Calling a spade…


19 December 2016

Paul Hearns

It was reported over the weekend that Meath County Council had fallen victim to the cybercrime phenomenon known as CEO fraud, with a sum of €4.3 million now frozen in a Hong Kong bank account while the details are determined.

The Independent is reporting that the incident was a ‘sophisticated’ attack, carried out around 28 October. The bank involved is reported as Bank of Ireland, though no comment has come from that quarter.

RTE.ie is reporting that the funds have been frozen in a Hong Kong bank until they can be properly tracked, identified and, hopefully, returned.

We here at TechPro Towers have reported on the issue of CEO fraud a number of times, but just to recap, it is a form of scam involving social engineering.

Monitored comms
The communications of an organisation are monitored and sometimes intercepted and spoofed, usually email. The movements of executives are monitored for their absence, through various means, to identify the right time to strike. An email is then sent to a relatively junior member of staff, but one with the right sort of authority, and purports to be from someone in authority — hence the term CEO fraud — and asks for the transfer of money to an account to facilitate some deal or negotiation critical to the organisation. And that is it.

So the technical prowess of the attackers stacks up to email interception, spoofing and having a bank account from which they can either extract or transfer funds. Quite where ‘sophisticated’ comes into this, one wonders.

The real ingenuity here, and even that is a bit of a stretch, is in identifying organisations that are susceptible. They have to be cash rich, they have to be multi-layered and they have to be ignorant of the type of scam.

Discipline
The discipline comes in being patient enough to wait until sufficient information is gathered to craft the right kind of scam, as in a plausible scenario with which to fool the operative who will make the transfer. That is the social engineering bit. And then a bit more patience and judgment to wait until the right opportunity to put all of this into action. None of this is sophisticated, the actual scam is as old as banks, but it is well-planned, well-executed and well, baffling!

Brian Honan, of BH Consulting and IRISS CERT, noted in this year’s survey of Irish security incidents that a modest rise in incidents was accompanied by an increasing fear of CEO fraud. However, he was quick to point out in his presentation of the annual report that CEO fraud is not a cyberattack; it is merely a social engineering strategy that leverages electronic communications — hardly the same thing.

In the case of Meath County Council, there was clearly a lack of communication security and security awareness training that allowed such a lapse to occur. However, to call it a sophisticated attack, if indeed it turns out to be mere CEO fraud, is deeply disingenuous and smacks of the desperation of a victim trying to make themselves sound less culpable.

Now, we have also reported here on the work of Dr Jessica Barker, who has written widely on the fact that cybersecurity suffers from the same malaise of victim blaming as did the investigation of sex crime. Dr Barker observed that when victim blaming was eliminated from the investigation of sex crime, not only did conviction rates improve, but more victims were willing to come forward, and so a more realistic picture of the extent of such crimes emerged.

Damaging culture
Dr Barker found this same damaging culture was prevalent in cybersecurity and was doing the same damage. As such, we should be careful not to blame the victim in this case too. However, for the victim to cry wolf in the form of labelling something a sophisticated attack when in actual fact it was merely a well-crafted one, is still falling prey to old mentalities that do not serve anyone.

As the facts emerge from the Meath County Council fraud investigation, if it does indeed turn out to be just run-of-the-mill CEO fraud, then the council will have done itself a great disservice by mischaracterising the nature of the fraud. Worse still, it may fall victim to another classic of human behaviour: transference. If it sticks to its ‘sophisticated’ tack, this might lead the powers that be to overspend on areas that are unnecessary or unwarranted.

CEO fraud is best tackled by user awareness and simple human elements — few security systems, however sophisticated, will protect an organisation from a well-meaning, but deluded and overly-authorised insider.

TechCentral.ie