, this lure can be quite convincing. These employees may also have the authority to authorise transactions on behalf of the organisation, which makes them valuable targets if the attacker can obtain the certificates required for online banking or confidential bank account information.
According to Symantec Corporation's and the Ponemon Institute's '2013 Cost of Data Breach Study: India', the average number of breached records in the past year was 26,586, with Indian organisations losing approximately Rs 2,271 per breached record.
Financial losses in such cases can be averted by having appropriate checks and measures in place. Ghosh says there are some best practices that all organisations should follow to reduce data breach risks and mitigate their impact on the organisation's reputation and bottom line. These include taking a strategic approach by deploying technologies that enable policy compliance and enforcement, implementing two-factor authentication, and educating employees on information protection policies and procedures, then holding them accountable.
Employees working with very sensitive information should store it in a secure location, ensure that it is encrypted, and access it only from a fully patched computer with adequate security solutions in place.