[BreachExchange] Save the Children Federation Duped in $1M Scam

Destry Winant destry at riskbasedsecurity.com
Tue Dec 18 09:24:43 EST 2018


https://threatpost.com/save-the-children-federation-duped-in-1m-scam/139925/

A business email compromise campaign cost the Save the Children
Federation $1 million.

Hackers scammed the Save the Children Federation out of almost $1
million in a business email compromise (BEC) scam.

Save the Children is a well-known U.S.-based non-profit group that
offers charity services like fundraising and sponsorships. According
to the organization’s 2017 income tax returns, obtained by the Boston
Globe and reported this week, in April 2017 an unknown hacker posing
as a Save the Children employee tricked the charity into transferring
$997,400 to a fraudulent entity in Japan.

“This crime was committed and investigated in 2017, and reported in
our 2017 990,” a spokesperson told Threatpost on Friday. “We have
improved our security measures to help ensure this does not happen
again. Fortunately, through insurance, we were ultimately reimbursed
for most of the funds that were stolen.”

The scam stemmed from hackers who were able to compromise the email
account of an employee of the charity in 2017. They then utilized that
access to send several documents and fake invoices within the
organization.

These fake documents, which utilized social engineering tactics, asked
for a sum of money to help install solar panels onto several health
facilities in Pakistan. The charity was tricked into sending one
million dollars to scammers in Japan.

The fraud was discovered in May 2017, after which the organization
coordinated with the FBI and Japanese law enforcement to investigate
the incident. While the transferred funds could not be recalled at
that time, the charity was able to recover all except for $111,616.

Holiday Scams

Save the Children is not the first charity organization to become the
target of cybercriminals. In November, the Make-A-Wish Foundation
website fell victim to a cryptojacking attack. It’s a good reminder
that scams and hacks in general are on the rise this holiday season,
as more shoppers flock to the web hunting for gifts.

BEC-style email attacks that deliver malware targeting point-of-sale
systems are booming this holiday season, as are phishing scams
perpetrated via social media.

For instance, researchers reported a spate of Black Friday-themed
email spam, often taking advantage of recipients’ desire to cash in on
increasingly attractive deals. These emails created tempting clickbait
for users or contained enticing messages with attachments that
delivered malware, not holiday cheer.

BEC emails have proved dangerous enough to catch the eye of the FBI.
In June of this year, the agency said that since the Internet Crime
Complaint Center began formally keeping track of BEC, reported losses
have exceeded $3.7 billion.

The FBI suggested that to defend against BEC scams, companies should
identify potential targets within their organization, increase
education around the nature of BEC emails, and verify any payments or
transfers.
