Need help defeating wire fraud.
March 30, 2014 1:21 AM
My company and industry are under widespread and sophisticated B2B wire fraud attack. Help me locate the vector or mechanism, please.
Since the beginning of January, attackers have attempted fake invoice fraud on my company twice and at least five other companies (some multiple times). The attacks have increased in frequency in the last week. The amounts of money are not inconsiderable with each transaction valued between USD low six to mid seven figures.
The attacks are all identical. The attacker intercepts an email with an invoice to a client to be paid in the near future. Very soon after (+/- one to two hours) the attacker sends a spoofed email resending the invoice that has been doctored to contain "new" banking instructions. In most cases the attacker advises the client to see the "new" banking details giving some plausible reason for the change, and in at least one case the attacker has waited a few hours then sent another spoofed email with the "new" banking details in the body of the email rather than in the attachment. I've found four recipient banks across Asia and Europe.
For background, our industry is a specialized commodities industry operating internationally and that works on 30 days unsecured credit terms issuing invoices via emailed pdf. The six of us that have been attacked have little in common; we range in size from Fortune 50-size companies to companies with 20 employees. The identified target companies are in the US and the EU. Our IT infrastructures are doubtless dissimilar but obviously have at least one thing in common, the presumptive proximal vector (e.g., Outlook). The distal vector could be any number of industry associations or vendors with our collective email addresses, if my presumptions are correct.
However, my IT systems - computers, servers of various sorts, hosted email - are squeaky clean, as are those of at least one of our much larger competitors, and we did full-scale pen testing the first time it happened. No one has isolated the mechanism of attack. My best guess is a malware package inserted by email that dials home, sucks up all email traffic, and then deploys some sorting algorithm to select timely targets. But who the hell knows.
We'll probably never find the original vector, but any guesses welcome. The main thing I want to do is figure the mechanism of attack. Where to look? What to look for? What kind of credentials would a consultancy need to help us?
Sock puppet account of long-term user for obvious reasons. I'll be around to answer questions as much as I can without threadsitting or compromising what little anonymity this askme has.
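One defensive check for the pattern the poster describes (a legitimate invoice email followed within an hour or two by a "resend" of the same invoice with different bank details, often from a look-alike sender): correlate inbound messages by invoice number and alert when the bank account or sender changes inside a short window. This is an added example, not code from the poster or any consultancy; the two messages, the `INV-` invoice-number format and the IBAN regex are constructed assumptions for the demonstration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample traffic (not real mail): the genuine invoice, then a
# spoofed resend ~90 minutes later from a homoglyph domain ("suppIier" with a
# capital I) carrying "new" banking details, as in the pattern described above.
SAMPLES = [
"""From: billing@example-supplier.com
To: ap@example-buyer.com
Date: Mon, 24 Mar 2014 09:00:00 +0000
Subject: Invoice INV-1042

Please remit payment for INV-1042 to IBAN DE89370400440532013000.
""",
"""From: billing@example-suppIier.com
To: ap@example-buyer.com
Date: Mon, 24 Mar 2014 10:30:00 +0000
Subject: RE: Invoice INV-1042 - updated banking details

Our bank account has changed following an audit. Please use the new
details for INV-1042: IBAN GB29NWBK60161331926819.
""",
]

INVOICE_RE = re.compile(r"\bINV-\d+\b")                    # assumed invoice format
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # loose IBAN shape

def flag_suspect_resends(raw_messages, window=timedelta(hours=3)):
    """Return (invoice, sender, reasons) for resends that change bank details
    or sender shortly after a prior message about the same invoice."""
    seen = {}      # invoice number -> (timestamp, sender address, IBANs seen)
    alerts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        body = msg.get_payload()
        ts = parsedate_to_datetime(msg["Date"])
        sender = parseaddr(msg["From"])[1].lower()
        ibans = set(IBAN_RE.findall(body))
        for inv in set(INVOICE_RE.findall(msg["Subject"] + " " + body)):
            if inv not in seen:
                seen[inv] = (ts, sender, ibans)   # first sighting sets the baseline
                continue
            prev_ts, prev_sender, prev_ibans = seen[inv]
            reasons = []
            if ibans and ibans != prev_ibans:
                reasons.append("bank details changed")
            if sender != prev_sender:
                reasons.append("sender differs")
            if ts - prev_ts <= window:
                reasons.append("resent within window")
            if len(reasons) >= 2:   # two independent signals before alerting
                alerts.append((inv, sender, reasons))
    return alerts
```

A real deployment would also compare the SPF/DKIM results in the headers and hold flagged payments for out-of-band verification with the supplier.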