
Target: Attack – Atlanta Government Ransomware Attack

March 27th – The City of Atlanta is currently dealing with a ransomware attack. Its systems are being held for a ransom of $51,000, and the attack has been ongoing for six days. The infected systems have disrupted some of the city’s critical functions: residents are unable to pay electric bills, city employees have no email or internet access, and police are taking tickets down by hand. Wi-Fi has also been shut down at the Atlanta International Airport, the world’s busiest airport. Some sources say the ransomware used to lock down the systems was SamSam, a tool commonly used in targeted attacks against US entities, and that NSA exploits leaked by the Shadow Brokers may have been used to spread it. Both of these details, the ransomware family and the use of NSA exploits, are unconfirmed at this time.

Local news report on the attack: https://www.wsbtv.com/news/local/atlanta/cyber-attack-against-city-of-atlanta-still-causing-problems/721971668

Targeted Wire Transfer Scams on the Rise

While not new, targeted wire transfer scams are alive and well and we recommend that you check your processes to guard against them.

These scams start by targeting corporate executives and attempt to convince their targets to wire funds to accounts controlled by the fraudsters.

In one variant of the attack, the scammer registers a domain name with a spelling similar to the target’s and sets up an email service on it. They then search online for the names of the CFO and the managers in the finance department. The attack begins with a targeted email to a manager, sent from what looks like the CFO’s address but on the lookalike domain. If the manager responds, the attacker gathers information from the exchange and then stages a malicious funds transfer request: a wire transfer to a bank account, to be completed within a short period of time, worded in the language picked up from the phished email threads. The manager believes the CFO is requesting the transfer and requests approval, and the attacker, still posing as the CFO, approves it.

In another variant, the attacker impersonates an executive at another company that is likely to be doing business with the target company. The initial email uses a domain name that closely resembles the corporate domain name of the organization being impersonated. The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account. This attack leverages the likelihood that Accounts Payable at the target company will have actual invoices from the spoofed company.

In both cases, once the funds are transferred, they are quickly rerouted to other hard-to-trace accounts.

Who is Being Targeted by Wire Transfer Scams?

Scammers frequently attempt to exploit the finance departments of medium to large-sized organizations that are likely to have a high volume of transactions.

Recommended Countermeasures

  1. Internal education – undertake organization-wide phishing awareness training and ensure finance department personnel are familiar with this type of scam.
  2. Require validation of new banking information with trusted accounting contacts at suppliers and business partners.
  3. Identify lookalike email domains that could be used by scammers in the above scenarios and create email filters that treat mail from those domains as spam. The following tool generates variations of email domains that could be used in a phishing attack or for URL hijacking: http://www.morningstarsecurity.com/research/urlcrazy.
  4. While you could also block the source IP of the attack, expect that future attacks will come from a different IP address.
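The lookalike-domain check from countermeasure 3, as an added example that is not code from the original post and not the urlcrazy tool it links: it enumerates common misspellings of the domains you want to protect, then classifies an inbound sender address as trusted, lookalike or unrelated so a mail filter can quarantine the lookalikes. The protected domains (examplecorp.com, acme-supplier.com), the homoglyph table and the sample messages are constructed for illustration.

```python
"""Lookalike-domain detection for inbound mail (added example, constructed data)."""

import functools
import re

# Constructed: the domains to protect, our own plus a key supplier's.
PROTECTED_DOMAINS = ("examplecorp.com", "acme-supplier.com")

# Characters that look alike in common fonts; each key is swapped for each value.
HOMOGLYPHS = {"l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "m": ("rn",),
              "rn": ("m",), "e": ("3",), "a": ("4",), "s": ("5",)}


@functools.lru_cache(maxsize=None)
def generate_variants(domain):
    """Return the set of plausible lookalike spellings of `domain`."""
    name, _, tld = domain.rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])             # omission: exmplecorp
        names.add(name[:i] + name[i] + name[i:])       # doubling: exammplecorp
    for i in range(len(name) - 1):                      # transposition: examplecrop
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for src, repls in HOMOGLYPHS.items():               # homoglyph: examp1ecorp
        start = 0
        while (pos := name.find(src, start)) != -1:
            for r in repls:
                names.add(name[:pos] + r + name[pos + len(src):])
            start = pos + 1
    for i in range(1, len(name)):                       # hyphen insertion: example-corp
        names.add(name[:i] + "-" + name[i:])
    names.add(name.replace("-", ""))                    # hyphen removal: acmesupplier
    variants = {f"{n}.{tld}" for n in names if n and n != name}
    for alt in ("com", "net", "co", "org"):             # same name, different TLD
        if alt != tld:
            variants.add(f"{name}.{alt}")
    return frozenset(variants)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, protected=PROTECTED_DOMAINS, max_distance=1):
    """Classify the sender's domain as trusted, lookalike, unrelated or invalid."""
    match = re.search(r"@([a-z0-9.-]+)$", address.strip().lower())
    if not match:
        return "invalid"
    domain = match.group(1)
    if domain in protected:
        return "trusted"
    for p in protected:
        if domain in generate_variants(p):
            return "lookalike"
        # Catch-all for single-character substitutions or insertions the
        # generator does not enumerate; compares the registrable name only.
        if levenshtein(domain.rpartition(".")[0], p.rpartition(".")[0]) <= max_distance:
            return "lookalike"
    return "unrelated"


# Constructed sample of inbound messages as a mail filter would see them.
SAMPLE_MESSAGES = [
    {"from": "cfo@examplecorp.com", "subject": "Q2 budget review"},
    {"from": "cfo@examp1ecorp.com", "subject": "Urgent wire transfer needed today"},
    {"from": "ap@acme-suppiler.com", "subject": "Updated remittance details"},
    {"from": "newsletter@gmail.com", "subject": "Weekly digest"},
]


def flag_lookalikes(messages):
    """Return the senders a filter should quarantine for review."""
    return [m["from"] for m in messages if classify_sender(m["from"]) == "lookalike"]


if __name__ == "__main__":
    for sender in flag_lookalikes(SAMPLE_MESSAGES):
        print("quarantine:", sender)
```

In practice the variant list is generated once and loaded into the mail gateway as a sender-domain blocklist, with hits routed to a review queue rather than dropped outright so that a genuinely mistyped partner address is not lost. The edit-distance catch-all is set to 1 because short registrable names would over-match at higher thresholds, and the example does not cover Unicode (IDN) homoglyphs or subdomains of a protected domain, both of which a production filter would need to handle.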