Financial fraud on an industrial scale

August 2, 2018

Our researchers have discovered another phishing campaign aimed at stealing money from corporate accounts. This time, the criminals primarily targeted manufacturing companies. Usually, attacks on such enterprises are connected with cyberespionage or sabotage. But not in this case — it seems some cybercriminals have remembered that such companies are in fact sitting on loads of money.

Good old phishing

These attacks aren’t carried out using fancy tools. Rather, standard phishing techniques are employed: Harmful software is distributed through e-mails disguised as commercial offers and other financial documents.

The main distinguishing feature of these attacks is the high level of preparation: the scam artists address an employee by first and last name, know the position the person occupies and the company’s area of focus, and make all the information on the source of the offer look legitimate.

In some cases, the phishers send out malicious attachments, and in others, they send links to sites, but all of the e-mails incite the victim to download the tools used by the hackers on his or her own initiative. For example, at least one recipient was informed that their company had been selected to participate in a call for bids. To enter, the employee had to install Seldon 1.7, a legitimate application. The e-mail attachment did contain an archived executable file for the software, but malware was installed on the device along with it.

Another e-mail contained a car sale payment order in a malicious PDF file. The message was very detailed, mentioning real companies with real tax IDs, as well as a VIN that corresponded to the specified model.

Legitimate software

The criminals used legitimate remote administration applications for their attacks — either TeamViewer or Remote Manipulator System (RMS). These programs were employed to gain access to the device, then scan for information on current purchases, as well as financial and accounting software. The attackers then used different ploys to steal the company’s money, for example, by replacing the banking details.

To retain access to the system for as long as possible, the hackers use several methods of hiding suspicious activity from both device owners and security solutions.
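As an added illustration (not part of the original post), here is how a defender might flag exactly this pattern in process-creation telemetry: a legitimate remote administration tool that starts from a user-writable directory, or that is spawned by an archiver or mail client rather than from a sanctioned install. The log format, the RMS binary names, the sanctioned paths and the sample events are all assumptions constructed for the example.

```python
import re
from typing import Dict, List
# Executable names of the legitimate remote administration tools the post names.
# TeamViewer.exe is TeamViewer's main binary; rutserv.exe and rfusclient.exe are
# assumed here to be RMS components. Replace with your own EDR/software inventory.
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "rutserv.exe", "rfusclient.exe"}
# Where an IT-sanctioned install is expected to live (assumed site convention).
SANCTIONED_DIRS = ("c:\\program files\\teamviewer\\", "c:\\program files (x86)\\rms\\")
# Parents that show the binary was just unpacked from an attachment or downloaded.
DELIVERY_PARENTS = {"outlook.exe", "winrar.exe", "7zfm.exe", "chrome.exe"}
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"parent=(?P<parent>\S+) image=(?P<image>.+)$")

def parse_event(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name not in REMOTE_ADMIN_TOOLS:
        return []  # not a remote admin tool at all
    reasons = []
    if not image.startswith(SANCTIONED_DIRS):
        reasons.append(f"{name} running from unsanctioned path {event['image']}")
    if event["parent"].lower() in DELIVERY_PARENTS:
        reasons.append(f"{name} started by {event['parent']} (attachment or download)")
    return reasons

def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for reason in assess(ev):
            alerts.append({"host": ev["host"], "user": ev["user"], "reason": reason})
    return alerts

# Constructed sample events (not real telemetry): a sanctioned TeamViewer start, a
# TeamViewer unpacked from an e-mail archive, and an RMS host dropped by an installer.
SAMPLE_LOG = [
    "2018-07-30T09:12:05Z host=wks-17 user=jsmith parent=explorer.exe "
    r"image=C:\Program Files\TeamViewer\TeamViewer.exe",
    "2018-07-30T09:14:41Z host=wks-22 user=amiller parent=winrar.exe "
    r"image=C:\Users\amiller\AppData\Local\Temp\Rar$EXa0.841\TeamViewer.exe",
    "2018-07-30T09:15:03Z host=wks-22 user=amiller parent=Seldon17_setup.exe "
    r"image=C:\Users\amiller\AppData\Roaming\rms\rutserv.exe",
]
```

Running `find_alerts(SAMPLE_LOG)` yields three alerts, all on wks-22, while the sanctioned TeamViewer start on wks-17 produces none.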

Additional arsenal

When necessary, additional tools are uploaded to the compromised device, for example, to get higher-level permissions and collect additional information. These applications can steal data (from login information to any file stored on the device), take screenshots, record video from the screen, listen to what is happening in the office using the device’s microphone, collect login data from other devices on the local network, and so on.

Thus, malefactors are in theory capable of more than just stealing company funds. They can obtain confidential information about the firm, its clients, and partners; spy on staff; record audio and video of whatever is going on around the infected computer; or use a compromised system for further attacks, including DDoS.

Who is at risk?

At the time of this writing, malefactors have attempted to infect about 800 computers belonging to at least 400 organizations in a wide array of industries: manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining, and logistics. This phishing campaign has been ongoing since October 2017.

How do you avoid becoming a victim?

This phishing campaign again demonstrates that even legitimate tools can be dangerous. Not all protection solutions take this fact into account. Even experienced employees can fall prey to the combination of a carefully thought out phishing attack with such software. To protect your organization, we recommend the following:

  • Your staff should be very well acquainted with information security. Kaspersky Lab offers educational and training courses that not only deliver knowledge, but also help to form new behavior patterns.
  • Use modern protection technologies that evaluate the behavior of not only suspicious but also legitimate programs — for example, Kaspersky Endpoint Security for Business.