An organized crime group has spent the last month defrauding US companies, fooling them into making large wire transfers into fake partners' accounts.
According to a blog posted Friday by researchers at security firm TrustedSec, the crime group is conducting "a major offensive" against US firms using a sophisticated social engineering attack that appears to be a request for funds from one of the victim companies' legitimate partners. The attacks have a high rate of success, often fooling enterprises into sending amounts of $50,000 to $1 million, the blog says.
"A number of companies are still unaware that they have been victims of this attack," TrustedSec says.
The attack works in much the same way as a traditional phishing attack, only the stakes are much higher. The attacker compromises an email account in the victim's accounting department -- or that of the business partner -- and then registers an Internet domain that is very similar to the partner's legitimate domain name.
The attacker will establish communications with the victim using the partner's email credentials, often communicating via legitimate company letterhead with legitimate signatures. Initially, the communications may include the legitimate domain names.
Once communications have been established, the attacker will then submit requests for funds, change orders, or lines of credit from the victim company, TrustedSec says. If the initial requests don't work, the attacker may spoof emails to authorize the funds transfer or conduct a convincing social engineering attack over the phone.
The attackers often are successful in getting wire transfers to the fake domains, the blog says. A large number of the transfers are processed by banks in China.
"Note that the attackers are persistent; they use emotional triggers in order to entice the affected company to expedite the fraudulent requests," says TrustedSec. "They will become agitated, demand that it be expedited and even spoof emails coming from internal employees to coax the company to hurrying the process. They will also target your company again if successful."
IT organizations should warn their accounting departments about this fraud and verify all transactions with third-party partners and vendors, TrustedSec advises.
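As an added illustration (not from TrustedSec or the original article), the look-alike domain step described above can be screened for by comparing each sender domain on a payment-related email against the partner domains accounting already deals with. The partner list, function names, and sample From headers below are constructed assumptions, and the TLD handling is simplified to the last label.

```python
from email.utils import parseaddr

# Constructed allowlist; in practice, the partner domains accounting already deals with.
PARTNER_DOMAINS = {"acme-supply.com", "northwind-logistics.com"}

# Visually confusable sequences folded to one form before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")]


def skeleton(domain):
    """Reduce a domain to a form in which common look-alike spellings collide."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_sender(from_header, partners=PARTNER_DOMAINS, max_dist=2):
    """Return ("known" | "lookalike" | "unknown", matched partner domain or None)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain in partners:
        return ("known", domain)
    for partner in sorted(partners):
        same_name_other_tld = domain.rpartition(".")[0] == partner.rpartition(".")[0]
        if (same_name_other_tld
                or skeleton(domain) == skeleton(partner)
                or edit_distance(domain, partner) <= max_dist):
            return ("lookalike", partner)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From headers for illustration.
    for header in ["Acme AP <ap@acme-supply.com>", "Acme AP <ap@acme-supp1y.com>",
                   "billing@northwind-logisitcs.com", "news@example.org"]:
        print(header, "->", check_sender(header))
```

A "known" result only means the domain matches; because the attacker may be writing from the partner's real, compromised account, payment requests still need verification with the partner through a separate channel.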