Wire Transfer Fraud, Meme Style
Welcome to a special meme edition of the WeekendByte. It’s really just an excuse to give you more memes as a distraction while I take some time off.
So, what are we doing here this week? Well, we need to talk about the middle child of cybercrime. While the first child, ransomware, captures the headlines and attention of doting security researchers, a quiet and misunderstood troublemaker with all the potential in the world operates in the background, stealing millions of dollars away from businesses every year, with no fancy malware needed.
It’s wire transfer fraud. It’s when an attacker tricks an unsuspecting victim, a company or an individual, into wiring them money. Let’s explore one of the ways attackers do this.
-Jason
p.s. next week, we’ll have another special edition with a deep dive into a security weakness in AI agents. Then, we’ll be back to our normal knowledge meme programming.
As with so many things cyber, this wire transfer fraud attack case study starts with targeted social engineering. The attacker begins with basic reconnaissance to find the finance nerds at a company they’re targeting.

With the target in focus, the attacker uses a phishing kit to craft a phishing email with the one thing that finance people hate…an overdue invoice.
The phishing lure prompts the finance employee to click on a link to view the overdue invoice, which directs them to a phishing website that looks like their Microsoft 365 login page. Like a good finance nerd, they dutifully enter their username and password to view the invoice to ensure it’s paid.

Unbeknownst to the victim, the phishing kit is a reverse proxy sitting between them and Microsoft (an adversary-in-the-middle kit). It collects their username and password and forwards them to the legitimate M365 service to begin authenticating on their behalf.
Fear not, though, for the company’s IT admin configured app-based MFA with a one-time password (OTP) for these email accounts! Except…the attacker is ready for that.
The phishing kit also collects the OTP and forwards it to the legitimate M365 service. A six-digit code says nothing about which website it was typed into, so Microsoft accepts it. Had the IT admin set up a passkey, this attack would have been thwarted: the browser only signs a passkey challenge for the real login domain, so whatever the phishing page gets back is useless to the attacker. Sorry IT team…maybe next time?

After the phishing kit authenticates to M365, Microsoft passes a session cookie back to the phishing kit. The kit keeps a copy for the attacker and passes the cookie on to the victim so the login looks normal. A session cookie is like a hall pass that users show the application to prove they are already authenticated. This avoids having to log in again with every click.
With the session cookie in hand, the attacker pops that into their browser and, voila, they have access to the finance nerd’s M365 email, with no password or OTP required, which makes them so happy they do a cookie dance, whatever the f*ck that is.
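To make the OTP-versus-passkey point above concrete, here is an added example (mine, not code from the original post or from any phishing kit). It computes a real RFC 6238 TOTP code and shows that relaying it through a proxy a few seconds later still validates, then models the one check that makes a passkey different: the browser builds `clientDataJSON` from the origin of the page it is on, and the relying party rejects any origin other than its own. The secret, challenge bytes and both origins are constructed for illustration, and the passkey signature step is left out; only the origin binding is modelled.

```python
"""
Added example (not part of the original post): why an adversary-in-the-middle
(AiTM) phishing proxy can relay an app-based OTP but not a passkey assertion.

Constructed values: the TOTP secret, the challenge bytes and the two origins.
The passkey part models only the origin check a WebAuthn relying party performs
on clientDataJSON; the signature over it is omitted for brevity.
"""
import base64
import hashlib
import hmac
import json
import struct
import time

LEGIT_ORIGIN = "https://login.microsoftonline.com"      # what the relying party expects
PROXY_ORIGIN = "https://login-microsoft0nline.example"  # constructed phishing host

# ---- App-based OTP (RFC 6238 TOTP) ----------------------------------------

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps, as most services do."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))

def otp_relay(secret: bytes, at: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it unchanged
    five seconds later. Nothing in the code names the site it was typed into, so the
    legitimate service accepts it."""
    code_typed_into_phish = totp(secret, at)
    return verify_totp(secret, code_typed_into_phish, at + 5)

# ---- Passkey (WebAuthn) assertion -----------------------------------------

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """The browser builds clientDataJSON itself from the origin of the page that called
    navigator.credentials.get(); the page cannot choose a different origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def rp_accepts(client_data_json: bytes, expected_origin: str, expected_challenge: bytes) -> bool:
    """Relying-party side: the checks that bind the assertion to the real site."""
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge))
            and cd.get("origin") == expected_origin)

def passkey_direct(challenge: bytes) -> bool:
    """Victim logs in on the real site: origin matches, assertion accepted."""
    return rp_accepts(client_data(LEGIT_ORIGIN, challenge), LEGIT_ORIGIN, challenge)

def passkey_relay(challenge: bytes) -> bool:
    """The proxy forwards the real challenge, but the victim's browser signs clientDataJSON
    carrying the proxy's origin. The relying party rejects it; no session cookie is issued."""
    return rp_accepts(client_data(PROXY_ORIGIN, challenge), LEGIT_ORIGIN, challenge)

if __name__ == "__main__":
    secret = b"constructed-totp-seed"
    now = int(time.time())
    print("OTP relayed through AiTM proxy accepted:    ", otp_relay(secret, now))
    print("Passkey used on the real site accepted:     ", passkey_direct(b"\x02" * 32))
    print("Passkey relayed through AiTM proxy accepted:", passkey_relay(b"\x01" * 32))
```

In a real WebAuthn flow the signature covers a hash of `clientDataJSON`, so the proxy cannot quietly rewrite the origin field either; that is the whole reason passkeys are called phishing resistant.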

The attacker doesn’t waste time after accessing the finance nerd’s email. They start looking for the good stuff. A simple email search for “invoice” usually does the trick.
Now, the attacker can see what vendors are sending the victim’s company invoices and what invoices the company is sending to their customers. It’s the perfect visibility to set the attacker up for the next phase of the attack.

Two paths open to the attacker. Path #1 allows them to create fraudulent invoices from the company’s vendors and send those to the finance employee for payment. This keeps the wire transfer fraud isolated to the finance nerd’s organization.
Path #2 allows the attacker to prepare fraudulent invoices from the victim company and send them to its customers from the finance employee’s email. This opens up more options to steal money but also increases the risk of exposure if one of the customers gets wise. For the sake of this meme write-up, let’s follow that second path.

The attacker begins with a bit of email housekeeping to ensure they stay hidden. They set up inbox rules in the victim’s mailbox to auto-forward emails from the victim’s customers to the attacker because they’re busy and can’t monitor just that one email box all day. They also hide those emails from the victim by moving them to a different folder away from the inbox, or deleting them outright. It’s not sophisticated, but it does the trick. It’s also noisy: every rule creation lands in the M365 mailbox audit log, which is one of the better places to catch this before the invoices go out.
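Here is what catching that housekeeping looks like, as an added example of my own rather than anything from the original post. It runs a small detector over three constructed Microsoft 365 audit records for `New-InboxRule` and flags the two rules an attacker would create (external auto-forward, and hiding anything that mentions invoices) while leaving an ordinary newsletter rule alone. The record layout and the parameter names (`ForwardTo`, `MoveToFolder`, `DeleteMessage`, `SubjectContainsWords`, and so on) follow the Exchange inbox-rule cmdlet parameters as they appear in the Unified Audit Log; the tenant domain, addresses, IPs and timestamps are made up.

```python
"""
Added example (not part of the original post): flagging the attacker's inbox-rule
"housekeeping" in Microsoft 365 Unified Audit Log records.

SAMPLE_LOG is constructed for illustration. Field names follow the shape of Exchange
mailbox-audit events for New-InboxRule / Set-InboxRule (Operation, UserId, ClientIP,
Parameters as Name/Value pairs); domains, addresses and IPs are invented.
"""
import json
import re

TENANT_DOMAINS = {"victimco.example"}   # constructed: domains the tenant owns

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
MATCH_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
LURE_WORDS = {"invoice", "payment", "wire", "remittance", "bank"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.I)

SAMPLE_LOG = r'''
{"CreationTime":"2024-05-02T08:14:09","Operation":"New-InboxRule","UserId":"ap@victimco.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"From","Value":"billing@customer-a.example"},{"Name":"ForwardTo","Value":"inv.collect@mailbox-host.example"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-05-02T08:15:41","Operation":"New-InboxRule","UserId":"ap@victimco.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":".."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-02T09:02:00","Operation":"New-InboxRule","UserId":"ap@victimco.example","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
'''

def params_of(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def external_addresses(value: str) -> list:
    """Addresses in a forward/redirect target whose domain the tenant does not own."""
    return [m.group(0) for m in EMAIL_RE.finditer(value)
            if m.group(1).lower() not in TENANT_DOMAINS]

def analyze_rule(record: dict) -> list:
    """Reasons a single inbox rule looks like BEC housekeeping (empty list if benign)."""
    p = params_of(record)
    reasons = []
    external = [addr for k in FORWARD_PARAMS.intersection(p)
                for addr in external_addresses(p[k])]
    if external:
        reasons.append("forwards mail to external address(es): " + ", ".join(external))
    hides = sorted(HIDE_PARAMS.intersection(p))
    haystack = " ".join(p.get(k, "") for k in MATCH_PARAMS).lower()
    lure = sorted(w for w in LURE_WORDS if w in haystack)
    name = p.get("Name", "")
    junk_name = bool(name) and re.search(r"[A-Za-z]", name) is None  # ".", "..", "!" etc.
    if hides and lure:
        reasons.append(f"hides mail matching {lure} via {hides}")
    if hides and junk_name:
        reasons.append(f"hides mail via {hides} under throwaway rule name {name!r}")
    return reasons

def analyze(log_text: str) -> list:
    """Run the rule checks over newline-delimited JSON audit records."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        reasons = analyze_rule(rec)
        if reasons:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "ip": rec.get("ClientIP"), "rule": params_of(rec).get("Name", ""),
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} from {f['ip']} rule {f['rule']!r}:")
        for r in f["reasons"]:
            print("   -", r)
```

The same checks port directly to a KQL or Sentinel rule over `OfficeActivity`; the point is the combination. A move-to-folder rule on its own is how normal people use email, but a move-to-folder or delete rule that keys on "invoice", or any forward to a domain you don’t own, created from an IP the finance nerd has never used, is the attacker setting up shop.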

With the email rules in place, the attacker creates fraudulent invoices that look exactly like the original invoices with one subtle difference…new bank account information. Of course, this bank account is one that the attacker or their friends control, so they can withdraw the money once the payment hits the account.

The victim’s customers receive the new banking invoices and don’t bother to call the company to verify the updated banking information because you can always trust random banking information changes from your friends. That’s a mistake.

After several months of unpaid invoices, the victim starts to wonder what is happening. They’ve got bills to pay, and those unpaid invoices are cramping their cash flow.
They call their delinquent customers, asking them for the payment status. At this point, their customers inform them they paid the invoices and sent them to the new bank account. Now, the panic sets in for the finance nerds.

By this time, the attacker has already transferred the stolen funds through different bank accounts and set themselves up for a nice payday.
There’s an easy way to keep this from happening. Any time a vendor asks you to change where their payment is going, and even for new vendors, call a known good number for the company to verify their banking details. Use the number you already have on file, not one printed on the new invoice or in the email that asked for the change, because the attacker controls both of those.

If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!