I never cease to be amazed at the creativity and effort of cyber criminals. Any time I think I’ve seen it all, our team runs across a new tactic that has caused significant harm to a business. This week we assisted a client that fell victim to a complex, yet simple cyber-scheme, leading to the compromise of bank accounts and the possible loss of millions of dollars. Please share this article with anyone in your organization who is involved in the banking and finance area. You do not want this happening to your organization.
Just when we get comfortable with the assumption that our controls are protecting us, cyber criminals find a new way to bypass security measures. This industry is ever-changing. We spend a lot of time preaching about multi-factor authentication (MFA), and for years banks have provided customers with comfort in this control. This week we saw that control fail, further reinforcing the importance of layered security measures and continual risk assessment and control improvement.
It all started with a user in our client’s accounting department who had elevated administrative access to the corporate online banking platform. This user searched for her banking login page through a normal Google search. She clicked the search result and navigated to the bank login website (or so she thought). She entered her user ID, her password, and her rotating MFA token code to log in as normal. Little did she know, the top result was not the site that she expected. The website into which she entered her sensitive information, including her MFA token code, was a fake site, mocked up to look identical to her real banking login site. The cyber criminals instantaneously initiated a login to the real banking site using her credentials and MFA token code to gain access to the bank account. Think about the sophistication here—on average, MFA codes change about every 30 seconds, so the stolen code had to be replayed within that window.
Upon gaining access to the real account, the cyber criminals quickly moved to create additional user accounts. These accounts were used to initiate multiple wire requests for hundreds of thousands of dollars each (totaling close to $2 million). They then used the compromised account to approve the wires they had initiated with the fake user accounts. During this same time, they flooded the compromised user’s email inbox to distract her from seeing any banking communication. Later they launched a distributed denial of service (DDoS) attack against the user’s internet connection, rendering it basically useless. The cyber criminals were attempting to limit the user’s ability to access the real bank account or any other online resources, thus helping to cover their tracks.
At the time of this article, the user is still working with the bank to recover a large portion of the funds that were not stopped before they were fully processed.
What are the critical lessons learned, and how do you improve your controls to protect your organization?
- Be sure you have a robust and continual user awareness training program.
- Users should be cautious of search results, even top-ranked ones, and should reach the banking login page through a bookmark or a directly typed address.
- Users should be cautious about clicking links in emails and should never click on links regarding banking.
- Review your online banking platform security and controls.
- Be sure all users’ logins have multi-factor authentication.
- Be sure you are using all of the latest security controls offered by your bank.
- Think through segregation of duties. First, an approver should not be able to create/initiate transactions. Second, a user who can approve/release funds should not have the ability to create users and manage user security.
- Your bank should provide controls that prevent any one single person from making changes to user security. Any security changes should require secondary approval and the secondary approver should not have any transaction approval authority.
- Many people ignore segregation of duties in smaller organizations, likely due to physical personnel limitations. This should not be an excuse. Leverage trusted advisors like your CPA or attorney to give you the secondary approval, if needed.
- Continually evaluate your cyber risks and improve your controls. As we have seen here, even very reliable controls like MFA can now be bypassed under certain targeted campaigns. Layer controls whenever possible.
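As an added illustration (not code from the article's authors or from any bank's platform), the following Python models the segregation-of-duties rules in the list above and replays the steps of the incident against them. The user names, rights table and dollar amounts are constructed; the point is that each step the attacker needed (creating a user from a compromised login, initiating and then approving wires from the same login, making a security change without a second approver) is refused while the legitimate two-person flow still works.

```python
"""Segregation-of-duties policy for an online banking platform.

Added illustration, not code from any bank or from the article's authors.
It models three controls from the lessons list and replays the incident's
steps (constructed data) against them:
  1. a user who approves/releases funds cannot initiate transactions,
  2. a user who approves/releases funds cannot create or manage users,
  3. any user-security change needs a second, distinct approver who holds
     no transaction approval authority.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Right(Enum):
    INITIATE_WIRE = auto()
    APPROVE_WIRE = auto()
    MANAGE_USERS = auto()
    APPROVE_SECURITY_CHANGE = auto()


# Rights that must never sit on one login (hypothetical policy table).
CONFLICTING_RIGHTS = [
    {Right.INITIATE_WIRE, Right.APPROVE_WIRE},
    {Right.APPROVE_WIRE, Right.MANAGE_USERS},
    {Right.APPROVE_WIRE, Right.APPROVE_SECURITY_CHANGE},
]


class PolicyViolation(Exception):
    """Raised when an action would break segregation of duties."""


@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)


class BankingPlatform:
    def __init__(self):
        self.users = {}   # name -> User
        self.wires = {}   # wire_id -> {"initiator", "amount", "approved_by"}

    @staticmethod
    def check_rights(rights):
        for pair in CONFLICTING_RIGHTS:
            if pair <= rights:
                names = ", ".join(sorted(r.name for r in pair))
                raise PolicyViolation(f"conflicting rights: {names}")

    def bootstrap_user(self, name, rights):
        """Initial provisioning by the bank; still subject to the conflict table."""
        self.check_rights(set(rights))
        self.users[name] = User(name, set(rights))

    def create_user(self, actor, name, rights, second_approver):
        """User-security change: needs MANAGE_USERS plus dual control."""
        if Right.MANAGE_USERS not in self.users[actor].rights:
            raise PolicyViolation(f"{actor} cannot manage users")
        if second_approver == actor or second_approver not in self.users:
            raise PolicyViolation("security change needs a second, distinct approver")
        approver = self.users[second_approver]
        if (Right.APPROVE_SECURITY_CHANGE not in approver.rights
                or Right.APPROVE_WIRE in approver.rights):
            raise PolicyViolation(f"{second_approver} may not approve security changes")
        self.bootstrap_user(name, rights)

    def initiate_wire(self, actor, amount):
        if Right.INITIATE_WIRE not in self.users[actor].rights:
            raise PolicyViolation(f"{actor} cannot initiate wires")
        wire_id = len(self.wires) + 1
        self.wires[wire_id] = {"initiator": actor, "amount": amount, "approved_by": None}
        return wire_id

    def approve_wire(self, actor, wire_id):
        wire = self.wires[wire_id]
        if Right.APPROVE_WIRE not in self.users[actor].rights:
            raise PolicyViolation(f"{actor} cannot approve wires")
        if wire["initiator"] == actor:
            raise PolicyViolation("initiator may not approve their own wire")
        wire["approved_by"] = actor
        return wire


def attempt(fn, *args):
    """Run one step and report whether the policy allowed or blocked it."""
    try:
        fn(*args)
        return "allowed"
    except PolicyViolation as exc:
        return f"blocked: {exc}"


def replay_incident():
    """Constructed replay of the incident against a compliant setup.
    Returns the outcome of each step, keyed by a short description."""
    bank = BankingPlatform()
    results = {}
    # The original login held both wire approval and user administration;
    # the conflict table refuses to provision such a login at all.
    results["provision approver+admin login"] = attempt(
        bank.bootstrap_user, "acct_admin", {Right.APPROVE_WIRE, Right.MANAGE_USERS})
    # Compliant roles: each sensitive right lives on a separate login.
    bank.bootstrap_user("clerk", {Right.INITIATE_WIRE})
    bank.bootstrap_user("controller", {Right.APPROVE_WIRE})
    bank.bootstrap_user("sec_admin", {Right.MANAGE_USERS})
    bank.bootstrap_user("cpa", {Right.APPROVE_SECURITY_CHANGE})  # outside advisor
    # A phished controller session cannot create users or initiate wires.
    results["controller creates user"] = attempt(
        bank.create_user, "controller", "new_clerk", {Right.INITIATE_WIRE}, "controller")
    results["controller initiates wire"] = attempt(bank.initiate_wire, "controller", 250_000)
    # Even a phished security-admin session needs a valid second approver.
    results["sec_admin creates user alone"] = attempt(
        bank.create_user, "sec_admin", "new_clerk", {Right.INITIATE_WIRE}, "sec_admin")
    results["sec_admin with controller as approver"] = attempt(
        bank.create_user, "sec_admin", "new_clerk", {Right.INITIATE_WIRE}, "controller")
    results["sec_admin with cpa as approver"] = attempt(
        bank.create_user, "sec_admin", "new_clerk", {Right.INITIATE_WIRE}, "cpa")
    # The legitimate path: clerk initiates, a different person approves.
    wire_id = bank.initiate_wire("clerk", 12_500)
    results["clerk approves own wire"] = attempt(bank.approve_wire, "clerk", wire_id)
    results["controller approves clerk wire"] = attempt(bank.approve_wire, "controller", wire_id)
    return results


if __name__ == "__main__":
    for step, outcome in replay_incident().items():
        print(f"{step:40s} {outcome}")
```

The conflict table is the piece to adapt to your own bank's role model; the dual-control check in `create_user` is where the "second approver with no transaction authority" rule from the list is enforced, and it is the check that would have stopped the fake user accounts from ever being created.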
Contact us to evaluate your cyber risks and improve controls before your organization becomes the next victim.