Clever money scam

Categories: Security

The story of a security breach that recently happened on a large scale in the wild.

  • Company sends invoices by email.
  • Some hackers intercept the SMTP traffic and replace the bank account numbers on invoices that are at least 15K.
  • Customers pay to this wrong bank account.
  • Because the invoices are for their 'bigger' clients, the company decides to wait before complaining that they didn't receive the payment.
  • They finally do, and notice that their customers have been paying to the wrong accounts.
  • Digital thieves gone with the wind.

Lessons learned

  • Always check that you are paying to the correct bank account.
  • We should always encrypt SMTP.
  • Social engineering tricks are too easy to implement (they used a copy of the online accounting tool to make it look more real).
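
The first lesson can be automated on the paying side. The sketch below is an added example, not part of the original story: it pulls every IBAN out of an invoice's text and compares it with the account on file for that vendor. The vendor name, the invoice texts and the `KNOWN_IBANS` table are constructed for illustration, and the table is assumed to have been confirmed through a channel other than email. Note that a swapped account number still passes the IBAN checksum, so only the comparison with the record on file catches it.

```python
import re

# Constructed vendor master data; assumed to be verified out-of-band (phone, contract).
KNOWN_IBANS = {"ACME BV": {"NL91ABNA0417164300"}}

# Matches IBANs written with or without single spaces between groups of four.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

# Constructed invoice bodies: the second has the account replaced in transit.
GENUINE = "Invoice 2016-001\nAmount due: EUR 18500\nPay to IBAN: NL91 ABNA 0417 1643 00\n"
TAMPERED = "Invoice 2016-001\nAmount due: EUR 18500\nPay to IBAN: GB82 WEST 1234 5698 7654 32\n"

def normalize(iban):
    """Strip whitespace and upper-case so printed and stored forms compare equal."""
    return re.sub(r"\s+", "", iban).upper()

def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: move the first 4 chars to the end, map A..Z to 10..35."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1

def check_invoice(vendor, body):
    """Return (iban, verdict) for every IBAN found in the invoice text."""
    results = []
    for match in IBAN_RE.finditer(body):
        iban = normalize(match.group())
        if not iban_checksum_ok(iban):
            verdict = "invalid-checksum"
        elif iban in KNOWN_IBANS.get(vendor, set()):
            verdict = "ok"
        else:
            # A well-formed IBAN that is not on file: hold payment and call the vendor.
            verdict = "unknown-account"
        results.append((iban, verdict))
    return results

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_invoice("ACME BV", body))
```
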


It's 2016 and a lot of online payments still rely on the SMTP protocol. How are we going to teach people that this is not a good thing? And what will companies do to spy on those mails once we all start using encrypted mail?

HTTPS comes to mind... we finally got people looking at the green icon and now we are inserting 'invisible' proxies. I guess... I will be a member of the last generation that knew privacy and digital security.