A Security Tale

Comments are off
2
Steve Wemyss
A Security Tale

For something different for this week’s Malware Monday, I want to tell a story. It’s based on fact, but all names have been changed to protect the ‘innocent’.

‘Fred’ owns a small business with a modest turnover of $3-4m per year. They’re doing pretty well, but like many smaller businesses, Fred doesn’t have a lot of time for security or the inconvenience of things like Two Factor security.

It won’t happen to him.

One day, Fred is reading through his daily 200 emails and clicks on a link that then opens his Office365 page and he logs in where he reads his mail in the web browser. A bit odd he thinks, but it’s his mail he sees and so he doesn’t worry.

A few weeks later, Fred gets an SMS from his bank telling him that his mobile number has been changed and that if he doesn’t respond the change will occur in an hour. Fred realises something’s up, and so rings the bank and they cancel the change. “All good,” thinks Fred (not realising he’s been saved by a form of the bank’s two factor authentication that he steadfastly refuses to implement in his business, despite his IT company’s recommendations).

Within a few minutes, however, this happens again.

So back to the bank, and this time they update his passwords to be sure. “Good,” thinks Fred, but showing at least some insight, decides to check his email and discovers that there is a lot of mail being forwarded to a strange Gmail account. His maintenance provider then discovers that there is a forwarder on his email, sending a copy of everything he receives to the same Gmail account – and it looks like it’s been there for months.

The forwarder is removed. Fred breathes a sigh of relief. His maintenance provider advises that this meets the criteria of a Data Breach under the Australian Mandatory Disclosure Regulations. Fred, wanting to avoid an inconvenience, talks to his accountants for a second opinion. Despite the fact that they are neither IT nor security experts, they decide that no one else other than Fred has been affected and he doesn’t need to do anything. Liking this advice more, he keeps it a secret from all the people who have sent him an email over the last two months that their correspondence has been disclosed to a third party.

So, Fred breathes easy and wipes his hands of the problem. “Not my problem.”

Well, Fred is about to get a very nasty lesson. You see, that third party now has a copy of a lot of correspondence between Fred and several of his major customers and suppliers. The bad guy carefully takes these previous message threads, including one talking to a major client and a big project which includes details of the invoice, payment schedule and other pertinent information.

The bad guy then crafts a reply to one of Fred’s customers requesting the customer utilise certain banking details for this transaction as shown on the invoice (including a nice copy attached again for easy reference).

Fred’s customer then receives this email, after all it appears to come from Fred: it contains the history of the previous emails and so is readily accepted at face-value by even an alert user. She diligently deposits the $150,000 progress payment as requested to the details on the invoice.

A few weeks later, Fred realises he hasn’t received his payment, he rings the customer to find out what’s going on and is told that they’ve already made the deposit as requested. Working with the bank, they discover the money was deposited and then immediately transferred out of the false account within minutes. The Customer has lost their payment, and Fred has not received his payment for the deposit. Both parties are losers.

Fred refuses to take any responsibility and demands the payment from the client before anything is delivered. The client cannot afford a second payment and is likely to go under as a result, especially if they don’t have some form of fraud insurance.

So, what have we learned from this?

Well, Fred’s learned nothing. He refuses to accept any responsibility and still won’t use two factor authentications, as it’s too inconvenient.

Fred’s (now former) customer has found out that the original email trail resulted from a compromise in Fred’s emails that he didn’t report. The customer is not happy and is $150k out of pocket. Her insurance company is going to go after Fred who’s likely going to have a bad day when he receives that letter. The Australian government is also displeased with Fred for not reporting the breach in the first instance and decides to levy the financial penalty – the maximum of which can be as high as $2.1m. So Fred’s company is likely to go under as well.

Lessons to Learn from This Story:

  1. Data breaches can involve others, and even if the fraud is perpetrated on you, it can be used to scam others.
  2. Failure to report breaches is a serious, and illegal, omission.
  3. Don’t take legal advice from your accountant or anyone else who is not an expert.
  4. If your IT company gives you advice, then seriously consider that they are probably doing so to help protect you for a reason.

I hope you found this story valuable, as it’s very real. All of us would like to believe that “this won’t happen to me” but it does and it’s usually targeted on those who like to cling to this mistaken belief.