Long-time FACC CEO Walter Stephan was fired this week because the company he led, an Austrian airplane parts maker, fell victim to a CEO email scam that successfully siphoned off €52.8 million ($56.79 million) last January. FACC customers include Airbus, Boeing and Rolls-Royce.
“The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the ‘fake president incident’,” said FACC.
The CFO was released from his position in February. According to Techworm, “On Wednesday, the company disclosed its 2015-2016 financial year results, where it stated that it managed to recoup €10.9 million euros of the stolen funds from being transferred.
The company nonetheless reported total losses of €23.4 million for the 2015-2016 financial year, of which a majority amount was the €40.9 million loss from the online scam incident.”
How it Works
The company fell victim to an email fraud scam. Criminals are using fake domains and emails to pose as CEOs and other high ranking officers or key employees, and convince employees to send them money, in many cases millions of dollars. The FBI calls this scam business email compromise (BEC), or CEO fraud. The scams start with crooks spoofing or hijacking the email accounts of business executives or employees.
It is easy and cheap: there is no barrier to entry for criminals to set up new domains. They can register them using a completely anonymous throwaway email address, so the registration can't be traced back to them. And it's free, because domain issuers often run promotions for free 30-day trials.
How to get started:
- Pick an organization you want to defraud.
- Get any credit card number (stolen or fake) and a throwaway free email address.
- Use the credit card number and email account to sign up for a free new domain of your choice and an associated email address using any one of the myriad providers that give away services as a marketing promotion. Pick a domain name very similar to the target organization’s domain, with a slight misspelling. For example, if you are targeting AcmeRoadRunner.com, you could sign up for the AcmeRoadRuner.com domain (notice it is short an “n”) and then set up a fake email account for the CEO, email@example.com.
Why does this work? The Internet "freemium" business model is driven by "eyeballs": getting as many people as possible using your platform. Anything that stands between a visitor and a completed sign-up, such as verifying their identity or checking that the credit card they gave you is legitimate and belongs to them, is an obstacle (and a cost) to acquiring that eyeball. Conversion rates from eyeballs to paying customers are abysmally low, so performing those checks on every sign-up would kill the business model. Companies generally ONLY do them when the eyeball converts to a paid account, because that is when it is worth the cost and effort.
The result is that most consumer and small-business web hosters offer a month's free web hosting with an available domain of your choice, plus an email account on that domain. They neither verify the requestor's identity nor charge the card used to sign up. This offer has proven very attractive to fraudsters: they can stand up a domain and email account instantly and begin perpetrating fraud immediately. Our research shows that the average time between setting up the domain and email and sending the first fraudulent email is minutes.
This matters because the hoster/registrar only has to pay ICANN $0.18 per domain for one year, and doesn't have to pay it immediately, leaving a window in which it costs no one anything to provide infrastructure that in most cases is only needed for less than a day. So EVEN if they DO verify after the fact and cancel the account, the odds are that the damage has already been done.
Here's an example of how it works: criminals send a fake CEO email to the accounting department requesting an immediate wire transfer for an urgent purchase. The request includes wire transfer details for a bank account controlled by the criminal. The accounts payable clerk receives a meticulously crafted CEO email with only one likely indiscernible error: the company email address is missing a letter. There is a good chance that accounting will ask for more information, but enough transactions of this type are completed without any questions from accounts payable to make this scam profitable.
And even if it is questioned initially, a confident fraudster can manage the follow-up email conversation well enough to get the money transferred. Whether the scam succeeds or fails, the stolen credit card and disposable email address make tracking down the perpetrator difficult.
A couple of successful scams include:
- Ubiquiti Networks suffered a $46.7 million loss (http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/)
- The Scoular Co. lost $17.2 million (http://www.omaha.com/money/impostors-bilk-omaha-s-scoular-co-out-of-million/article_25af3da5-d475-5f9d-92db-52493258d23d.html)
How can you protect against this scam?
- First and foremost: PICK UP THE PHONE. If someone asks you to wire them money, CALL them. Don't use the number they sent in the e-mail; use the one from the company directory. This is basic common sense and should be part of the basic financial controls in place at all companies.
- Second, have proper financial controls in place with your financial institutions for large transfers. It should take multiple people and multiple steps (and two-factor authentication) to approve large electronic transfers.
- URL filtering will only work if the action is to click on a link. BEC doesn't usually use this.
- Last, but by no means least, run proper domain checking and validation on your e-mail. Pretty much all companies run spam filters on the INBOUND side, but there is still precious little verification on the outbound side. It's a little more complex, but not all that hard if you know how. The catch is that you need to be running your own mail and DNS servers.
- RHSBLs such as SURBL can sometimes recognize the domain in the header or body and block it inbound at the mail server. Running an RHSBL is a best practice for the mail provider, just like running an RBL.
- The best way to handle this is to block outbound mail to suspicious mail servers and throwaway domains. One of the simplest measures is to run a DNS firewall (Response Policy Zone) that blocks lookups for newly registered zones for some period of time, so that mail cannot be sent to them. One of the key things about BEC domains is that they tend to be NEW and short-lived (see the business model above). So if you simply don't send e-mail to domains that haven't existed for more than a couple of days, you will cut out most of the issues. Legitimate domains typically don't send or receive traffic for some time after registration, since registering the domain is one of the first things you do on the Internet, and the rest of setting up a legitimate business takes at least days and usually weeks. A good source of this data is ThreatSTOP's partner Farsight Security; their Newly Observed Domains RPZ is useful here.
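The two signals described in this post, a sender domain one letter off from the company's own (the AcmeRoadRuner.com example above) and a domain first observed only days ago, can be checked by the mail gateway before an outbound reply is ever sent. The following is an added example, not ThreatSTOP's, Farsight's or FACC's code. It assumes a constructed "first seen" table standing in for a Newly Observed Domains feed, hypothetical domain names, and the standard RPZ convention that a `CNAME .` policy record returns NXDOMAIN for the name.

```python
"""Added example: flag BEC-style sender domains (lookalike of our own domain, or
newly observed) and emit RPZ policy records that would NXDOMAIN them at the resolver."""
from __future__ import annotations

from datetime import date, timedelta
from email.utils import parseaddr

# The organisation's own domain(s). Constructed value, following the post's example.
OWN_DOMAINS = {"acmeroadrunner.com"}

# Constructed stand-in for a Newly Observed Domains feed: domain -> date first seen.
# A real deployment would consume the provider's RPZ or API instead of this table.
FIRST_SEEN = {
    "acmeroadrunner.com": date(2009, 3, 14),
    "acmeroadruner.com": date(2016, 1, 12),        # lookalike, seen the day it is used
    "bigbank.example": date(2011, 7, 1),
    "payments-portal.example": date(2016, 1, 10),  # new, but not a lookalike
}


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value ('' if malformed)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single dropped letter (RoadRuner vs RoadRunner) is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, max_distance: int = 2) -> bool:
    """True when domain is within max_distance edits of one of ours but is not ours."""
    if domain in OWN_DOMAINS:
        return False
    return any(edit_distance(domain, own) <= max_distance for own in OWN_DOMAINS)


def is_newly_observed(domain: str, today: date, min_age_days: int = 3) -> bool:
    """True when the feed first saw the domain fewer than min_age_days ago.
    Domains absent from the feed are treated as established (the feed only lists new ones)."""
    seen = FIRST_SEEN.get(domain)
    if seen is None:
        return False
    return (today - seen) < timedelta(days=min_age_days)


def assess(from_header: str, today: date) -> dict:
    """Decide whether mail to this sender's domain should be blocked, and why."""
    dom = sender_domain(from_header)
    reasons = []
    if not dom:
        reasons.append("no-domain")
    else:
        if is_lookalike(dom):
            reasons.append("lookalike")
        if is_newly_observed(dom, today):
            reasons.append("newly-observed")
    return {"domain": dom, "block": bool(reasons), "reasons": reasons}


def rpz_records(domains) -> list[str]:
    """RPZ policy lines: 'CNAME .' yields NXDOMAIN for the name and everything under it,
    so neither the MX nor any host in the domain resolves and no mail can be sent there."""
    recs = []
    for d in sorted(domains):
        recs.append(f"{d} CNAME .")
        recs.append(f"*.{d} CNAME .")
    return recs


if __name__ == "__main__":
    today = date(2016, 1, 12)
    samples = [  # constructed From: headers
        "Walter CEO <ceo@AcmeRoadRuner.com>",
        "Treasury <ops@payments-portal.example>",
        "Relationship Mgr <rm@bigbank.example>",
    ]
    blocked = [r["domain"] for r in (assess(s, today) for s in samples) if r["block"]]
    for s in samples:
        print(assess(s, today))
    print("\n".join(rpz_records(blocked)))
```

The lookalike check is deliberately scoped to the organisation's own domains rather than all of the Internet, which keeps false positives low; the age check is the automated form of the "don't mail domains younger than a couple of days" rule, and the emitted records are what a resolver's RPZ would serve so that the outbound MTA simply cannot find the fraudster's mail server.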