With cyber threats at an all-time high, organizations must protect both their sensitive information and their financial assets. In a recent incident, a business lost $60,000 to an attack that combined a stolen email session token with weaknesses in the organization's own payment-approval process.
Before looking at this newer kind of attack, it helps to understand what an "authentication token" is. Imagine you are using your favorite web browser, say Google Chrome. You open the Google login page, type your credentials, and land in your mailbox. Behind the scenes, Google has issued an authentication token for your session and the browser has stored it (typically as a cookie). From then on, every request the browser sends to Google carries that token, so you can open other Google services, or sign in to third-party sites with Google, without typing your credentials again, until the token expires or is revoked. The important point for what follows is that the token is a bearer credential: the service does not check who is presenting it, only that it is valid and unexpired. Anyone who obtains a copy of the token can therefore act as you, and neither your password nor the one-time MFA code you entered at login is asked for again.
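To make the bearer-token point concrete, here is a small added example written for this article; it is not code from Google, Microsoft, or the affected business. The hypothetical SessionStore class, the client fingerprint strings, the password and the timestamps are all constructed for illustration. It shows a token being issued once after a password check, the same token being accepted from a completely different client (the incident), and three mitigations: binding the token to the client it was issued to, revoking all of a user's sessions, and a short lifetime.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy bearer-token session store (hypothetical, for illustration only).

    Whoever presents a valid, unexpired token is treated as the user who
    logged in, which is exactly how a browser session cookie behaves."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"user", "issued", "client"}

    @staticmethod
    def hash_password(password):
        # Illustrative only; a real service uses a slow, salted hash (argon2, bcrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password, password_db, client, now):
        """Check the password once and, if it is right, issue a random token."""
        stored = password_db.get(user)
        if stored is None or not hmac.compare_digest(stored, self.hash_password(password)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": now, "client": client}
        return token

    def whoami(self, token, client, now, bind_client=False):
        """Resolve a presented token to a user, or None if it is not accepted.

        The password is never asked for again: validity, expiry and
        (optionally) the client fingerprint are all that is checked."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if now - rec["issued"] > self.ttl:
            del self._sessions[token]          # expired: forget it
            return None
        if bind_client and rec["client"] != client:
            return None                        # token presented from a different client
        return rec["user"]

    def revoke_all(self, user):
        """'Sign out everywhere': invalidate every session of a user (e.g. after a
        suspected compromise). Returns how many sessions were dropped."""
        stale = [t for t, rec in self._sessions.items() if rec["user"] == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def demo():
    """Walk through the scenario in the article with constructed data."""
    password_db = {"alice": SessionStore.hash_password("correct horse battery staple")}
    store = SessionStore(ttl_seconds=3600)
    victim = "ip=203.0.113.10;ua=Chrome/Windows"     # constructed client fingerprints
    attacker = "ip=198.51.100.7;ua=Firefox/Linux"
    t0 = 1_700_000_000                               # constructed epoch timestamp
    out = {}

    # 1. The employee logs in once from her own browser and gets a token.
    token = store.login("alice", "correct horse battery staple", password_db, victim, t0)
    out["victim_login"] = store.whoami(token, victim, t0 + 60)

    # 2. The attacker replays the stolen token. Without any binding the
    #    service cannot tell the two clients apart: this is the incident.
    out["attacker_replay_unbound"] = store.whoami(token, attacker, t0 + 120)

    # 3. The same replay is refused when the token is bound to the client it
    #    was issued to (coarse in practice because of NAT and mobile networks,
    #    but it shows what "token binding" means).
    out["attacker_replay_bound"] = store.whoami(token, attacker, t0 + 120, bind_client=True)

    # 4. Knowing the username without the token or the password gets nothing.
    out["wrong_password"] = store.login("alice", "wrong", password_db, attacker, t0)

    # 5. Revoking all sessions kills the stolen token immediately.
    out["revoked_count"] = store.revoke_all("alice")
    out["attacker_after_revoke"] = store.whoami(token, attacker, t0 + 180)

    # 6. Short lifetimes limit how long a stolen token is worth anything.
    token2 = store.login("alice", "correct horse battery staple", password_db, victim, t0)
    out["victim_before_expiry"] = store.whoami(token2, victim, t0 + 3600)
    out["victim_after_expiry"] = store.whoami(token2, victim, t0 + 3601)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints one line per step; the step-2 line is the one that matters, because it shows the attacker's client resolving to "alice" with nothing but the copied token. Real identity providers implement the mitigations in steps 3, 5 and 6 as conditional access and token-protection policies, session revocation, and sign-in frequency settings rather than as a class like this one.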
The incident likely unfolded as follows:
Token Theft:
Malicious actors stole an employee's authentication token for their Microsoft email account, most likely by way of a phishing email. Note that merely opening a malicious page in a browser that already holds the token does not, by itself, hand the token to the attacker, since a browser only sends a session cookie to the site that issued it. In practice the theft happens either through an adversary-in-the-middle phishing page that proxies the real Microsoft login (including any MFA prompt) and captures the session cookie the service sets, or through malware on the device that reads the browser's stored cookies. Either way, the token gave the attackers access to the employee's mailbox, letting them read the communication history and send email as the employee.
Internal Phishing:
Armed with knowledge of the company's internal communications, the attackers sent a fraudulent payment request from the compromised mailbox to another employee, most likely in the accounting department. Because it came from a genuine internal account and matched the tone and context of earlier threads, it was hard to recognize as a scam.
Wire Transfer Authorization:
The second employee, deceived by what looked like a legitimate request from a colleague, did not verify it through any independent channel and executed the wire transfer.
What Should Have Been Done
Enhanced Security for Personal Devices:
The first employee should not have performed work tasks on a personal, unmanaged computer. Businesses should either prohibit personal devices for work or bring them under management, and provide secured company-owned devices. If this was a company computer, its web traffic should have passed through the company's web filtering (on the firewall or a secure web gateway) to block known phishing and compromised sites, and endpoint protection should have been in place to catch credential- and cookie-stealing malware.
Email Security Measures:
The company should have deployed email security controls to identify and quarantine phishing messages before they reached the first employee, together with security awareness training on recognizing suspicious emails. Because a stolen session token bypasses both the password and an already-completed MFA prompt, the mailbox should also have been protected with phishing-resistant MFA (for example FIDO2 security keys, which will not authenticate to a look-alike proxy site), short session lifetimes, alerts on sign-ins from unfamiliar devices or locations, and the ability to revoke all of a user's sessions the moment a compromise is suspected.
Wire Transfer Controls:
Companies must establish strict rules for wire transfers and other financial transactions. At a minimum, every transfer request, and every change to a payee's bank details, must be verified by calling the requester back on a phone number taken from company records, never on a number supplied in the email itself, and large or unusual transfers should require approval from a second person.
Overall, in an era of relentless cyber threats, adapting, educating, and protecting against evolving attack tactics is imperative to maintaining any organization's security and financial stability.