Cybercrime only affects the big players? Certainly not! Last week, we witnessed live how an attacker – unfortunately successfully – defrauded the customers of a retailer and stole a considerable amount of money in the process.

What happened?

Previously unknown perpetrators have forged purchase contracts from a medium-sized trading company and replaced the bank details given on the contracts with a different bank account. To this end, emails were forged and the victims were induced to make payments to a false bank account. The total loss was around 25,000 euros.

Analysis – How it came about

As the company’s IT security officer, we carried out extensive research and supported the IT forensics. We can say with reasonable certainty that the email inbox used to send purchase contracts and invoices was temporarily taken over by the attacker. This enabled the attacker to manipulate the genuine purchase contracts sent and – presumably with the help of an image editing programme – to add the attacker’s bank details. The documents were then sent to the victims again.

The unsuspecting victims did not pay attention when making their transfers – and did not compare the false account holder with the letterhead of the purchase contracts. The perpetrators were not quite so perfect: although the footer of the purchase contract with the bank details was manipulated, the letterhead was not. An attentive customer could therefore have realised that something was wrong – especially as the name of the account holder clearly differed from the name of the retailer. An interesting aspect: the incorrect bank details are a German IBAN from an online bank. I am curious to see whether the perpetrator can be identified from this; if not, this should immediately raise questions about compliance with the KYC (Know Your Customer) rules on the part of the banking industry.
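The comparison described above (footer bank details versus letterhead, and versus what the payer already knows about the vendor) can be turned into an automated check on the paying side. The following is an added example, not code from the original post or from the company involved: it validates the IBAN checksum and then cross-checks account holder and IBAN against the vendor record captured at onboarding. All vendor names, the "tampered" account holder and the second IBAN are constructed sample values; `DE89 3704 0044 0532 0130 00` is the widely published example IBAN.

```python
import re

# --- IBAN validation (ISO 13616 mod-97 check) ---------------------------------

def normalize_iban(iban: str) -> str:
    """Strip whitespace and uppercase, e.g. 'de89 3704 ...' -> 'DE893704...'."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """Return True if the IBAN passes the ISO 13616 mod-97 check.

    Country code and check digits move to the end, letters become numbers
    (A=10 ... Z=35), and the result must be 1 modulo 97. This only proves the
    IBAN is well-formed; a fraudster's real account passes it just as well.
    """
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


# --- Payee cross-check against the vendor master record -----------------------

def _norm_name(name: str) -> str:
    """Casefold and collapse punctuation/whitespace so 'ACME GmbH.' == 'Acme GmbH'."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).casefold().split())


def check_invoice_bank_details(invoice: dict, vendor: dict) -> list:
    """Compare bank details printed on an incoming document with the details
    the payer verified out-of-band when the vendor was onboarded.

    invoice: {"letterhead_name", "footer_account_holder", "footer_iban"}
    vendor:  {"name", "iban"}
    Returns a list of findings; an empty list means no red flags.
    """
    findings = []
    footer_iban = normalize_iban(invoice["footer_iban"])
    if not iban_checksum_ok(footer_iban):
        findings.append("IBAN fails mod-97 check (typo or tampering)")
    if footer_iban != normalize_iban(vendor["iban"]):
        findings.append("IBAN differs from the vendor master record")
    holder = _norm_name(invoice["footer_account_holder"])
    if holder != _norm_name(invoice["letterhead_name"]):
        findings.append("account holder in footer differs from letterhead name")
    if holder != _norm_name(vendor["name"]):
        findings.append("account holder differs from vendor master record")
    return findings


# --- Constructed sample data (not the real parties from the incident) ---------

VENDOR_RECORD = {
    "name": "Musterhandel GmbH",                 # constructed vendor name
    "iban": "DE89 3704 0044 0532 0130 00",       # published example IBAN
}

GENUINE_CONTRACT = {
    "letterhead_name": "Musterhandel GmbH",
    "footer_account_holder": "Musterhandel GmbH",
    "footer_iban": "DE89 3704 0044 0532 0130 00",
}

# Footer swapped to a different (checksum-valid, constructed) account while the
# letterhead was left untouched, mirroring the pattern described in the post.
TAMPERED_CONTRACT = {
    "letterhead_name": "Musterhandel GmbH",
    "footer_account_holder": "M. Beispiel",      # constructed account holder
    "footer_iban": "DE62 3704 0044 0532 0130 01",  # constructed, mod-97 valid
}


if __name__ == "__main__":
    for label, doc in (("genuine", GENUINE_CONTRACT), ("tampered", TAMPERED_CONTRACT)):
        print(label, check_invoice_bank_details(doc, VENDOR_RECORD) or "no findings")
```

The design point is the second half: a checksum-valid German IBAN, as in this incident, sails through format validation, so the control that actually catches the fraud is the comparison of account holder and IBAN against a record the payer established independently of the document in front of them. A change in either should route the payment to manual confirmation via a known phone number, never via the contact details on the document.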

Lessons Learned

There are two main topics to consider when analysing the situation:

  • How was the attacker able to take over the email inbox?
  • Why did the victims transfer the money without exercising due diligence?

As far as the takeover of the mailbox is concerned, the merchant cannot currently be accused of negligence: the password used for the account was neither too simple nor reused for another service, let alone stuck on a Post-it note under the keyboard. Whether the attack was possibly directed against the e-mail provider is still being investigated. There is also currently no information about the method used (e.g. rainbow table attack or brute-force attack). It will certainly have to be scrutinised in retrospect why the email provider does not offer the option of using two-factor authentication.

On the subject of caution: We were able to speak briefly with one of the victims. He told us that he had already fallen for such a scam once. So for me, this is clearly an awareness issue. People need to be made aware of what attacks there are and how attackers try to steal money. Only then will potential victims be able to recognise such scams.

The police investigation may shed some light on this. Incidentally, I was there when the report was taken and found the police officer’s documentation of the offence very professional. Who a
