SS&C Technologies just had a very, very bad day.
According to a court filing dated September 16, 2016, a member of their staff “facilitated an amateurish fraudulent wire transfer request scheme and disbursed almost $6 million in cash” from one of their limited partner’s accounts.
In other words, they fell for a so-called business email compromise attack — and as of this morning they were suspending operations in light of the legal action and tremendous financial loss that followed.
It’s just another link in what seems like an unstoppable chain of attacks, but we wanted to peel back the covers a bit and look at why these kinds of attacks keep happening, and what you can do to protect your company.
Just Another Email
According to CSO Online, “over twenty-one days, SS&C processed six fraudulent transactions, draining the Tillage fund of $5.9 million.” The deception relied on a single factor: a look-alike domain, sent from tilllage.com, instead of tillage.com – notice the extra ‘l’?
The emails themselves were short, asked directly for a wire, and most importantly were received and acted upon in violation of the firm’s policies and controls:
Despite SS&C being a client of a well-known email security provider (Barracuda Networks, according to its MX records), the attack reached staff inboxes, and from there it was a classic case of social engineering: urgency (“confirm…that the wire will go out today”) coupled with a hard-to-spot domain name spoof.
Not Uncommon, But Not Unstoppable
Analyzing a representative sample of the GreatHorn Data Cloud for threat metrics yields sobering statistics: in the past 6 months alone, we’ve seen a return to form on attempted domain spoofs, which dropped off earlier this year in favor of a more basic form of spoofed “return path” emails:
This is troubling, as look-alike / spoofed domains tend to be highly targeted attacks that exploit how hard it is for users to tell mail from trusted vendors, business partners, or even their own colleagues apart from mail sent from visually similar source addresses.
Considering that for every one of those spoofs, there was a potential multi-million dollar wire transfer fraud attack, it’s easy to understand why so many organizations are falling victim to these types of attacks.
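One concrete check a mail pipeline can apply to the pattern in this case (tilllage.com standing in for tillage.com) is to score each inbound sender domain against an allow-list of partner domains by edit distance, so that a one-character insertion, deletion or adjacent swap is flagged for out-of-band verification before anyone acts on a wire request. The code below is an added example and not GreatHorn’s or SS&C’s; the allow-list entry example-fund.com and the From headers are constructed for illustration, and tillage.com is the only domain taken from the post.

```python
from email.utils import parseaddr

# Constructed allow-list of partner domains allowed to request wires.
# tillage.com is the domain named in the post; example-fund.com is made up.
TRUSTED_DOMAINS = {"tillage.com", "example-fund.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or swap two
    adjacent characters, each at cost 1. The extra 'l' in tilllage.com is one
    insertion, so it scores 1 against tillage.com."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header, '' if unparseable."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, nearest_trusted_domain, distance).
    'trusted'   exact allow-list match;
    'lookalike' within max_distance edits of a trusted domain but not equal, the
                case to hold for out-of-band verification before acting on a wire;
    'unknown'   unrelated to any trusted domain (normal policy applies)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain, 0
    if not domain:
        return "unknown", None, None
    dist, nearest = min((edit_distance(domain, t), t) for t in trusted)
    if dist <= max_distance:
        return "lookalike", nearest, dist
    return "unknown", None, None


if __name__ == "__main__":
    # Constructed From: headers modelled on the post's description of the emails.
    for hdr in ("Treasury <ops@tillage.com>", "Treasury <ops@tilllage.com>", "Treasury <ops@gmail.com>"):
        print(hdr, "->", classify_sender(hdr))
```

The same scoring should be run on the Return-Path and Reply-To domains as well, since the post notes that spoofed return paths were the more common variant earlier in the year.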
What Can You Do?
Relying on old-school technology – designed to catch generic malware and spam – to protect against these kinds of attacks won’t work. Attackers know how to bypass email gateways, and even when strong security tools are in place, a significant number of attacks will find their way into user mailboxes.
Once there, even regular security training (SS&C’s internal policy was that wires required four authorized approvals!) isn’t sufficient. Human psychology is a classic security vulnerability, and users fall victim to these types of attacks because criminals know how to manipulate their targets into doing things they should not.
Stopping business email compromise is only possible when your security is embedded inside of the business email flow. GreatHorn can be connected to a Google Apps or Office 365 domain in just minutes, and provides automated, comprehensive protection from name spoofing, domain look-alike, wire transfer fraud, and other forms of highly targeted attacks.