It all started with a simple email message directing a VP's administrative assistant to deal with a particular invoice. Given that the invoice was hosted outside the company, on a file-sharing site, the admin might have hesitated. However, minutes later that same assistant got a phone call purportedly from another VP urging her to expedite the invoice. Fooled by the fraudulent phone call, she opened it, thereby releasing a RAT within the company network. The aggressive combination of spear-phishing email and fraudulent phone call caught the interest of Symantec researchers; they dug deeper and found more, and worse, attacks on other French companies.
In a blog post released today, Symantec revealed how attackers managed to defeat all of one company's protections against unauthorized money transfers. It really does read like the script for a heist movie.
For starters, they used the double-pronged social engineering attack described above to load a RAT onto the PC of an administrator's aide. The RAT harvested company information, including the company's disaster plan and its telecom provider details. Using the stolen information, the crooks invoked the disaster plan, claiming a physical disaster. This let them redirect all of the organization's phones to a new set of phones under their control.
Next they faxed a request to the company's bank for multiple large fund transfers to offshore accounts. Naturally the bank representative called to confirm; the crooks intercepted the call and approved the transaction. As soon as the money showed up in those offshore accounts, they siphoned it out. Mischief managed!
Symantec discovered quite a few other cases, many of them much less elaborate. For example, one attacker simply called the victim and stated that regular maintenance required disabling two-factor authentication for fund transfers temporarily. Another informed the victim that computer upgrades required a "test" fund transfer; the "test" actually wired real funds to an offshore account. Clearly gullible humans are the weak point in many security systems.
Knowing that this kind of chicanery was taking place, the Symantec team managed to get a lead on an in-process operation, a caper they dubbed "Francophoned." They managed to trace the command-and-control traffic through Ukraine to IP addresses originating in Israel.
Analyzing the IP addresses used, they noticed two oddities. First, the addresses came from a block assigned specifically to MiFi cards—GSM cellular radios that can be used to provide Internet access via the cellular network. Second, they were constantly changing, meaning that the bad guys were driving around, passing different cell towers. The telecom couldn't triangulate a moving target, and the MiFi connections were apparently anonymous and prepaid, so there was no way to catch the crooks.
I can't wait for the movie version!