The RISK Team collected the accountant’s email archive, a memory dump from the accountant’s laptop, and a forensic image of the laptop hard drive. The RISK Team asked for email web access logs. Verizon reported that numerous external IP addresses had been successfully logging into the accountant’s email using email web access. These logins started about a week prior to the wire transfer requests.
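The log review described above, rendered as an added example that is not part of the article or of Verizon's report: it parses constructed webmail access log lines (the line format, the user names, the address ranges and the timestamps are all assumptions), keeps only successful logins from outside an assumed corporate address range, flags any mailbox reached from several distinct external addresses within a rolling week, and then measures how far ahead of a later event (the first fraudulent wire request) the earliest such login fell.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample webmail access log (not real data). Assumed line format:
# "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2015-03-02T08:14:05 accountant 10.20.4.17 SUCCESS
2015-03-02T12:40:51 accountant 10.20.4.17 SUCCESS
2015-03-03T22:05:13 accountant 203.0.113.45 SUCCESS
2015-03-04T03:17:42 accountant 198.51.100.9 SUCCESS
2015-03-04T09:02:00 accountant 10.20.4.17 SUCCESS
2015-03-05T01:44:09 accountant 192.0.2.77 SUCCESS
2015-03-05T02:10:33 accountant 192.0.2.78 FAILURE
2015-03-06T23:59:01 accountant 203.0.113.46 SUCCESS
2015-03-03T09:00:00 clerk 10.20.4.31 SUCCESS
2015-03-04T09:00:00 clerk 10.20.4.31 SUCCESS
"""

# Assumed corporate address space; any source outside it is treated as external.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_external(ip_str):
    """True when the source address is outside every corporate range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in CORPORATE_NETS)


def parse_log(text):
    """Yield (timestamp, user, ip, result) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        yield datetime.fromisoformat(ts), user, ip, result


def external_login_summary(text):
    """Per user: time-ordered list of (timestamp, ip) for successful external logins."""
    summary = defaultdict(list)
    for ts, user, ip, result in parse_log(text):
        if result == "SUCCESS" and is_external(ip):
            summary[user].append((ts, ip))
    for events in summary.values():
        events.sort()
    return dict(summary)


def flag_accounts(text, min_distinct_ips=3, window=timedelta(days=7)):
    """Return {user: (first_external_login, sorted distinct ips)} for every user
    with successful logins from at least `min_distinct_ips` distinct external
    addresses inside some rolling `window`. Failed logins never count."""
    flagged = {}
    for user, events in external_login_summary(text).items():
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_distinct_ips:
                flagged[user] = (start, sorted(ips))
                break
    return flagged


def lead_time_days(text, user, incident_iso):
    """Whole days between the first flagged external login and a later event
    given as an ISO timestamp (e.g. the first wire request). None if not flagged."""
    hit = flag_accounts(text).get(user)
    if hit is None:
        return None
    return (datetime.fromisoformat(incident_iso) - hit[0]).days


if __name__ == "__main__":
    for user, (first, ips) in flag_accounts(SAMPLE_LOG).items():
        print(f"{user}: first external login {first.isoformat()} from {ips}")
    # Assumed date of the first fraudulent wire request, for the lead-time check.
    print("lead time (days):", lead_time_days(SAMPLE_LOG, "accountant", "2015-03-10T10:00:00"))
```

The threshold and window are deliberately conservative; a mailbox legitimately used from a single home address will not trip the rule, while a compromised account being worked from several addresses over a week, as in this case, will.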
By analyzing activity on the accountant’s laptop at the time of the webmail logins, the RISK Team determined that the accountant had received a phishing email from someone claiming to have paid a late invoice. The email instructed the accountant to click a link and enter his email domain credentials to authenticate and review the payment receipt.
Apparently, the accountant entered his email account credentials and never followed up when no payment receipt arrived. The threat actor used the stolen credentials to log into his mailbox and study the company’s wire transfer approval process by searching through emails. The threat actor even used previously sent invoices and tax forms as templates for the fake versions that accompanied the fraudulent wire transfers. According to Verizon’s findings, the threat actor then fabricated an approval email chain and sent it to the Wire Transfers Department.
The company was told that the link contained in the email was already known to be malicious. “I really started to wonder why our tools didn’t block access to the URL,” the CIO said.
It turned out that the company’s URL filtering tool did block that URL, but only for systems on the corporate network, where the filtering was enforced. The accountant was working from home the day the phishing email arrived, and his laptop was connected to his personal Wi-Fi network rather than the corporate network, so his web traffic never passed through the filter. The IT Security Team confirmed that the company’s tools could not block the URL because the accountant wasn’t using the corporate network.
“To this day, we are still working with law enforcement to figure out what happened to our money,” the CIO said.