Who
A Palmerston North-based professional services business (Victim A, Supplier), where users routinely use their computers for eight hours a day. The business had up to date anti-virus software, an enterprise-grade firewall, and systems running the latest version of Microsoft Windows and Office.
What
A business (Victim B, Customer) that Victim A does business with frequently had their own systems compromised. This enabled the hackers to send e-mails to Victim A masquerading as Victim B. As the e-mails came from the Victim B’s e-mail systems they had a higher degree of authenticity.
How
Once the hackers had successfully established their credentials as an authorised sender, they were able to request that a legitimate invoice payment be directed to a new account.
Impact
Victim A paid the overdue invoice of over $50,000 to a bank account that had previously been compromised by the hackers. The mis-paid invoice was not identified until further overdue account invoices were sent by Victim B. By this stage the money had been shipped offshore and was unrecoverable.
Over six months of review by the insurance company and security analysts were required to establish fault.
This required significant internal investment by both companies as well as untold stress on the staff members involved.
Analysis
The victim's systems were never compromised, though Victim B’s systems were. This added an air of legitimacy to the e-mail exchanges requesting the change of account details.
There were however key indicators that should have raised alarm bells with the staff concerned. This included:
- Victim B was New Zealand based; though they were requesting payment be made to an international bank account.
- The staff needed to ask the hackers multiple times (over 3) for clarification of important account information