Recently, we encountered a very sophisticated phishing scheme at one of our financial services customers. We feel it is important to share the level of sophistication of the attempt, and how it was discovered in order to raise awareness and serve as a case study.
There are three actors in this scenario:
- Financial Services Firm: Receives bank wires on a regular basis for the facilitation of the purchase of products or services.
- End Client: A user that is purchasing the products or services.
- Broker: the person or company that is connecting the Financial Services Firm with the End Client.
Because both the broker and the financial services firm deal with each other as well as other brokers and firms on hundreds of transactions a day, we suspect a high level of social engineering was involved in this fraud attempt.
The attempt consisted of an email that appeared to be forwarded from the broker to the end client with wiring instructions. The forwarded email included what looked on the surface to be an email from the financial services firm complete with an actual employee’s name and a signature block that is identical to the one used by the financial services firm’s employee. The email referenced an actual transaction where all parties were involved.
Content from the actual email is below, with actor information removed:
Broker to End Client: “Read messages from the (financial services) company below, Looks like we are moving forwards and expected to close early smoothly.
Am currently handling a (service) for a client right now but we really need to move forward, email me back to know if you will be able to wire the balance of down payment to the (financial service) company today and I will forward the wiring instructions to you immediately.
I will be checking my email constantly to be able to respond to your email promptly.”
Forwarded Financial Services Firm to Broker included in the email to the end client: “Congratulations to your buyers for the purchase of the (service or product).
We are currently doing our final (service) process to close this (service or product) smoothly, as you already know we require the balance of down payment as signed on the contract be wired to us at their earliest convenience (Today if possible).
Please find attached the wiring instructions”
So the phishing artist here knew all three players in the transaction. The attachment in the email contained instructions to wire money to an actual Wells Fargo account. Three things gave this away as a fraud attempt.
- A change in the wiring procedures that seemed somewhat out of place.
- For all of the scheme’s sophistication, the grammar was poor and not typical for the actual players involved.
- The signature block of the financial services employee used a .corn (c o r n) instead of .com (c o m) for the email address; in many fonts the letters "rn" are nearly indistinguishable from "m".
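The .corn tell above is easy to miss by eye but simple to check mechanically. As an added example (not part of the original case study), the following Python flags sender and signature-block addresses whose domain collapses to a trusted domain once look-alike letter sequences such as "rn" for "m" are normalized; the trusted domains and the signature block are constructed sample values.

```python
import re

# Known-good domains this firm corresponds with (constructed sample values).
TRUSTED_DOMAINS = {"examplefinancial.com", "examplebroker.com"}

# Character sequences that look alike in common proportional fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

EMAIL_RE = re.compile(r"[\w.+-]+@[A-Za-z0-9.-]+")


def canonical(domain: str) -> str:
    """Collapse look-alike sequences so 'examplefinancial.corn' compares equal to 'examplefinancial.com'."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(header_from: str) -> str:
    """Extract the domain from a From: header value such as 'Jane Doe <jane@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_from)
    return m.group(1).lower().rstrip(".") if m else ""


def check_sender(header_from: str) -> str:
    """Classify a From: header or bare address as 'trusted', 'lookalike' or 'unknown'."""
    dom = sender_domain(header_from)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(canonical(good) == canonical(dom) for good in TRUSTED_DOMAINS):
        return "lookalike"          # e.g. examplefinancial.corn
    return "unknown"


def scan_text(text: str) -> list:
    """Find every address in a body or signature block and classify its domain."""
    return [(addr.rstrip("."), check_sender(addr)) for addr in EMAIL_RE.findall(text)]


# Constructed signature block mimicking the case above (hypothetical names).
SIGNATURE = """John Smith
Closing Coordinator
Example Financial Services
john.smith@examplefinancial.corn | (555) 010-0000"""

if __name__ == "__main__":
    for addr, verdict in scan_text(SIGNATURE):
        print(f"{verdict:9} {addr}")
```

Flagging a "lookalike" verdict for manual review catches exactly the substitution that exposed this attempt; it does not replace confirming changed wiring instructions by phone.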
This fraud is still under investigation, so the true source of the transaction details is unknown, but there are several possibilities:
- Public information: Transactions performed by the broker and financial services firm can be publicly known due to required filings by state and local governments.
- Social Engineering: Both the financial services firm and the broker are small enough in size that the pool of possible employees involved in a transaction like this is small and finite and could possibly be derived. Simple phone calls to each firm posing as the end client can put all the pieces together.
- Systems Hack: We have already ruled out the financial services firm, but there is a possibility that the broker’s email system could have been compromised.
If it had not been for the diligence of all parties involved, this fraud could easily have been perpetrated.
After researching this particular fraud attempt, we discovered that this is a known scam that started out by targeting executives in large companies. For reference, see the following: http://blog.phishlabs.com/targeted-wire-transfer-scam-aims-at-corporate-execs