How Cybercriminals Profit by Tapping Your Email (easydns.com)
110 points by StuntPope on Nov 20, 2019 | hide | past | favorite | 30 comments



I've accidentally executed this tactic on myself - no red flags were raised and funds were received.

Being owed a sizable wire from a corporate entity, I requested payment to an account via my personal email (<name>@<name>.co). As they were validating/processing that, I opened up a new bank account that can receive wires with no fees. I then sent them an email with the new information, and a couple weeks later received the funds in my new bank account without any friction. What no one brought up was the fact that the email with the new information was from <name>@<name>.com, as I had transitioned from .co to .com in the meantime. The attack vector highlighted in this article is definitely under-guarded.


So many in tech were speaking up about how bad of an idea it would be to add .co when it was announced; a totally foreseeable problem.


They were speaking up about adding a TLD for Colombia?



Why not just use the approach that banks use? Rather than admit that you got tricked, invent the concept of "identity theft" and blame the intended recipient.


This is why all my invoices and my first contact with my clients’ accountants always make them aware of the problem and ask them to confirm any account details changes out-of-band via another medium (Slack, phone, etc).

It won’t help if the attacker spoofs the first invoice but hopefully will raise alarms if future invoices are spoofed and contain different bank details. I guess it could also give me a legal argument that I’ve explicitly made them aware of this risk and that they should’ve known better and that they still owe me money and should pay again (as the first time they haven’t actually paid me but the attacker).


Forwarded this to my boss because I’m not sure how to handle this. There are many, maybe hundreds, of cash real estate transactions happening in my state daily.

I think perhaps in the signature line of our email, we need to implore that last-minute or unexpected changes to the original plan, especially involving wire transfers, be verified over the phone.


I wonder whether asking for verification over the phone would lead to SIM swaps. Though faking someone's voice would be more difficult.



Doesn't matter. The second channel is what creates the additional layer of security.

Eventually SIM swap attacks may get more common and a third channel (or two better channels than email + phone system) may be necessary.


Cryptographic signatures would solve this if implemented correctly, but I know zero people that utilise it and I work in infosec.


Am I right when I say this is where a solution like https://keybase.io helps with its cryptographically verified identities and messages?


I don’t use keybase but I’m pretty sure it’s a central location. If it is, and it’s manual, it will work in theory, but in practice only crypto nerds will verify manually, so the entire thing would need to be automated.


And even if they did, people (being human) would still fall for fake change-of-public-key announcements.


Only if the behaviour reflects current functions. I imagine signatures similar to DKIM would work if they were more integrated into mail clients. Browsers could sign emails when using webmail; it would be a functional change to browser behaviour but could end up pretty generic (e.g. signing for email, forum posts, maybe even credential signatures, etc.).


Never ever wire money without second-channel verification of the destination account. You can lose all of it with no recourse.


Wires can be reversed in most circumstances, especially in cases of fraud, although it's a bit painful and can take some time.


Can you describe the process? As far as I've known, up until the moment the transfer occurs, the bank can indeed reverse it if they are suspicious. But the moment the other bank accepts the transfer, it is game over, and the delivery is complete and permanent.


The UCC[1] requires that wire transfers are reversible for 60 days, although only in very special circumstances (only fraud and bank error basically). The receiving (beneficiary's) bank is on the hook for collecting the money back from them.

In cases other than fraud and bank error, the timeline and process depends. Basically ask your bank really nicely, they'll ask the receiving bank really nicely, and if everyone agrees with your reasons (and the money is still there) you'll most likely get it back.

There has to be a way to reverse wires, otherwise if the teller fat-fingers an extra zero onto the end of your requested amount you'd be SOL.

[1] https://en.wikipedia.org/wiki/Uniform_Commercial_Code


Thanks for the description and the link. I recall being told bank criminals typically used transfers because they couldn't be reversed once completed - especially if the transfer went overseas. Maybe it came from an armchair expert, or confusion over the old Swiss numbered accounts, and just became "common knowledge" from there.


Depends which ones. UK Faster Payments are pretty much irreversible. Now the law says that it’s illegal to keep money not addressed to you (if someone fat-fingers the account number, for example), but it still doesn’t mean the transfer can be magically reversed; if you take out all that money immediately there’s nowhere to get the money back to reverse the transfer. Your only option is the law, which won’t work for an actual attacker who’d use a hacked account, stolen identity or money mule’s account.


I wonder why it wasn't possible in the case linked by the article[0].

[0] https://www.cbc.ca/news/canada/calgary/wire-fraud-email-cond...


How do the criminals handle the banking aspect? It's one thing to sit somewhere and cyber-phish/attack someone through email. But they need a bank account. In Canada. They then need to move 800k out quickly to another account somewhere. At least some aspects of this had to be done in person, using some kind of ID?


There are many ways to trick people into “washing” money for you — criminal organizations that are sophisticated enough to spearphish on this level surely are sophisticated enough to do that laundering too.

I’m convinced that a lot of the money is in fact reversed.


>If you’re running a law firm, real estate agency, investment bank or any entity that routinely shuffles large chunks of funds around, you should have a mechanism in place that can detect lookalike domains as they become registered.

That's not the obvious technical solution and would not be very effective. The most obvious technical solution would be to insist their customers sign any emails that involve the movement of large sums of money.
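As an added example (not from the article or from anyone in this thread), here is a small Python check in the spirit of the mechanism the quoted article recommends: fold confusable characters and compare new registrations against a protected domain, catching the .co/.com swap and the l/1 swap mentioned elsewhere in the thread. The confusables table, the feed and every domain name are constructed for illustration.

```python
# Character runs commonly swapped in look-alike names (the thread mentions an
# "l" swapped for a "1"); this table is illustrative, not an exhaustive list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("i", "l")]

def fold(label):
    """Collapse confusable runs so look-alike labels compare equal."""
    folded = label.lower()
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """Return (second-level label, TLD) for a name such as 'example.com'."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld

def classify(candidate, protected):
    """Return why `candidate` resembles `protected`, or None if it does not."""
    c_label, c_tld = split_domain(candidate)
    p_label, p_tld = split_domain(protected)
    if (c_label, c_tld) == (p_label, p_tld):
        return None  # the protected domain itself
    if c_label == p_label:
        return "tld-swap"  # example.co registered next to example.com
    if fold(c_label) == fold(p_label):
        return "confusable"  # examp1e.com, exarnple.com
    if edit_distance(fold(c_label), fold(p_label)) <= 1:
        return "near-miss"  # one character dropped, added or changed
    return None

def flag_lookalikes(protected, feed):
    """Run classify() over a feed of new registrations and keep the hits."""
    return {d: r for d in feed if (r := classify(d, protected))}

# Constructed sample of "newly registered" names; not real registrations.
SAMPLE_FEED = ["example.com", "example.co", "examp1e.com", "exmple.com",
               "exarnple.com", "unrelated.net"]
```

In practice the feed would come from a zone-file or newly-registered-domain service, and a hit should trigger a human review rather than an automatic block, since near-miss matches also catch legitimate unrelated names.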


We talked today about such problems in the office. Why, for example, is it not possible to allow VBA only inside the document, without access to other files, etc.?

Why do you have to accept "the document can do everything it wants" if you want to print a PDF from Adobe Acrobat Reader or use full-screen mode?


So a permission system :) I approve, and indeed would like every "executable" "thing" (JavaScript, CSS?, VBA, .exes, ELF binaries, Python, ...) to have a fine-grained permission system similar to Android or iOS.


Maybe yes, something like this. For example, I share an Excel document (with VBA) with a very high-ranking person in our company. I could write anything in there and it would be executed when he opens it with his account, with access to all this fancy information. I joke about this all the time.

I mean VBA itself is not a problem, only if you start to do things outside of the document.

I think it wouldn't even be hard to implement.


I've witnessed someone else getting stung (well, pieced it together after she realized).

My friend wasn't compromised but the person she was dealing with was. Evidently they were reading the other guy's mail, and when mention of invoicing came up they made a fake email address that was almost the same as his (swapped an l for a 1) and sent through new banking details.

The woman at this end didn't realize the email didn't come from who she thought it did and sent a 10k payment directly into the thieves' bank account.

She was mortified afterwards.


From the article it is not very clear how the cybercriminals exactly pulled this off (i.e. by simply changing the IBAN or also by changing the name of the recipient of the transfer).

Isn't the banking system supposed to protect from this kind of stuff? I mean, is it not the responsibility of banks to ensure that the recipient of the transfer is indeed the one specified by the sender? Or should one consider a wrongly placed banking transfer simply gone? The (non-)reversibility of transfers is one of the main arguments against crypto-currencies, and yet this kind of event seems to be happening with banks anyway.

My family runs a small-medium business and a couple of years back we were victims of something very similar. I'm a professional penetration tester myself (not to brag, but I'm pretty sure my family company is pretty secure); anyway, as we were the victim here (the ones that were not paid in the process), there was no way for us (me) to detect the issue (at the technical level) until it was too late. What happened is that one of our customers got their email compromised, and attackers were literally man-in-the-middling all of their emails. When they detected some bills and payment requests from us, they simply forwarded them back to our customers using a freshly registered domain name that looked a lot like ours. In the process they did alter the attachment, to change indeed the IBAN.

To keep it short, when we realized that something was wrong it was too late, and banks even refused to pay our customer back.

We did report the event to the authorities, however to this day we did not hear anything back :)

TL;DR Attackers compromised some customers' emails, altering the IBAN in the attachments in the process. The customer paid the attackers instead of the legitimate company, and the bank could not undo things. Is sending money to a wrong IBAN the same as sending it to a wrong wallet address for crypto-currencies? Not a big fan myself, but if there are no guarantees we might as well do the switch.

Only a rant



