Cybercrime only affects the big players? Certainly not! Last week, we witnessed live how an attacker – unfortunately successfully – defrauded the customers of a retailer and stole a considerable amount of money in the process.

What happened?

Previously unknown perpetrators forged purchase contracts from a medium-sized trading company and replaced the bank details given on the contracts with a different bank account. To this end, emails were forged and the victims were induced to make payments to the false bank account. The total loss was around 25,000 euros.

Analysis – How it came about

In our role as the company’s IT security officer, we carried out extensive research and supported the IT forensics. We can say with reasonable certainty that the email inbox used to send purchase contracts and invoices was temporarily taken over by the attacker. This enabled the attacker to manipulate the genuine purchase contracts that had been sent and – presumably with the help of an image editing programme – to insert the attacker’s bank details. The manipulated documents were then sent to the victims again.

The unsuspecting victims did not pay attention when making their transfers – and did not compare the false account holder with the letterhead of the purchase contracts. The perpetrators were not quite so thorough: although the footer of the purchase contract with the bank details was manipulated, the letterhead was not. An attentive customer could therefore have realised that something was wrong – especially as the name of the account holder clearly differed from the name of the retailer. An interesting aspect: the incorrect bank details are a German IBAN from an online bank. I am curious to see whether the perpetrator can be identified from this; if not, this should immediately raise questions about compliance with the KYC (Know Your Customer) rules on the part of the banking industry.
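The two indicators described above – an account holder that does not match the company in the letterhead, and bank details that differ from what the buyer already has on file for that vendor – lend themselves to an automated payee check before a transfer is released. The following Python is an added example, not code from the original post or from the company involved. The company names, the vendor master record and the manipulated IBAN are constructed sample values (the genuine IBAN is the widely published German test IBAN), and the mod-97 check only confirms that an IBAN is well-formed, not who owns the account.

```python
"""Payee check for bank details printed on a purchase contract or invoice.

Added example, not from the original post. It flags the two indicators the
incident describes: an account holder that does not match the company in the
letterhead, and bank details that differ from the vendor record the buyer
verified out-of-band. All names and IBANs below are constructed sample data.
"""
import re
import unicodedata
from dataclasses import dataclass


@dataclass
class DocumentFields:
    """Fields extracted from the document (e.g. by OCR or a PDF parser)."""
    letterhead_name: str   # company named in the letterhead
    account_holder: str    # account holder printed next to the IBAN
    iban: str              # IBAN printed in the footer


def normalize_name(name: str) -> str:
    """Comparison key: strip accents, case, whitespace and punctuation."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_name.lower())


def normalize_iban(iban: str) -> str:
    """Remove grouping spaces and upper-case the IBAN."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: proves the IBAN is well-formed, not who owns it."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                              # country code + check digits to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # letters A=10 ... Z=35
    return int(digits) % 97 == 1


# Constructed vendor master: bank details confirmed with the vendor out-of-band
# (e.g. by phone to a known number), keyed by normalized company name.
VENDOR_MASTER = {
    normalize_name("Muster Handel GmbH"): {
        "holder": "Muster Handel GmbH",
        "iban": "DE89370400440532013000",   # widely published German test IBAN
    },
}


def check_payment_details(doc: DocumentFields) -> list[str]:
    """Return the list of findings; an empty list means the details are consistent."""
    findings = []
    iban = normalize_iban(doc.iban)

    if not iban_checksum_ok(iban):
        findings.append("IBAN fails mod-97 checksum")

    # Indicator 1 from the incident: payee name does not match the letterhead.
    if normalize_name(doc.account_holder) != normalize_name(doc.letterhead_name):
        findings.append("account holder differs from letterhead company")

    # Indicator 2: bank details differ from what was verified with the vendor.
    vendor = VENDOR_MASTER.get(normalize_name(doc.letterhead_name))
    if vendor is None:
        findings.append("vendor not in master data; verify bank details out-of-band")
    else:
        if iban != vendor["iban"]:
            findings.append("IBAN differs from vendor master")
        if normalize_name(doc.account_holder) != normalize_name(vendor["holder"]):
            findings.append("account holder differs from vendor master")
    return findings


if __name__ == "__main__":
    genuine = DocumentFields("Muster Handel GmbH", "Muster Handel GmbH",
                             "DE89 3704 0044 0532 0130 00")
    # Constructed manipulated footer: holder and IBAN swapped, letterhead untouched.
    manipulated = DocumentFields("Muster Handel GmbH", "Max Mustermann",
                                 "DE17 1234 5678 0000 0000 01")
    print("genuine:    ", check_payment_details(genuine) or "OK")
    print("manipulated:", check_payment_details(manipulated))
```

The manipulated sample reproduces the pattern from the incident: the letterhead still names the retailer, while the footer carries a different account holder and an IBAN that is structurally valid but not the one on file. A payment run that blocks on any non-empty finding, and requires a call-back to a known phone number before a changed IBAN is accepted, would have stopped this transfer regardless of how the mailbox was compromised.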

Lessons Learned

There are two main topics to consider when analysing the situation:

  • How was the attacker able to take over the email inbox?
  • Why did the victims transfer the money without exercising due diligence?

As far as the takeover of the mailbox is concerned, the merchant cannot currently be accused of negligence: neither was the password used for the account too simple, nor was it used for more than one service – or even stuck on a Post-it note under the keyboard. Whether the attack was possibly directed against the email provider is still being investigated. There is also currently no information about the method used (e.g. a rainbow table attack or a brute force attack). It will certainly have to be scrutinised in retrospect why the email provider does not offer two-factor authentication.

On the subject of caution: we were able to speak briefly with one of the victims. He told us that he had already fallen for such a scam once. So for me, this is clearly an awareness issue. People need to be made aware of what attacks there are and how attackers try to steal money. Only then will potential victims be able to recognise such scams.

The police investigation may shed some light on this. Incidentally, I was there when the report was taken and found the police officer’s documentation of the offence very professional. Who a
