bearmtnmartin
bearmtnmartin GRM+ Member and SuperDork
6/21/19 11:57 a.m.

I very nearly lost a lot of money to a scammer from Rwanda. They diverted a large wire transfer from my customer in Japan to a new Japanese bank account they set up to receive the funds. I was one click away from giving them the money, and a week later I am still a little shell shocked. It was an extremely professional and organized attack, and I suspect the same people who got the City of Burlington recently.

https://nationalpost.com/news/canada/city-of-burlington-ont-falls-for-503k-phishing-scam-investigations-underway

They inserted themselves into a conversation I was having with my customer, diverted his emails to the archive so I would not see them, and eventually casually notified me that the next payment would go to a different bank account. So to be clear, this was part of an existing email thread, and all the previous emails to my actual customer were still in the thread, and the email that showed up was the correct email. And to top it off, my customer owns a pump company and the new bank account was in the name of another reputable Japanese pump company. They went through my emails and built a knowledge base so they could reference other people and transactions and I was completely taken in. Only an alert bank teller (at the next wicket, not the one I was dealing with) smelled a rat as she overheard my conversation with the teller doing the transaction. 

So.... these guys are really good. Do not think it can't happen to you even though you think you are far too smart for that sort of thing. My tech support cannot tell me how they cracked my computer and my impossible to decipher 10 symbol (two week old!) Microsoft password, and I sure as hell did not click on anything strange, or open any suspicious attachments. 

I am not sure what other fallout there will be from this. I have email tracking and I see that some of my old emails are being opened in Africa. I am sure they copied all my info and sold it. I have told everyone I deal with, although no sensitive data was in my email other than names and addresses. I canceled every card I had and replaced them, and I am in the middle of notifying Trans Union and Equifax. Ironically they require payment to flag my account and I do not yet have new credit cards so I have not done this yet. 

What else should I be doing? How do I protect myself better? My email now has two factor verification which I strongly recommend to everyone.  (need to type in a code that is sent to my phone to gain access now.) If there is anything else I should be doing I want to do it.  And....be careful out there. 
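The mechanics described in the post above (mail from one counterparty silently moved to Archive so the owner never sees it, while the attacker replies from inside the real thread) are normally implemented with an inbox rule created in the compromised mailbox. The following is an added example, not code from this thread or from Microsoft: it audits a list of inbox rules for that shape. The record fields mimic the properties Exchange Online's Get-InboxRule cmdlet returns (Name, Enabled, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo, FromAddressContainsWords, SubjectOrBodyContainsWords), but the rules themselves are constructed for the demo and the domain names are placeholders.

```python
"""Flag inbox rules with the shape used in payment-diversion (business email
compromise) attacks: hide or delete mail from a specific counterparty, or
quietly copy mail about payments to an address outside the organisation.

Added example. The rule records below imitate the fields of Exchange Online's
Get-InboxRule output but are constructed; they come from no real mailbox.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Folders where attackers park diverted mail so the owner never notices it.
HIDING_FOLDERS = {
    "archive", "rss subscriptions", "rss feeds", "deleted items",
    "junk email", "conversation history",
}


@dataclass
class Finding:
    rule: str
    reasons: List[str]


def _folder_leaf(path) -> str:
    # Exchange reports folders as "user@example.com:\Archive"; keep the leaf.
    return path.split("\\")[-1].strip().lower() if path else ""


def is_external(address: str, internal_domains: Set[str]) -> bool:
    return address.split("@")[-1].lower() not in internal_domains


def audit_inbox_rules(rules: Iterable[Dict], internal_domains: Set[str]) -> List[Finding]:
    """Return one Finding per enabled rule that looks like BEC tradecraft."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        reasons = []
        # 1. Matching mail is moved somewhere the owner rarely looks.
        leaf = _folder_leaf(r.get("MoveToFolder"))
        if leaf in HIDING_FOLDERS:
            reasons.append(f"moves mail to {leaf!r}")
        # 2. Matching mail is deleted outright.
        if r.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        # 3. Hidden mail is also marked read, so no unread badge gives it away.
        if reasons and r.get("MarkAsRead"):
            reasons.append("marks mail as read")
        # 4. Mail is forwarded or redirected outside the organisation.
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in r.get(key) or []:
                if is_external(addr, internal_domains):
                    reasons.append(f"{key} to external address {addr}")
        # 5. A filter keyed on one sender or on payment language marks the
        #    rule as targeted rather than housekeeping.
        triggers = (
            (r.get("FromAddressContainsWords") or [])
            + (r.get("SubjectOrBodyContainsWords") or [])
            + (r.get("SubjectContainsWords") or [])
        )
        if reasons and triggers:
            reasons.append("filtered on " + ", ".join(repr(t) for t in triggers))
        if reasons:
            findings.append(Finding(r.get("Name") or "<unnamed>", reasons))
    return findings


# Constructed sample: one benign rule, two that match the attack pattern,
# one disabled rule that should be ignored. Domains are placeholders.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@vendor.example"],
     "MoveToFolder": "me@pumpco.example:\\Newsletters"},
    {"Name": ".", "Enabled": True,
     "FromAddressContainsWords": ["customer@jpump.example"],
     "MoveToFolder": "me@pumpco.example:\\Archive", "MarkAsRead": True},
    {"Name": "Sync", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire", "bank"],
     "ForwardTo": ["backup.mail@webmail.example"]},
    {"Name": "Old", "Enabled": False, "DeleteMessage": True},
]

if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES, {"pumpco.example"}):
        print(f"{f.rule!r}: " + "; ".join(f.reasons))
```

A one-character rule name like "." is itself a common sign of a rule the owner did not create. The same check belongs on the payment side too: any change of beneficiary account should be confirmed by phone on a number already on file, never by replying to the thread that asked for it.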

Slippery
Slippery GRM+ Member and SuperDork
6/21/19 12:03 p.m.

That’s scary. 

Was your password auto-generated by Microsoft? Or you came up with it?

GameboyRMH
GameboyRMH GRM+ Member and MegaDork
6/21/19 12:07 p.m.

Sounds like they broke into your computer itself or your email account before pulling off the meticulous impersonation attack. Maybe they got lucky with a brute-force attack on your email address, or backdoored your computer through a zero-day attack on a browser - those happen sometimes, there was one in Firefox just a few days ago. If it was your office computer and you're at a big company, it's understandable how you would've been targeted.

bearmtnmartin
bearmtnmartin GRM+ Member and SuperDork
6/21/19 12:12 p.m.

It is my personal laptop and no one has access except me. And the password was generated by the security company I use. It is a long random mix of numbers letters and symbols. 

I am not very techie and I do not know what a zero day attack is.

bearmtnmartin
bearmtnmartin GRM+ Member and SuperDork
6/21/19 12:13 p.m.

As far as I know they only got to my business email. But who knows. I am prepared for more unpleasant surprises. 

codrus
codrus GRM+ Member and UberDork
6/21/19 12:30 p.m.
bearmtnmartin said:

It is my personal laptop and no one has access except me. And the password was generated by the security company I use. It is a long random mix of numbers letters and symbols. 

I am not very techie and I do not know what a zero day attack is.

Generally speaking, software is intended only to let in people who have the correct credentials (passwords, etc), and the way that other people attack it is to find bugs that allow them to bypass the code that checks those credentials.  Reputable manufacturers will fix these kinds of bugs as soon as they know about them and push out patched versions to their customers, so the utility of a bug like this decreases the longer that it is known about.  A "zero day" attack is one that uses a "zero day" bug -- one that the manufacturer does not know about, and has therefore had zero days available in which to try to fix it.

2 factor authentication is a good backup, but be aware that text-message based 2FA is not really considered secure these days.  The problem is that the protocol the phone switches use to talk to each other is not secure, and so it's possible for an attacker to hijack the text messages as well. 

There are a bunch of other 2FA products out there which use an app you install on the phone, rather than relying on the text message system.    Google Authenticator is one, but there are a lot of others.

bearmtnmartin
bearmtnmartin GRM+ Member and SuperDork
6/21/19 12:36 p.m.

Thank you for the explanation.

dculberson
dculberson MegaDork
6/21/19 12:38 p.m.

This is really terrifying. I know they do targeted phishing attacks (“spear phishing”) but did not know they went to this extent for a single relatively small target. I know I need to up my security game. 

bearmtnmartin
bearmtnmartin GRM+ Member and SuperDork
6/21/19 12:47 p.m.

In reply to dculberson :

It was $81,000.00. There were enough references to large payments in my emails that I was probably worth a little extra effort. I still have no idea how some guy in Rwanda sets himself up a company account at a reputable Japanese bank.

(not) WilD (Matt)
(not) WilD (Matt) Dork
6/21/19 1:28 p.m.

Something isn't quite adding up.  You mention a personal laptop, a microsoft account, and an email breach.  What email service/product are you using?  I suspect a breach of the email server, not necessarily your laptop.

And the password was generated by the security company I use.

A third party generated a password for you?  This sounds sketchy at face value.  How does this work?  How was this password communicated to you?

bearmtnmartin
bearmtnmartin GRM+ Member and SuperDork
6/21/19 1:36 p.m.

In reply to (not) WilD (Matt) :

Outlook 365 which is a Microsoft product. The tech guy came up with the password on his computer and punched it into mine, and I took a photo of it to remember it. 

nderwater
nderwater UltimaDork
6/21/19 1:39 p.m.

Thanks for sharing your story. Awesome news that you were warned in time!

Datsun310Guy
Datsun310Guy UltimaDork
6/21/19 1:43 p.m.
The0retical
The0retical UberDork
6/21/19 2:14 p.m.

In reply to bearmtnmartin :

That's a pretty sophisticated attack.

Someone mentioned it already but SMS is subject to a SIM-swap attack. That's likely how Reddit was attacked a few years ago.

Physical keys or token based authentication are, at the moment, the best way around this. Even with that RSA has a couple known flaws.

Streetwiseguy
Streetwiseguy MegaDork
6/21/19 8:48 p.m.

Is it possible the breach was at the other end?  A dude with a single computer would generate less scammy info than, say, a large Japanese pump manufacturer.  I'm probably wrong, but I don't worry a great deal about my stuff.  I figure the Royal Bank of Canada will probably be a better target, and I might get caught up in the fallout, but its hardly worth hacking me.


Also- A friend of mine in the computer business deciphered the very same diverted payment thing for a client of his a year or two ago. Too late, I think, in that case.

Brett_Murphy
Brett_Murphy GRM+ Member and UltimaDork
6/21/19 9:47 p.m.

Ten characters isn't that long of a password any longer.

I know a lot of older systems can't handle long passwords, but the more characters your password has, the better.

Jerry From LA
Jerry From LA SuperDork
6/21/19 11:51 p.m.

If they broke into your phone, they saw the pic you took of the password.  Or the pump company was the original target and they phished around until they found a transaction that was about to drop.

OHSCrifle
OHSCrifle GRM+ Member and SuperDork
6/23/19 8:25 a.m.

It’s damn scary.

A similar thing happened to a project manager at my company as well. An email conversation was “interrupted” and the messages diverted somehow. A wire transfer was redirected (client didn’t call and question the request to use a new bank mid project - but it was based on email from my PM so it’s understandable). Luckily, a banker in Hong Kong flagged the transfer and stopped the payment. We still spent $60k in legal fees to recover $280k. 

This was investigated and attributed to the PM's corporate login username and password being lifted at an airport... "free WiFi". It could also have been somebody looking over his shoulder or even recording to steal the same thing.

The worst part of the scenario above is once the corporate username and password were stolen, the hackers also went into Workday (HR software) and redirected his direct deposit - paychecks - to another bank. That was an extra fun discovery. 

...We now have 2 factor authentication for any network login from outside of the company network. 
