Anatomy of the CEO Con Job

How Chinese hackers pulled off one of India’s biggest cyber fraud

Admin, published in ASSERTION, Mar 26, 2019

The CEO con job is one of the most daring heists we have seen in the last few years. The hackers spent months targeting the company, found ways around all of its security infrastructure, and ended up conning the regional head of a multinational corporation into

  • Believing that he was part of a secretive acquisition bid
  • Assuming that the emails and phone calls from the MNC's CEO were legitimate
  • Transferring millions of dollars to a remote bank, from where the money disappeared into thin air

The scam could have been much bigger: money had already been transferred three times. A visit by the real CEO to the regional office exposed the scam, and a fourth transfer was stopped in the nick of time.

Our analysis shows that the scam operated in the following manner:

First Contact

Email

The scam began when the Regional Head, Avdesh Singh, received an email, apparently from the CEO, Mario Botelli, about a secret acquisition that needed to be made in China. That email had in fact been spoofed: it was only made to appear as if it had been sent by the CEO.
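The checks a mail gateway or SOC analyst would run on a message like that, as an added example (not code from the original post): does an executive's display name sit on an address outside the corporate domain, did the receiving mail server's Authentication-Results record a DMARC pass for the From domain, and are replies quietly redirected elsewhere? The two messages, the corporate domain example.com, the executive list and the lookalike domain examp1e.com are all constructed assumptions for illustration.

```python
"""Spoof check on a received message: executive display name on a foreign
address, DMARC verdict for the From domain, and Reply-To redirection.

Added example, not code from the original post. The messages below are
constructed; the corporate domain (example.com), the executive list and the
lookalike domain (examp1e.com) are assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"          # assumed corporate domain
EXECUTIVES = {"mario botelli"}            # assumed display names worth impersonating


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header
    that the receiving mail server stamped on the message (absent => empty dict)."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def spoof_findings(raw):
    """Return the reasons to distrust the message (empty list = nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name on an address outside the corporate domain.
    if name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"display name '{name}' with non-corporate address {addr}")

    # 2. No DMARC pass for the From domain: the sender could not be authenticated.
    dmarc = auth_results(msg).get("dmarc", "none")
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc} for From domain {from_domain}")

    # 3. Replies silently diverted to another domain, a classic BEC move.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} does not match From domain {from_domain}")
    return findings


# Constructed sample: lookalike domain, the CEO's display name, replies diverted
# to a free-mail style address, and a DMARC failure recorded by the gateway.
SPOOFED = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: Mario Botelli <mario.botelli@examp1e.com>
Reply-To: Mario Botelli <ceo.private.office@mail.example.net>
To: avdesh.singh@example.com
Subject: Confidential - acquisition in China

Avdesh, I need your discreet help with an acquisition. Keep this between us.
"""

# Constructed sample: a genuine message from the real domain, fully authenticated.
GENUINE = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Mario Botelli <mario.botelli@example.com>
To: avdesh.singh@example.com
Subject: Year-end visit

Avdesh, confirming my visit to the regional office next week.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoof_findings(raw) or "no findings")
```

The DMARC check only means something if the receiving server actually evaluates DMARC and stamps its own Authentication-Results header; an attacker can add a forged header of that name, so the gateway should strip any such header that arrives from outside before adding its own.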

The Conferences

First Contact — Phone

Vishing (voice phishing) is a scamming tactic that uses seemingly legitimate caller IDs and telephone numbers to persuade unsuspecting individuals to disclose valuable information or take an action. It works just like email spoofing, where the sender address is made to look as if it comes from a trusted source: the caller ID shown to the called party is asserted by the caller, not verified by the network, and because people usually trust the caller ID and the phone service, a spoofed number disguises the true origin of the call and makes it seem to come from a legitimate source.

Scammers carry out vishing in several ways; Hosted#, Whitelist# and Registration# scams are some of the most common techniques used to steal information and extort money.

In this scam, Avdesh was asked to join telephone conferences to discuss the acquisition. The hackers used the whitelist tactic: they compromised the firm's on-premises unified communications (UC) systems and placed their own IP address on the whitelist. Once there, they could eavesdrop on phone calls by joining conference calls as apparently legitimate participants. This made it easy for them to learn the accents and conversational mannerisms of key employees, a critical requirement for the next step.

The Hit

The hackers then arranged a series of conference calls to discuss a possible “secretive” and “highly confidential” acquisition in China. Several people played various roles during these calls, pretending to be the CEO, a top Switzerland-based lawyer, and other senior executives of the company.

On these calls, they convinced Avdesh that the acquisition could only be pulled off if funds were wired to bank accounts in Hong Kong, and that regulatory rules prevented a direct payment from corporate headquarters. Payments were then made in three separate tranches of $5 million, $9 million and $4 million. A regular year-end visit by the real CEO spared the company the fourth tranche, which was supposed to be the last.

Our Analysis

These techniques are hard to trace, which makes it difficult for the authorities to catch the scammers, and complex system architectures create more attack vectors. The best defense is therefore prevention: an organization that knows the pattern and has the right controls in place greatly reduces the chance of becoming the next victim.

The right security posture keeps you protected and ensures that any attempt to defraud you is either prevented or quickly and easily detected. That posture requires proper defense in depth; perimeter defenses on their own are inadequate or, as in this case, irrelevant.

In the case of UC systems, security often consists of just a Session Border Controller (SBC), which is designed to stop head-on attacks at the network border. Intelligent scams often make the SBC irrelevant: here the hackers got in through guile and misdirection, and once inside they behaved like legitimate employees, using the regular email system and conference call facilities. An SBC simply has no capability to detect or prevent this kind of attack.

Actions:

To prevent such scams, ensure:

  • That executive bridges support dial-out only, so that nobody except the host can dial in
  • End-to-end encryption of voice communications (this protects calls on the network path; it does not help against an attacker who has already been accepted as a participant)
  • Access controls for the UC and conference systems, including who may change whitelists of allowed addresses

To detect such scams early, ensure that you have controls to detect:

  • Impossible travel: the same login used from devices around the world within a span of time too short for the user to have travelled between them.
  • Unregistered phone numbers: from the conference logs, check that every participant joined from the phone number registered for them in the directory (LDAP).
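Both detections in the list above, run over constructed logs, as an added example (not the post's or Assertion's code). The log line formats, the directory export, the IP addresses and the coordinates are assumptions made for illustration; a real deployment would feed the same logic from its own conference call detail records, SSO logs and an IP geolocation source.

```python
"""Two detections for the CEO con job: conference participants joining from
numbers not registered in the directory, and logins that imply impossible travel.

Added example, not the post's or Assertion's code. Log formats, directory
entries, IP addresses and coordinates are constructed assumptions.
"""
import re
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# ---- Control 1: registered phone numbers ---------------------------------
# Assumed directory export (LDAP telephoneNumber per user id).
DIRECTORY = {
    "avdesh.singh": "+91 22 4000 1234",
    "m.botelli":    "+41 44 000 1234",
    "legal.zurich": "+41 44 000 5678",
}

# Constructed conference join log. The second line is the attacker joining the
# executive bridge from a number that belongs to nobody in the directory.
CONF_LOG = """\
2019-03-12T14:02:11Z conf=EXEC-BRIDGE-7 join caller="+41-44-000-1234" name="Mario Botelli"
2019-03-12T14:02:40Z conf=EXEC-BRIDGE-7 join caller="00852 3000 1111" name="Mario Botelli"
2019-03-12T14:03:05Z conf=EXEC-BRIDGE-7 join caller="+91 22 4000 1234" name="Avdesh Singh"
"""
JOIN_RE = re.compile(r'(?P<ts>\S+) conf=(?P<conf>\S+) join caller="(?P<caller>[^"]+)" name="(?P<name>[^"]+)"')


def e164(number):
    """Normalise a number so log and directory spellings compare equal: drop
    spaces, hyphens and brackets, and turn an international '00' prefix into '+'."""
    digits = re.sub(r"[^\d+]", "", number)
    return "+" + digits[2:] if digits.startswith("00") else digits


def unregistered_participants(log=CONF_LOG, directory=DIRECTORY):
    """Alert on every join whose caller number is registered to nobody."""
    registered = {e164(num): uid for uid, num in directory.items()}
    alerts = []
    for line in log.splitlines():
        m = JOIN_RE.match(line)
        if not m:
            continue
        num = e164(m["caller"])
        if num not in registered:
            alerts.append(f"{m['ts']} {m['conf']}: '{m['name']}' joined from unregistered number {num}")
    return alerts


# ---- Control 2: impossible travel ----------------------------------------
# Constructed SSO log with a geolocated source IP per login: m.botelli logs in
# from Zurich and then from Hong Kong 25 minutes later.
AUTH_LOG = """\
2019-03-12T13:55:00Z user=m.botelli ip=203.0.113.10 lat=47.37 lon=8.54
2019-03-12T14:20:00Z user=m.botelli ip=198.51.100.7 lat=22.32 lon=114.17
2019-03-12T15:00:00Z user=avdesh.singh ip=192.0.2.44 lat=19.08 lon=72.88
2019-03-12T16:30:00Z user=avdesh.singh ip=192.0.2.45 lat=19.08 lon=72.88
"""
AUTH_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) lat=(?P<lat>\S+) lon=(?P<lon>\S+)")
AIRLINER_KMH = 900.0   # nobody legitimately moves faster than this between logins


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(log=AUTH_LOG, max_kmh=AIRLINER_KMH):
    """Alert when two consecutive logins of one user imply a speed above max_kmh."""
    last = {}
    alerts = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        here = (float(m["lat"]), float(m["lon"]))
        if m["user"] in last:
            prev_ts, prev_geo = last[m["user"]]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(prev_geo, here)
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append(f"{m['ts']} {m['user']}: {km:.0f} km in {hours * 60:.0f} min from {m['ip']}")
        last[m["user"]] = (ts, here)
    return alerts


if __name__ == "__main__":
    for alert in unregistered_participants() + impossible_travel():
        print("ALERT", alert)
```

Two caveats a practitioner should keep in mind. Caller ID can be spoofed, so a registered number in the join log is only trustworthy on a dial-out bridge, where the bridge itself dialled the directory number; on a dial-in bridge the check catches the careless attacker, not the careful one. And IP geolocation is approximate: corporate VPN exits and mobile carriers will produce false positives, so the impossible-travel threshold is a tuning knob, not a constant.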

Given the nature of these controls, it is impractical for an organization to watch them manually 24x7, and that is where Assertion can help. Assertion's CollabSecure is a continuous monitoring system that checks that your systems remain secured against hackers and criminals. For more information, contact us today at expertadvice@assertion.cloud

# In a hosted scam, hackers attack a hosted service provider to obtain passwords, often because the provider uses automated systems to hand out access through its password-reset functionality.

# In the whitelist scam, hackers access VoIP accounts and add a scammer's phone number or address to the account's whitelist, which permits outgoing calls. From that point on, the hackers can make calls at the victim's expense.

# In the registration scam, the target is the authentication step itself: some systems require authentication before allowing calls, but the authentication systems can sometimes be hacked.
