Criminal fraudsters have tricked wireless networking firm Ubiquiti Networks out of roughly $47 million, using a low-tech email scam that is all the rage right now.
The scam, first detected on June 5, involved fake email requests for wire transfers to overseas accounts controlled by the crooks, Ubiquiti revealed in recent regulatory filings first reported by Brian Krebs this week. Ubiquiti notes that it has tightened its internal controls, and has managed to recover $8 million of the stolen funds. A criminal investigation is ongoing.
Importantly, Ubiquiti says that none of its internal accounts were compromised in the attack.
What you can infer here (since Ubiquiti won’t comment) is that the scammers spoofed an employee communication from a fake email account, instructing an employee to wire funds to a “vendor.” In its laziest form, it’s an attack that anyone could mount with an Internet connection and about 5 minutes — the B2B version of the old “Nigerian prince” email fraud, except the prince purports to be your boss.
Laugh all you want, but it could happen to anyone. This type of scam is on track to cost businesses $1 billion this year, Bank of the West security expert David Pollino has predicted.
“Business email compromise is ‘the new black’ amongst soon-to-be-wealthier cybercriminals,” says Patrick Peterson, CEO of email security firm Agari, in an email to SDxCentral. “Criminals are profiting because it works.”
In fact, Peterson tells us that Agari’s own CFO was targeted by a similar scam. A curt message from “firstname.lastname@example.org” — note the extra a — instructed her to “process a wire of $48,750 to the attached account.” (She did not.)
It’s fairly easy to stop scammers from forging the From: address of a domain a company actually owns: publish SPF and DKIM records and a DMARC record whose policy is set to quarantine or reject (a record left at the monitoring-only p=none setting blocks nothing, and the receiving mail system still has to honor the policy). But there’s little to stop crooks from cooking up a fake Gmail account, or registering a domain that is a spelling variation on the company’s name (the mind boggles at the possibilities for “Ubiquiti”).
In those cases, sharp eyes and internal process are essentially the main defense: flag mail whose sender domain merely resembles the company’s, or whose display name is an executive’s but whose address is not, and confirm any new or changed payment instructions over a channel other than the email that requested them, with a second approver before a wire goes out.
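As an added illustration (this is not code from the article, from Ubiquiti or from Agari), the Python script below implements the two checks the passage above separates: whether a DMARC record is actually enforcing (p=none stops nothing), and whether an inbound From: header is an exact corporate address, a lookalike domain, an executive’s name on an outside address, or a free webmail account. The domain example.com, the executive names, the free-mail list, the one-edit-per-four-characters threshold and the sample records and headers are all constructed for the example.

```python
"""Two checks a mail gateway or SOC rule can apply to inbound mail that asks
for a payment. Constructed example: the domain, executive names, DMARC
records and From: headers below are made up for illustration."""
import re
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_blocks_spoofing(txt: str) -> bool:
    """True only when receivers are told to quarantine or reject failures.
    p=none is monitoring only and stops nothing; pct<100 exempts a share
    of the traffic from the policy."""
    tags = parse_dmarc(txt)
    if not tags:
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return policy in ("quarantine", "reject") and pct == 100


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def name_key(display_name: str):
    """Order-insensitive key for a display name: 'Doe, Jane' == 'Jane Doe'."""
    return tuple(sorted(re.findall(r"[a-z]+", display_name.lower())))


# Hypothetical company domain and the people most likely to be impersonated.
CORP_DOMAIN = "example.com"
EXEC_NAMES = {name_key("Jane Doe"), name_key("John Smith")}


def classify_sender(from_header: str, corp_domain: str = CORP_DOMAIN,
                    exec_names=EXEC_NAMES) -> list:
    """Return the risk flags for a From: header.

    'internal'            exact corporate domain (or a subdomain); DMARC's job
    'lookalike-domain'    first label within a small edit distance of ours
    'exec-name-external'  an executive's display name on a non-corporate address
    'freemail'            a consumer webmail domain
    'external'            nothing suspicious on its face
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == corp_domain or domain.endswith("." + corp_domain):
        return ["internal"]
    corp_label = corp_domain.split(".", 1)[0]
    # Allow one edit per four characters of the label, at least one, so that
    # 'agaari' vs 'agari' or a transposed pair in a long name is caught.
    threshold = max(1, len(corp_label) // 4)
    flags = []
    if edit_distance(domain.split(".", 1)[0], corp_label) <= threshold:
        flags.append("lookalike-domain")
    if name_key(display_name) in exec_names:
        flags.append("exec-name-external")
    if domain in FREEMAIL:
        flags.append("freemail")
    return flags or ["external"]


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(record, "->", "enforced" if dmarc_blocks_spoofing(record) else "monitoring only")
    for hdr in ("Jane Doe <jane.doe@example.com>",
                "Jane Doe <jane.doe@examp1e.com>",
                "Jane Doe <janedoe.ceo@gmail.com>",
                "Accounts Payable <ap@vendor-example.net>"):
        print(hdr, "->", classify_sender(hdr))
```

The edit-distance threshold is deliberately small: at one edit for a seven-character label it catches an inserted letter, a digit-for-letter swap or a transposed pair, while longer company names get proportionally more room. Real deployments would also compare against every domain the company owns, check the Reply-To header (which fraudsters often point elsewhere), and treat a lookalike or executive-name hit as a reason to hold the message for review rather than to block it outright.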
“Until we have solutions that restore trust to email,” says Peterson, “the best cutting-edge-security professionals can offer is ‘be careful!’ and verify information before making wire transfers.”