[AusNOG] spear phishing attack

Nathan Gardiner ngardiner at gmail.com
Mon Feb 4 12:17:53 EST 2019


Hi Scott,

The bank account would be controlled by the fraudsters (most likely using a
mule's account). The idea is that with the number of invoices that go
through any organisation on a monthly basis, they can simply slip in an
invoice for a supplier that you may or may not recognise purporting to be
an approved expense from an officer of the company that they've looked up
online.

Another version of this has the fraudster requesting/approving an update to
an existing vendor's BSB and account number, so that all invoices coming
from them from that moment on get paid to the fraudster's account instead,
but that requires a bit more research as they'll need to be aware of
vendors that you are actively working with - that would be more of an
indication that an organisation's email was compromised first (or that they
have some other vector for obtaining this information). In some cases they
may just use industry knowledge to guess at major suppliers.

I would guess (but don't personally know) that the fraudsters engineer
sufficient distance between the account holder and themselves so as to not
be particularly concerned about enforcement action, and I suspect not a lot
of these cases end up getting reported anyway. It's an interesting question
as you'd think bank KYC regulation would help to protect against these
scams.

There's some more information about these schemes here:
https://www.scamwatch.gov.au/types-of-scams/buying-or-selling/false-billing


On Mon, Feb 4, 2019 at 11:42 AM Scott Wilson <siridar at gmail.com> wrote:

> Morning all,
>
> Just got my first ever "live" spear phishing attack - an email slipped
> through purporting to be from our MD to our CFO, asking for a $14k invoice
> to be paid. They've named an Australian BSB and account #, so I'm curious
> as to what the attack vector is - is that bank account compromised? Do they
> rely on a bounceback after a few days and then follow up with "oh,
> actually, that should have gone via Western Union..." or is there something
> more sophisticated at work?
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>