One letter ~= 700K. The taxpayers of DC are sad

This is a common tale. A scammer gets a bit of inside information. Perhaps the name of a supplier. In the case of this Alberta University, $12M was siphoned (details here).

In the case at hand, the city government of Washington DC wired $700K to a fake supplier. An email comes in, it looks right. It says “hey, we’ve switched to online payments from cheques”. Great, one less hassle for me. I’ve dealt with these folks before, I know them. Seems reasonable. Let me just get that done. But, 1 letter was wrong in the domain name.

Many people have fallen for this scam, I know some of them. You can have a set of process a mile long, and it is defeated by intelligent well-meaning team members. You need something to raise their suspicion. In this case, maybe an alert “Warning, you have never corresponded with this person before”. or “Warning, this domain is very similar to one you commonly correspond with”.

But, more likely, once in a while you need to run a campaign where you ‘red-team‘ your company. I proposed earlier we needed to use the invisible hand type method, make it legal to steal up to $5 from a person once. There needs to be a bit of pain, and a means of learning what you did wrong. So you might purposely spearphish your team periodically. And inform people when they act on it. And keep track of who’s not improving. And maybe make them sit in the basement next to that microwave that everyone warms curried fish in.

There are a ton of email ‘DKIM‘ and ‘SPF‘ type things. But sadly, not everyone uses them or listens to them. The technology ‘warns’ that I mentioned above (warning: this person is outside your org, warning: you’ve not corresponded with this person)… They are easy to ignore. Do you know someone who has clicked on the ‘This page has bad SSL, are you ok to continue?” to accept that ‘warning’? Instead it needs to put your speakers on full volume and start shouting something embarrassing. Maybe “Welcome to the dub-step for beginners page”. Or maybe “are you sure you want to see naked pictures of walrus?”. The look of embarrassment on your face as your co-workers started at you would be your punishment, your reason to pay attention next time.






One response to “One letter ~= 700K. The taxpayers of DC are sad”

  1. Jayme Snyder

    One of the companies I worked for sent beautifully crafted fake phishing emails that were DKIM signed with valid signatures…

    I was obviously curious enough to have gotten caught “visiting” the link because obviously I wanted to see what this real domain with valid DKIM setup was up to… I had to take a training course.

    The anti-phishing education company successfully stole lots of money from the company.

Leave a Reply

Your email address will not be published. Required fields are marked *