In the security world, it is common to find certain threats with a regionalized approach. Traditionally, that approach shifted from one geography to another after months of targeting specific demographics within a geography. The shifts usually happened no more than a couple of times a year, and usually played out over several months, making them easier to follow and to mitigate. As with everything else in the technology world, things are moving faster and it is becoming harder to predict what will come next.
Several sources around the world are reporting that malware attacks have focused their efforts on unsuspecting Canadians over the past few weeks in what is being called the fastest geographic transition they have ever seen. The shift from other geographies to a global focus on Canada appears to be more organized than sources have seen in the past. “The fact that Canada is being targeted by so many all at once is either a really big coincidence or more organized than we tend to believe,” stated Joe Ussia, CEO of Infinite IT. “From ‘Fake security alerts from Microsoft’ to ‘Fake Canada Post documents’ to ‘Fake Security requests from our nation’s leading banks’ are all causing a lot of havoc among Canadians. So far, mostly individuals have been targeted, and successfully swindled of their money. We predict that companies will be next, and it’s important that we communicate to our staff on how to identify and then handle such fake requests.”
Although compromising banking information is not new in Canada, the way that criminals are doing it now has gotten increasingly creative. One of our good business partners owns several retail locations that offer money transfer services, and they had someone target one of their locations so creatively that what happens next will make you cringe.
What happened to this store manager (we will call him Hernan; the name has been changed to protect him) happened so fast that he was helpless to stop it.
Hernan received an email that was perfectly formatted and appeared to come from a legitimate address at one of the money transfer services the store uses. It contained the typical notice that the help desk needed to work on his terminal, along with a link to a client software download to install in preparation for the call.
That afternoon, Hernan received a phone call from “Help Desk” (which is common), and the caller ID even showed the help desk’s company name. Hernan was given an odd set of instructions, and what happened next was quite embarrassing.
They first asked Hernan to answer some “security” questions, which, ironically, matched the list of questions that are typically asked. Hernan answered them as he usually would. For the questions he didn’t have an answer to, he said “that is not on my profile as a question,” and the caller responded, “Excellent, we need to make sure you are who you are, so it’s important for us to ask every question.”
Hernan thought that made sense. After all, he had received an email telling him they would be calling, and the call even came in under the proper caller ID name.
They then “verified” him as a user (ironically, he could have made up all the answers and they would still have told him they were correct). They then asked Hernan to log into their remote access software, and instantly they had control of his PC. What happened next was incredible.
They asked Hernan to log into the back-end “money transfer portal” to validate his account. Hernan complied. Within (literally) seconds, the “help desk” rep on the phone depleted the entire account through several $1,000 transactions. In total, the person stole over $10,000 from the store in at most 5 minutes.
Hernan tried to stop the theft, but the thief blocked his efforts. Finally, Hernan unplugged the PC and immediately called the help desk directly; they (obviously) knew nothing about what had just happened. Hernan then called the police, who have been able to do little to nothing about the theft.
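One control that would have cut those five minutes short is a transfer-velocity rule on the money transfer portal's side: hold the account for a callback as soon as a terminal sends more transfers, or more money, in a few minutes than it normally does. The following is an added example written for this article; it is not code from Infinite IT, the store, or the money transfer service. The `terminal,timestamp,amount` log format, the thresholds and the log lines are all constructed assumptions, not data from the incident.

```python
"""Transfer-velocity rule over a money-transfer terminal log.

Added example, not code from Infinite IT or any money transfer service.
The log format, thresholds and sample lines below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_COUNT = 3                  # assumed: more than 3 transfers in the window ...
MAX_TOTAL = 5000.0             # assumed: ... or more than $5,000 in the window

# Constructed sample log (not the incident's real data): one quiet terminal
# and one terminal pushing out $1,000 transfers every few seconds.
SAMPLE_LOG = """\
# terminal,timestamp,amount
T-02,2020-01-01T09:12:00,300.00
T-17,2020-01-01T14:31:05,1000.00
T-17,2020-01-01T14:31:19,1000.00
T-17,2020-01-01T14:31:34,1000.00
T-17,2020-01-01T14:31:48,1000.00
T-17,2020-01-01T14:32:02,1000.00
T-02,2020-01-01T15:40:00,250.00
""".splitlines()


def parse_log(lines):
    """Parse 'terminal,ISO-timestamp,amount' lines into time-sorted tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        terminal, ts, amount = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), terminal, float(amount)))
    return sorted(events)


def velocity_alerts(lines):
    """Return (terminal, time, count, total) once per burst, at the moment a
    terminal first exceeds MAX_COUNT transfers or MAX_TOTAL dollars in WINDOW."""
    recent = defaultdict(deque)  # terminal -> (time, amount) pairs inside WINDOW
    held = set()                 # terminals already alerted in the current burst
    alerts = []
    for ts, terminal, amount in parse_log(lines):
        window = recent[terminal]
        window.append((ts, amount))
        # Slide the window: drop anything older than WINDOW relative to now.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        count = len(window)
        total = sum(a for _, a in window)
        over = count > MAX_COUNT or total > MAX_TOTAL
        if over and terminal not in held:
            alerts.append((terminal, ts, count, round(total, 2)))
            held.add(terminal)
        elif not over:
            held.discard(terminal)  # burst has drained; re-arm the alert
    return alerts


if __name__ == "__main__":
    for terminal, ts, count, total in velocity_alerts(SAMPLE_LOG):
        print(f"HOLD {terminal} at {ts.time()}: {count} transfers, ${total:,.2f} in {WINDOW}")
```

On the constructed log the rule fires on terminal T-17 at its fourth $1,000 transfer, well before the account is empty, and stays quiet for the terminal sending two small transfers hours apart. The alert is the point at which to freeze the terminal and phone the store on a number already on file, rather than the number that called in.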
This is how crafty the hackers are getting today, and it is only getting scarier as threats become more creative and complex. What is to come tomorrow is limited only by the hacker’s imagination, so what can companies really do to keep themselves safe?
Infinite IT recommends having a strong security strategy to protect your company from malware and ransomware attempts. Having a next generation perimeter solution IS critical, but it isn’t the end of the line. AntiSpam from a reputable source (such as our Infinite Cloud AntiX solution) to scan all emails coming through on “Trusted” ports is just as important. Having a properly deployed and managed security application layer in the environment is also crucial. AntiVirus and AntiMalware applications on ALL devices in the environment (desktops, laptops, servers, virtual endpoints, mobile endpoints and so forth) are becoming more important by the day. Investing in appropriate security technologies to protect your employees from falling prey to these attacks is essential. Businesses are particularly at risk because commercial bank accounts usually hold more money, which makes them a more attractive target for criminals; and the more employees a company has, the more money may flow through it, which in turn can make it an easier target.
Then there is the SOCIAL aspect of security. Every company needs to communicate to its staff that it is up to individuals to take simple steps to prevent infection and financial losses to the company. Simple things like:
- Be vigilant when reading email messages that contain links or attachments.
- Never enable macros in documents that arrive via email.
- Never run executable files linked from an email message.
- Authenticate the source manually – if you do get an email that looks 100% legitimate, CALL the person and verify that what they sent is actually legitimate.
- Restrict access to only those employees who need it to do their job, and provide enhanced education to those employees to protect them even further.
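The first three items on the list can also be applied mechanically before a message ever reaches an inbox. Below is an added example, not Infinite IT's code and not its Infinite Cloud AntiX product, that flags executable downloads linked from a message, macro-enabled or executable attachments, and links whose host lies outside the sender's domain (the case the fourth item says to verify by phone). The extension lists, the sender/link domain comparison, and the two sample messages are assumptions constructed for illustration; it uses only the Python standard library.

```python
"""Inbound-mail triage rules mirroring the staff checklist above.

Added example, not Infinite IT's code. The extension lists, the domain
comparison and the sample messages are constructed assumptions.
"""
import email
import email.utils
import posixpath
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed risky extensions: macro-enabled Office formats ("never enable macros")
# and executables/scripts ("never run executable files linked from an email").
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
EXEC_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_links(msg):
    """Collect http(s) URLs from every text part of a parsed message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def sender_domain(msg):
    """Domain of the From: address; the display name is ignored on purpose."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_bytes):
    """Return human-readable findings for one raw RFC 822 message ([] = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_domain = sender_domain(msg)

    for url in extract_links(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if posixpath.splitext(parsed.path.lower())[1] in EXEC_EXTS:
            findings.append(f"link to executable: {url}")
        # Assumed rule: a link leaving the sender's own domain is the case the
        # checklist says to confirm by phoning the sender.
        if from_domain and host and host != from_domain \
                and not host.endswith("." + from_domain):
            findings.append(f"link host {host} differs from sender domain {from_domain}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = posixpath.splitext(name)[1]
        if ext in MACRO_EXTS:
            findings.append(f"macro-enabled attachment: {name}")
        elif ext in EXEC_EXTS:
            findings.append(f"executable attachment: {name}")
    return findings


def sample_message():
    """Constructed lure resembling the one in the story (not the real email)."""
    msg = EmailMessage()
    msg["From"] = "Help Desk <support@transferco.example>"
    msg["To"] = "manager@store.example"
    msg["Subject"] = "Terminal maintenance scheduled today"
    msg.set_content(
        "Our help desk will call this afternoon.\n"
        "Please install the remote client first:\n"
        "http://update-portal.example/remote-client.exe\n"
    )
    msg.add_attachment(
        b"not a real document",
        maintype="application",
        subtype="vnd.ms-word.document.macroEnabled.12",
        filename="setup-notes.docm",
    )
    return msg.as_bytes()


def clean_message():
    """Constructed benign internal notice, for comparison."""
    msg = EmailMessage()
    msg["From"] = "IT <it@store.example>"
    msg["To"] = "manager@store.example"
    msg["Subject"] = "Updated expense policy"
    msg.set_content("The policy is posted at https://intranet.store.example/policy\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", sample_message()), ("clean", clean_message())):
        print(label, "->", triage(raw) or ["no findings"])
```

The lure is flagged three times (an executable download link, a link host that is not the sender's domain, and a macro-enabled attachment), while the internal notice produces no findings. A rule like this belongs in front of the inbox as a second opinion to the checklist, not as a replacement for the phone call: a convincing message with none of these traits still gets the call.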
The only way to protect ourselves is to be educated and to have advanced threat security solutions; with only one or the other, you have fought only half the battle. Protect yourselves and your companies, and hopefully these attackers will give up on Canada and focus elsewhere.
P.S. For the record, the retail store never did recover its money, and the money transfer service actually initiated a fraud investigation against the company and the individual. Although charges have not been officially laid yet, as the investigation is ongoing, we were told that the real criminals in the case will get away, since they were operating from another country and our police have no jurisdiction to enforce the law outside of Canada.