Security vendor Symantec has given fresh details of a series of sophisticated cyber attacks targeting mainly French companies in which the criminals combine e-mail with voice calls to steal money.
“These tactics, using an email followed up by a phone call using perfect French, are highly unusual and are a sign of aggressive social engineering,” the company said in a blog post.
Symantec said the attacks, which began in February this year, were financial “and continue to this day.”
It cited various examples, without naming the companies or organisations involved.
“In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service,” Symantec said.
“A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.”
The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control server located in Ukraine, the company said.
“Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files.”
In another case described by Symantec, the attacker initially compromised systems within an organization using a RAT. The attacker then retrieved identifying information, including disaster recovery plans, of the organization’s bank and telecom providers, its points of contact with both providers, and its bank and telecom account data.
“Using this data, the attacker was able to impersonate a company representative and called the organization’s telecom provider. They proved their authenticity to the telecom provider, claimed that a physical disaster had occurred and said that they needed all of the organization’s phone numbers to be redirected to attacker-controlled phones.
“Immediately following the phone number redirection, the attacker faxed a request to the organization’s bank, requesting multiple large-sum wire transfers to numerous offshore accounts. As this was an unusual transaction, the bank representative called the organization’s number on record to validate the transaction. This call was redirected to the attacker who approved the transaction.”
Symantec said the funds were transferred to multiple offshore accounts and were subsequently laundered further through other accounts and monetary instruments.
The vendor said it had determined that the attacker was located in Israel or routing attacks through that country. “The originating IP addresses in Israel, however, are unusual as they are within a netblock for mobile customers of an Israeli telecom company. By performing traffic analysis, we were able to determine that the attacks are indeed originating from a mobile network and, crucially, that the attacker is using mobile Wi-Fi hotspots.”
These hotspots, which provide internet access to a computer system through the mobile phone network, “potentially provide anonymity for the attacker if the GSM SIM card for the mobile Wi-Fi hotspot is purchased in cash at a bazaar or private sale.”
Many 3G providers around the world sell prepaid data plans without verifying the identity of the buyer. “As a result, telecom records will not lead to an individual,” Symantec said. “The traffic analysis indicates that the attacker was on the move when they were conducting the attacks. These operational security techniques make the attacker extremely difficult to trace.”
- About Corero
- Investor Relations
- News Room
- Executive Management Team
- Corero Offices
- Contact Us