Posted by David Harley on February 9, 2015.
A very effective piece of social engineering as targeted phishing has been reported by Omaha.com. Over a few days in 2014, it seems that the corporate controller at commodities trader Scoular transferred three large payments adding up to $17.2 million to Shanghai Pudong Development Bank, to be held on behalf of a company called Dadi Co. Ltd. Keith McMurtry believed he was acting on the instructions of chief executive Chuck Elsea, even though the messages didn’t come from Elsea’s normal email address.
The article relates that the scammer wrote “This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.” It seems that the scammer went to some lengths to allay suspicions: according to the FBI, McMurtry also received instructions that appeared to come from the company’s accounting firm, including a phone number on which to contact the accounting firm staff member, whose name had previously been included in mail from the fake chief executive. And the messages arrived at a time when Scoular apparently really was considering expanding into China.
I don’t know if that last point was coincidence or the result of careful targeted research by the scammers: what does seem likely is that a culture of secrecy was a major factor in the effectiveness of the scam, impairing the day-to-day communication between executives that might otherwise have alerted them to the issue. There is a strong echo here of those 419s/Advance Fee Frauds that commonly use the ‘need for secrecy’ and an appeal to authority (in this case the Securities Exchange Commission as well as Scoular’s own chief executive) to direct communications between scammer and victim into channels controlled by the scammer. It’s certainly a cut above those classic scams involving invoices for services that haven’t actually been supplied, which tend to be for relatively small amounts that won’t raise an immediate red flag.
David HarleyShare This: Submitted in: David Harley | Tags: corporate scam, FBI, Scoular, social engineering, targeted phishing
Top 100 Information Security Blogs
Independent news and views on the confluence of cybersecurity, politics and gaming.
We take neither advertising nor sponsorship so we can guarantee our independence.