Last week the United States Department of Justice (DOJ) issued a press release announcing the arrest of a cyber-criminal who had stolen $750,000 from the University of California San Diego (UCSD) through a carefully executed spear-phishing campaign. As reported by Naked Security-Sophos, the criminal, Amil Hassan Raage, worked in partnership with co-conspirators in Kenya to execute the cyber-heist.
In late July 2018, a UCSD employee received an email from Dell requesting that the University direct its outstanding payments owed to Dell to a specific bank account. The email seemed legitimate, and UCSD did have a payment due to Dell, so the transfer was initiated. Unfortunately, the email requesting payment was not sent by Dell; it was sent from a fake account masquerading as a real Dell email domain. It should come as no surprise, then, that the bank account numbers provided did not belong to Dell: they were Amil’s personal Wells Fargo bank account details.
UCSD was not the only school Amil and his crew hit. Another undisclosed school in Pennsylvania was taken for $123,643.77, bringing the total to over $870,000.00 in stolen funds. Instances such as these illustrate that phishing attacks are still a major concern for all organizations, and that phishing can be used for more than just stealing credentials and installing malware. In this case, a specially-crafted email was all that was required to swindle two higher education organizations out of hundreds of thousands of dollars. While there is constant news of sophisticated attackers finding novel ways of breaking into organizations, it’s critical to remember the serious risks associated with spear-phishing and other social engineering attacks, because now, as always, an organization’s users often represent the biggest attack surface.
Also, note in the DOJ press release: if your organization falls victim to an email-compromise scam, the FBI recommends that you immediately call your bank to see if it can freeze the funds before it’s too late.
Colleges and universities in the U.S. invest millions of dollars in security solutions (such as firewalls, two-factor authentication, and SEM/SIEM solutions). For the security experts here at OCD Tech, this most recent incident with UCSD points to a recurring truth: security solutions are only as effective as the people using them allow. Why purchase and install firewalls only to implement insufficient security controls on that equipment? Should senior executives (privileged account holders) really be given the option to disable two-factor authentication? A SEM/SIEM solution in and of itself merely provides a data report; an experienced IT auditor is needed to glean valuable insight and actionable intelligence from your SEM/SIEM tool.
Contact OCD Tech today to learn how your organization can start implementing best practices in security awareness training.