Thought leadership. threat analysis, news and alerts.
Another Canadian City Falls Victim to Phishing Email, Loses Half a Million Dollars as a Result
The City of Burlington, Ontario recently revealed that it fell victim to a phishing email, resulting in the loss of the City’s funds worth half a million dollars.
In a statement, the City of Burlingtonsaid that phishing email was sent to City staff requesting for the change of the banking account information of an established City vendor. As a result of the phishing email, the City said, a single wire transfer of funds worth approximately half a million dollars was sent to the bank account controlled by an unknown attacker or attackers last May 16.
The City said it only discovered it was a victim of fraud last May 23. The cyber incident has been reported to authorities and criminal investigations are underway by the appropriate authorities, the City said.
What Is Phishing Email?
Phishing emails are malicious emails used by cyber-attackers to launch attacks against their victims. Traditional phishing email contains a malicious attachment, that is, when clicked, downloads and installs malware into the victim’s computer. Traditional phishing email may also contain a malicious link, that is, when clicked leads to a malicious website that hosts malware and from there, the malware is downloaded and installed into the victim’s computer.
In recent years, cyber-attackers have weaponized the emails to commit fraud, known as Business Email Compromise (BEC). BEC attackers target small, medium and large organizations, as well as individuals. Prior to sending the phishing emails, BEC attackers monitor and study their selected victims.
Targeted organizations and individuals are those that regularly perform wire transfer payments. In a BEC attack, an email address of a high-level employee or an executive involved with wire transfer payments are either spoofed or compromised, resulting in the loss of funds.
According to the Federal Bureau of Investigation (FBI), as of July 12, 2018, BEC became a 12 billion dollar scam. The FBI said that from October 2013 to May 2018, a total of 78,617 BEC incidents were reported worldwide, with loss to this scam amounting to US$12.5 billion.
In April this year, another Canadian city, the City of Ottawa, revealed that it fell victim to a similar attack. Based on the report released by the Office of the Auditor General of the City of Ottawa, on July 6, 2018, the City Treasurer received an email which appeared to be from the City Manager.
This email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 be processed for the completion of an acquisition. On the same day the spoofed email was received, with the City Treasurer’s approval, US$97,797.20 was sent to the bank account controlled by malicious actors.
The said amount was transferred from one bank account to another, with a portion of the amount ending up in one of the bank accounts monitored by the U.S. Secret Service. The City of Ottawa was contacted by the U.S. Secret Service that the funds had been seized. The City of Ottawa, through its City Solicitor, filed a petition before the U.S. Government, asserting the City’s claim on the seized funds. It’s still unclear how much would the City of Ottawa eventually recover.
Spoofed and Compromised Emails
BEC attackers trick their victims into wiring funds into bank accounts they control by spoofing or compromising email accounts belonging to persons in authority, in particular, those in charge of approving the release of funds. Email spoofing refers to the sending of an email which is made to appear as though it was sent by someone other than the actual sender.
Many BEC attackers purchase a domain name similar to the target organization’s domain in order to own an email address that closely resembles the target organization, for instance, “xocompany.com” is similar to “xoc0mpany.com”. Attackers send this spoofed email hoping that the receiver wouldn’t notice the wrong email address.
Email spoofing can also be achieved by an attacker by manipulating the visible email header. Each email contains two headers, one visible and the other one that isn’t readily visible. The visible header shows the typical "From" which contains the email address of the sender.
This visible header can be changed by the attackers, that is, it can show a correctly-spelled email address that’s familiar to the email receiver. If the email receiver checks the not readily visible header, also known as “SMTP envelope”, the real email address of the malicious sender can be seen.
BEC attackers also launch their phishing emails by compromising legitimate emails, for instance, an email address of the organization’s CEO. BEC is also known as “CEO scam” because of the growing spoofing and compromised of CEO emails.
In a compromised email, the attackers gain total access to a legitimate email account. One way an attacker gains unauthorized access to a legitimate email is through another phishing email, tricking the victim to click on the malicious attachment or link, resulting in the installation of malware into the victim’s computer.
An example of malware is the keylogger – a type of malware that records every keystroke made by a computer user, capturing information such as usernames and passwords to emails and sending these data remotely to the attackers. Armed with these stolen login details, attackers can then access the victim’s email. From this compromised email, attackers can send an email ordering a lower-ranked employee in charge of releasing funds to proceed with the bogus wire transfer.
When you need assistance protecting your business from phishing attacks, help is a phone call away. Connect with ustoday and take a step forward to better cybersecurity posture.
Steve E. Driz, I.S.P., ITCP