An all-too-common cyber-crime today is spoofing, which is the practice of deceiving people into believing that an email or website originates from a source it does not. In a recent case we are investigating, the perpetrator substituted a number for a letter in the URL so that it mimicked the legitimate URL, in the hope that the recipient wouldn’t notice and would click on the fraudulent link.
The email in question contained a URL in which the letter “o” had been replaced by the number “0”, and it asked the recipient to reply with banking information. For example, it would be like swapping a “0” for the “o” so that a web address reads www.hal0ck.com, and hoping the recipient didn’t notice.
Luckily, the recipient was vigilant: they noticed that the number “0” was out of place, did not click on the link, and avoided a potentially disastrous situation. But that’s not the end of the story. The investigation is for a multi-billion dollar corporation with satellite offices around the world. This scam was aimed at one of those remote locations, and we were called in to investigate who was trying to defraud them.
In reviewing a situation like this, we view it as a crime scene and investigate it as such – collecting as much evidence as we can.
The following were the recommended steps to examine the situation:
- Review all financial information and check for anomalies on accounts receivables.
- In an effort to prevent any other organizations from being impacted, active clients were notified of the potential scam and told that they would never be contacted via email for sensitive information such as banking information.
- Advanced packet capture technology was implemented to gain better insight into all internet traffic.
- Review application logs for both financial and email systems, to look for anomalies.
- Review email history and content to determine whether the intelligence required for the fraud attempt could have been gathered through email reconnaissance alone.
- Review a list of all personnel who had access to accounts receivable data, and note relevant information such as unusual spending, new employees hired without background checks, recent departures from the organization, etc.
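As an added example (not part of the original post, and not the investigators' own tooling), the following Python shows the check that underlies both the “o”-to-“0” substitution described above and the email-history review in the step list: normalize the legitimate domain and each observed sender domain through the same confusables table so that digit-for-letter swaps collapse to one string, then run that comparison over mail log lines. The confusables table, the log line format and the sample lines are assumptions constructed for this example, and halock.com is taken as the legitimate domain that the post's hal0ck.com imitates.

```python
"""Flag sender domains that imitate a protected domain once look-alike characters are normalized."""
import re
from typing import Dict, Iterable, List

# Single-character substitutions attackers use in place of letters. Both the
# protected domain and the observed domain go through the same table, so a
# match means "looks the same to a hurried reader", not "is the same".
# The table is an assumption for this example; extend it for your environment.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "9": "g",
})

# Multi-character confusables that a translation table cannot express
# (e.g. "corn" reads as "com"). Applied before the single-character table.
_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Assumed legitimate domain that the post's hal0ck.com example imitates.
PROTECTED = ["halock.com"]

# Constructed mail log lines in an assumed MTA-style format; the msgid values,
# addresses and subjects are made up for this example.
SAMPLE_LOG = """\
Mar 03 09:12:01 mx1 smtpd[411]: msgid=A1 from=<ap@halock.com> to=<finance@remote.example> subject="Invoice 2231"
Mar 03 09:13:44 mx1 smtpd[411]: msgid=A2 from=<ap@hal0ck.com> to=<finance@remote.example> subject="Updated banking details"
Mar 03 09:20:10 mx1 smtpd[411]: msgid=A3 from=<news@vendor.example> to=<finance@remote.example> subject="Newsletter"
Mar 03 09:25:37 mx1 smtpd[411]: msgid=A4 from=<ap@halock.corn> to=<finance@remote.example> subject="Re: Invoice 2231"
"""

_FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def normalize_domain(domain: str) -> str:
    """Collapse a domain name to the visual 'shape' a reader perceives."""
    d = domain.lower().strip().rstrip(".")
    for pair, single in _PAIRS:
        d = d.replace(pair, single)
    return d.translate(_CONFUSABLES)


def classify_domain(domain: str, protected: Iterable[str]) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for one sender domain."""
    domain = domain.lower().rstrip(".")
    for good in protected:
        good = good.lower()
        if domain == good:
            return "exact"
        if normalize_domain(domain) == normalize_domain(good):
            return "lookalike"
    return "unrelated"


def scan_mail_log(lines: Iterable[str], protected: Iterable[str]) -> List[Dict[str, str]]:
    """Extract the envelope sender domain from each log line and return look-alike hits."""
    protected = [p.lower() for p in protected]
    hits = []
    for line in lines:
        match = _FROM_RE.search(line)
        if not match:
            continue  # line carries no sender; nothing to classify
        domain = match.group(1)
        if classify_domain(domain, protected) == "lookalike":
            hits.append({"domain": domain, "line": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_LOG.splitlines(), PROTECTED):
        print(f"LOOKALIKE {hit['domain']}: {hit['line']}")
```

Exact matches are deliberately reported separately from look-alikes: an exact match on the legitimate domain still needs the usual SPF/DKIM checks, while a look-alike match is a registration the organization does not control and is worth an alert on its own. The multi-character pairs can produce false positives for legitimate domains that happen to contain “rn” or “cl”, so review hits rather than blocking on them automatically.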
While this investigation is ongoing, we have already learned a great deal:
- The organization needed better logging, especially application and database logs, and that logging needs to be centralized.
- The organization lacks appropriate network forensic tools.
- Remote offices require special considerations in the absence of strong local security staff.
While it appears that the scammers didn’t get away with the financial treasure they were seeking, the attempt still cost the organization. As their trusted security partner we want to be sure that they have the appropriate controls in place so that the next time an attempt is made (large corporations with intellectual property are always being targeted), they are prepared to deal with it.
Stay tuned for updates to this ongoing investigation!