A global charity, responsible for distributing hundreds of millions of dollars in aid, appeared to be the victim of a computer intrusion in which an attacker intercepted two wire transfers and re-directed them to a bank associated with terrorist financing. Stroz Friedberg voluntarily deployed its digital forensics team, forensic accountants and security advisors to investigate the wire fraud and help prevent further occurrences.
No Stone Left Unturned. On site at the charity, our technical experts forensically imaged and analyzed the computer that had generated the tampered wire transfers. We preserved and analyzed system firewall logs and assessed the timeline of access-control logs acquired from the charity’s banking institution. Thorough interviews of the charity’s accounting and IT personnel were also conducted. Stroz Friedberg synthesized this information and presented the bank with its investigative findings and recommendations to improve controls and help prevent further such incidents.
Unraveling the Cybercrime. The intrusion occurred when a staff accountant, while working on her office computer, unknowingly opened a spear phishing e-mail from her personal webmail and clicked on a link purporting to be a United Parcel Service tracking receipt. Alas, her work computer was instantly contaminated with powerful malware that enabled a “man in the browser” attack. Once downloaded, this malicious software enabled the attacker to hijack the employee’s open wire-transfer sessions, change the details of electronic payments and, ultimately, re-route the charitable funds to the attacker’s destination of choice. (Definitively proving there is no honor among thieves!)
The charity’s bank immediately alerted the goodwill organization that it might be the victim of malware. Unfortunately, the charity’s IT department did not have the proper suite of remediation tools, nor did it institute one of the most critical processes of a cyber incident response plan: disconnecting a potentially infected machine from the network (while leaving it powered on, so that volatile evidence is preserved) before attempting to conduct a full and effective remediation.
The intrusion began on a Friday prior to a three-day holiday weekend. It was two business days after the long weekend when the bank reported that two of the charity’s sizeable wire transfers had been re-directed to an unintended account. By then, the money was irretrievably lost.
Some Stroz Friedberg Recommendations Delivered to the Charity:
- Ban webmail use for accounting employees and executives
- Eliminate administrative rights on desktop and laptop computers to help prevent the execution of downloaded malware
- Strengthen the anti-virus platform
- Filter executable files at the firewall level
- Create an incident response plan with better escalation policies
- Enhance controls by mandating a two-person review of each wire before final authorization
- Shorten the reconciliation of paid wire transfers to one day
All of the above should significantly help the charitable organization avoid a future similar intrusion and theft of outgoing aid.
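The two-person review and one-day reconciliation controls from the list above, as an added example (this is not code from the Stroz Friedberg engagement or from the charity’s systems): the person who creates a wire cannot approve it, the reviewer re-keys the beneficiary account from the source document rather than reading it off the screen, and a daily reconciliation compares what the bank actually paid against what was approved. A beneficiary account that differs between the approved wire and the bank statement is exactly the alteration a man-in-the-browser attack produces, so it is flagged as an exception; wires sent but not confirmed within the reconciliation window are flagged as well. All users, account numbers, amounts and dates are constructed for the example.

```python
"""Dual-control wire approval plus next-day reconciliation.

Added example, not Stroz Friedberg's or the charity's code. Every name,
account number, amount and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Wire:
    wire_id: str
    amount: float
    beneficiary_account: str          # entered by the maker from the invoice
    created_by: str
    approved_by: Optional[str] = None
    sent_on: Optional[date] = None


class DualControlError(Exception):
    """Raised when a wire fails the two-person review."""


def approve(wire: Wire, reviewer: str, rekeyed_account: str) -> Wire:
    """Second-person review. The reviewer must be a different user and must
    re-key the beneficiary account from the source document; a value read
    back from a browser screen could already have been tampered with."""
    if reviewer == wire.created_by:
        raise DualControlError(
            f"{wire.wire_id}: reviewer must not be the person who created the wire")
    if rekeyed_account != wire.beneficiary_account:
        raise DualControlError(
            f"{wire.wire_id}: re-keyed beneficiary account does not match")
    wire.approved_by = reviewer
    return wire


def reconcile(approved: Dict[str, Wire], statement: List[dict],
              today: date, max_age_days: int = 1) -> List[Tuple[str, str]]:
    """Compare the bank's paid-wire statement against approved wires.
    Returns (wire_id, reason) exceptions for anything that needs a human."""
    exceptions: List[Tuple[str, str]] = []
    seen = set()
    for line in statement:                       # what the bank actually paid
        wid = line["wire_id"]
        seen.add(wid)
        wire = approved.get(wid)
        if wire is None or wire.approved_by is None:
            exceptions.append((wid, "paid without two-person approval"))
            continue
        if line["beneficiary_account"] != wire.beneficiary_account:
            exceptions.append((wid, "beneficiary account altered after approval"))
        if abs(line["amount"] - wire.amount) > 0.005:
            exceptions.append((wid, "amount altered after approval"))
    for wid, wire in approved.items():           # sent but never confirmed
        if (wire.sent_on is not None and wid not in seen
                and (today - wire.sent_on).days > max_age_days):
            exceptions.append((wid, f"sent but unconfirmed after {max_age_days} day"))
    return exceptions


def same_person_is_rejected() -> bool:
    """A maker trying to approve her own wire must be refused."""
    w = Wire("W-0001", 100.0, "000111222", created_by="alice")
    try:
        approve(w, reviewer="alice", rekeyed_account="000111222")
    except DualControlError:
        return True
    return False


def run_demo() -> List[Tuple[str, str]]:
    """Constructed scenario: wires sent on a Friday, reconciled the Tuesday
    after a long weekend. W-1002's beneficiary was changed in flight."""
    sent = date(2015, 1, 2)                      # constructed Friday
    today = date(2015, 1, 6)                     # constructed Tuesday
    approved = {
        "W-1001": Wire("W-1001", 250000.00, "111222333", "alice", sent_on=sent),
        "W-1002": Wire("W-1002", 480000.00, "444555666", "alice", sent_on=sent),
        "W-1003": Wire("W-1003", 12000.00, "123123123", "alice", sent_on=sent),
        "W-1004": Wire("W-1004", 9000.00, "777000111", "alice", sent_on=sent),
    }
    for wid in ("W-1001", "W-1002", "W-1003"):   # W-1004 never reviewed
        approve(approved[wid], "bob", approved[wid].beneficiary_account)
    statement = [                                # constructed bank statement
        {"wire_id": "W-1001", "amount": 250000.00, "beneficiary_account": "111222333"},
        {"wire_id": "W-1002", "amount": 480000.00, "beneficiary_account": "999888777"},
        {"wire_id": "W-1004", "amount": 9000.00, "beneficiary_account": "777000111"},
    ]
    return reconcile(approved, statement, today)


if __name__ == "__main__":
    for wire_id, reason in run_demo():
        print(f"EXCEPTION {wire_id}: {reason}")
```

With the recommended one-day reconciliation window, the altered beneficiary on W-1002 surfaces on the first reconciliation run after the wire is paid; with the charity’s original multi-day cycle, the same check would not have run until after the holiday weekend, by which time the funds were gone.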