Many companies run legacy billing systems, either because of historical or financial reasons, incompatibility, or the limited technical knowledge of their employees. Some business partners cannot agree on which system (or whose) to use, and so fall back to the one everybody has: email. They send unversioned PDF invoices as email attachments. Most attackers are after money, and a billing system that operates directly on money is therefore a very juicy target.
The incident we were requested to investigate happened at an international software development company. It started with the compromise of an assistant's email account. From her previous email messages, the attackers learned her role and the people she corresponded with. The compromise was discovered when the attackers tried to convince a partner to pay an invoice that it had already paid.
We were asked to investigate the incident and uncover any malicious activity. The attacker manipulated email threads so that different participants in the conversation saw different information. They managed to mislead a customer into making a very large transfer to the attacker's bank account. This is when the incident was discovered. It was immediately classified as high severity.
As our partner is an international company, we could only exchange minimal data, such as email messages and attachments. We were also given brief access to the workstation of one of the accounts suspected of being compromised. We identified the attackers by name and established that they were a criminal organization based in Lagos, Nigeria. We delivered an initial and a final report soon enough that the victims could have the attackers' bank account locked, and the transfer was reversed. We provided evidence that neither our partner nor their customers had intended to mislead each other; it was all attacker activity. We also made recommendations to our partner on how to prevent future incidents of this kind.
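Thread manipulation of the kind described above leaves traces in the message headers that a defender can check mechanically. The following Python script is an added example, not part of the original report or of Ukatemi's tooling: it parses a handful of constructed messages (invented for the example, not the incident's real mail) and flags replies whose In-Reply-To points at a message nobody in the mailbox has seen, whose sender domain does not belong to the thread it claims to continue, or whose Reply-To steers answers to a domain other than the sender's. The three checks, the sample addresses and the finding labels are all assumptions of the example, not details from the case.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample mailbox (illustrative only, not messages from the incident).
# Message 1: legitimate invoice from the partner to the customer.
# Message 2: legitimate customer reply, correctly threaded.
# Message 3: reply from a look-alike domain claiming to continue the thread.
# Message 4: reply sent from the real (compromised) account, but threaded onto a
#            message nobody has seen and steering answers elsewhere via Reply-To.
RAW_MESSAGES = [
    "\n".join([
        "From: Alice <alice@partner.example>",
        "To: Bob <bob@customer.example>",
        "Subject: Invoice 4711",
        "Message-ID: <1@partner.example>",
        "",
        "Please find invoice 4711 attached.",
    ]),
    "\n".join([
        "From: Bob <bob@customer.example>",
        "To: Alice <alice@partner.example>",
        "Subject: Re: Invoice 4711",
        "Message-ID: <2@customer.example>",
        "In-Reply-To: <1@partner.example>",
        "",
        "Thanks, payment is scheduled.",
    ]),
    "\n".join([
        "From: Alice <alice@partner-example.com>",
        "To: Bob <bob@customer.example>",
        "Subject: Re: Invoice 4711",
        "Message-ID: <3@partner-example.com>",
        "In-Reply-To: <1@partner.example>",
        "",
        "Our bank details have changed, see the attached invoice.",
    ]),
    "\n".join([
        "From: Alice <alice@partner.example>",
        "To: Bob <bob@customer.example>",
        "Reply-To: Alice <billing@mail-forward.example>",
        "Subject: Re: Invoice 4711",
        "Message-ID: <4@partner.example>",
        "In-Reply-To: <9@partner.example>",
        "",
        "Please confirm the payment to the new account.",
    ]),
]


def parse_messages(raws):
    """Parse raw RFC 822 text into email.message.Message objects."""
    return [email.message_from_string(raw) for raw in raws]


def domain_of(header_value):
    """Return the lower-cased domain part of a single address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def participant_domains(msg):
    """All domains that took part in a message (From, To, Cc)."""
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(fields) if addr}


def thread_anomalies(msgs):
    """Return (message_id, finding) tuples for replies that break thread consistency."""
    by_id = {m["Message-ID"]: m for m in msgs if m["Message-ID"]}
    findings = []
    for m in msgs:
        mid = m["Message-ID"]
        sender_domain = domain_of(m["From"])

        # Check 1: Reply-To pointing away from the sender's own domain.
        if m["Reply-To"] and domain_of(m["Reply-To"]) != sender_domain:
            findings.append((mid, "reply-to-mismatch"))

        parent_id = m["In-Reply-To"]
        if not parent_id:
            continue  # thread root, nothing to compare against

        # Check 2: claims to continue a message the mailbox has never seen.
        parent = by_id.get(parent_id)
        if parent is None:
            findings.append((mid, "unknown-parent"))
            continue

        # Check 3: sender domain was not a participant in the message it answers.
        if sender_domain not in participant_domains(parent):
            findings.append((mid, "sender-not-in-thread"))
    return findings


if __name__ == "__main__":
    for message_id, finding in thread_anomalies(parse_messages(RAW_MESSAGES)):
        print(f"{message_id}: {finding}")
```

Run against a real mailbox export, each finding is only a lead: look-alike domains and stray Reply-To headers are classic business email compromise markers, while a reply to an unseen Message-ID may simply mean the parent was deleted. The value of the check is that it works on the headers alone, which is exactly the kind of minimal data a partner is willing to share.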
Copyright 2021 Ukatemi Technologies LLC.