[BreachExchange] Investment Firm Hit by BEC Scam

Destry Winant destry at riskbasedsecurity.com
Mon May 18 10:28:10 EDT 2020


https://www.databreachtoday.com/investment-firm-hit-by-bec-scam-a-14287

Fraudsters have conned Norfund, a private equity investment firm based
in Oslo, Norway, out of more than $10 million in what the company
calls an "advanced data breach." But the incident bears the hallmarks
of a business email compromise scam.

Scammers spent months within Norfund's internal IT network, gaining
access to emails and other communications between the company
executives and the partners and businesses in which the firm has made
investments, CEO Tellef Thorleifsoon told the Norwegian newspaper
Aftenposten. This provided fraudsters with knowledge of documents and
other data, which enabled them to falsify payment details, he said.

The $10 million theft, which occurred on March 16, went undetected
until April 30, when the fraudsters attempted a second, unsuccessful
scam, according to a company statement.

The incident is now under investigation by Norfund's internal
security, local police and the Norway Ministry of Foreign Affairs. In
addition, the company as hired consulting firm PwC to review its
internal security, Thorleifsoon notes in the company statement.

"The fact that this has happened shows that our systems and routines
are not good enough. We have taken immediate and serious action to
correct this," Thorleifsoon said.

Norfund, which is also known as the Norwegian Investment Fund and is
owned by the country's Ministry of Foreign Affairs, invests in a range
of clean energy, financial services and agribusinesses mainly in
Africa, Asia and Latin America. At the end of 2019, it had invested
over 24 billion Norwegian krone ($2.5 billion) in over 160 projects,
according to its website.

Piecing the Scam Together

Although investigators are still piecing together just how the scam
worked, it appears that after gaining access to Norfund's IT network
and email communications, fraudsters began posing as a legitimate
microfinance institution in Cambodia, sending emails and other
financial and payment documents back to the investment firm, according
to Norfund's statement and the Aftenposten account.

At the same time, the fraudsters sent fake Norfund emails to the
Cambodian firm, telling that company that payments would be delayed
due to the COVID-19 pandemic in Norway, according to the account in
Aftenposten.

Because both Norfund and the Cambodian company believing they were
receiving legitimate emails and documents from each other, Norfund
sent the $10 million, which instead of going to the Cambodian firm was
transferred by the fraudsters to an account in Mexico and disappeared
before Norfund executives realized the payment was missing, according
to the company statement.

"The fact that the defrauders were able to manipulate the
communication between Norfund and the intended recipient was a major
contributing factor in delaying detection," the statement notes.

Since that fraud was uncovered, Thorleifsoon says that no other
fraudulent incidents have been found, according to Aftenposten.

Hallmarks of BEC

While not directly mentioned by Norfund, this incident appears to
involve a business email compromise scheme. These scams typically
start with attackers stealing the email credentials of a top executive
through phishing or other methods before tricking lower-level
employees into transferring funds or making fraudulent payments to
accounts controlled by scammers.

"While details are limited, it appears the same attack patterns appear
in the Norfund case - the interception of emails, diversion of funds,
and obfuscation of the trail by owning email communications," Chris
Pierson, CEO of cybersecurity firm BlackCloak tells Information
Security Media Group. "In most cases, this includes forwarding emails
based on keywords such as wire and ACH to hacker-controlled accounts,
not delivering real emails to their intended parties, and creating a
man-in-the-middle scenario for the transfer of funds."

Pierson notes that the risk of falling victim to this type of scheme
can be mitigated by requiring two-factor authentication for email
communication as well as applying anti-phishing controls and improving
employee training.

Chris Hazelton, director of security solutions at security firm
Lookout, says the incident should serve as a warning call to other
companies that make large digital transactions.

"This speaks to the risks of digital communications and transactions,
particularly where there is an immediate monetary gain for attackers,"
Hazelton says. "As more organizations move to digitization of banking
and all other processes, there is a need to have multiple layers of
security."

BEC on the Rise

Business email compromise fraud is a growing problem. In February, the
FBI issued its annual Internet Crime Report, which reported that the
bureau received over 24,000 complaints about BEC scams in 2019, with a
total loss of $1.7 billion to U.S. citizens (see: FBI: BEC Losses
Totaled $1.7 Billion in 2019).

In April, the FBI also warned of an uptick in BEC schemes, with
fraudsters using COVID-19 as an excuse to request a fraudulent
rescheduling of payments or a change to other plans in order to pilfer
funds (see: FBI: COVID-19-Themed Business Email Compromise Scams
Surge).


More information about the BreachExchange mailing list