We have repeatedly countered the argument that people don’t have anything to hide and can comfortably ignore the privacy threats on the Internet. That’s a very unwise attitude, and here are some more examples of why.
We have also talked a lot about on-line scams and how to avoid them. A key challenge for any scammer is to be trustworthy in the eyes of the victim. And this is where your data enters the picture. I have written a story about how a scammer can be more convincing if he knows your travel plans. Let’s cover a more business-oriented case this time.
A controller at a firm in Omaha, Nebraska received e-mails from the CEO asking him to make a series of money transfers to China, and he transferred a total of $17.2 million. Yes, you guessed it. The sender was not the CEO, and a scammer made a nice profit.
The obvious lesson we learn in both these cases is naturally that mail isn’t trustworthy. Mail itself does not provide any kind of sender authentication; the sender address is easily faked. Authentication of the other party must rely on the mail contents, a cryptographic signature, or information that only the perceived sender can know. And this leads us to the less obvious lesson we can learn here.
It looks like the Omaha scammer had information about the victim. He knew who could handle money transfers. He also knew that the CEO had some business in China, which made the transfers sound legitimate. He probably also knew that this person didn’t meet the CEO face to face daily, as that would have ruined the scam. Part of this info is publicly available, like the name of the CEO. We don’t know how he got hold of the rest, but it is obvious that it helped the scammer.
So here we have an excellent example of how criminals can utilize tiny grains of info to scam huge piles of money. But what should this Omaha company have done differently? The controller should have called the CEO to verify the transactions. The company should analyze what info the scammer had and go through their security policies. And that is pretty much what private persons should do too. Learn to think critically when someone approaches you by mail, and verify the sender if in doubt. Also guard all your data to make this kind of targeted attack as hard as possible.
This company responded by firing the controller. That’s not an option for you if you fall for a scam and let go of your own money.
PS. Was it right to fire the controller? Hard to say. Part of the responsibility naturally lies with the one who was gullible enough to trust an e-mail. But it also depends on whether the company had proper rules in place for validating transfer requests. Did he break any concrete rules when sending the money? If he didn’t, then the company is responsible too.
Photo by Images Money