Cybercrime is on the rise across the globe and will continue to grow at its pace as more citizens and companies utilise internet for their day-to-day business. Companies in the UAE especially are soft targets amongst the cyber criminals due to lack of awareness towards cyber security.
There have been repeated warnings by local authorities including Abu Dhabi police to the businesses on the modus-operandi of cyber criminals against the UAE companies but not much appears to be perceived or practiced. In an interview to a media portal, Colonel Dr. Rashid Borshid, Director, Criminal Investigation Department (CID), said that “Online criminals are hacking into company email accounts to discover when financial claims are due. Attackers then set up fake email accounts in order to lure companies into revealing their bank details and other confidential financial information.”
Torrid Networks, a cyber security consulting firm revealed one of the recent cyber-attack investigations performed for a large trading firm based out of Dubai. Company believes that such revelation should be helpful to other businesses in getting alarmed and prepared to thwart the rising threats. “Knowing is the first step to Securing”, said Syed Ibrahim Anwar, Vice President MENA, Cyber Security Practices, Torrid Networks.
In this particular case, email communication between the trading company’s accounts department and their suppliers was frequently being hijacked convincing them to transfer the invoiced funds to some foreign bank account. At the very first instance the case appeared to be a targeted attack by a former employee or business rival, as the email were literally talking business. As the investigation moved on, it became more evident to be an act of a professional cybercriminal and entire modus-operandi quickly came into visibility.
“Such cases are now frequently being observed in the region where businesses are hacked and then convinced by the hacker to transfer funds to some foreign bank account with no point of return”, added Anwar.
It was observed during the investigation that the hacker firstly lured the accounts department of the company to execute the malware which was sent as an email attachment and compressed as .ace extension, a compressed file format like Winzip. Email was sent from a spoofed email address: fundtransferdpt@hsbc.com with convincing looking content for the accounts department to execute the malware. On execution, malware silently got installed in the attacked system to record user keystrokes, system screenshots and later uploaded the recorded data to the hacker as email messages at every half hour cycle.
Malware can potentially bypass all the security mechanisms including locally running antivirus and other security mechanisms deployed in the network. The hacker then kept monitoring the entire email communication between the company and its buyers or suppliers to gain business knowledge. Whenever an invoice arrives to the email address of accounts department, the hacker used to send another follow-up email within few minutes from similar looking but spoofed email address containing modified bank information and a convincing note for the trading firm to transfer the invoiced funds to the newly mentioned foreign bank account.
Investigation also traced the malware uploading the recorded data as emails to a private mail server hosted with GoDaddy, a well-known web hosting company. Torrid Networks was further able to decipher the passwords being used by the malware for uploading the recorded data as email messages. Deciphered password helped the investigation gaining complete access to the information in possession with the hacker and now there was more to be revealed.
From the information in possession of the hacker, investigation concluded that the hacker is specifically targeting businesses established within UAE and most of his targets are from finance department of the companies. “Fortunately, the victim company in this case got alarmed well ahead of time and engaged us before any business loss could take place. It was scary to see so many net banking passwords, tally screenshots, confidential emails and what not. Looking at plethora of such information, we are certain that many businesses or individuals targeted by this hacker would have lost their hard earned money,” said Dhruv Soi, Founder, Torrid Networks. “Businesses in the region should gear up on cyber security before they end-up losing funds or confidential data to the hackers,” Soi added.
“As we speak, hacker is still active and so is his malware. We have uploaded detailed technical case study on this incident on our website along with hacker’s domain names, IP addresses and malware sample which should be helpful in various aspects.”, concluded Anwar.
