248 K. Yorkston
In 2018, the US FBI estimated that global losses between October 2013 and May 2018 from this attack alone cost organisations US$12.5 billion.1 This attack uses spear phishing. Find out details of the senior staff, then send an email to accountspayable@[insert organisation name]. Spoof it to come from that senior staff member, with a message like "An invoice is coming from Acme Corp, can you please process this payment quickly, as it is part of Project Merlin". It's especially useful if the attacker knows a project name within the organisation, but it's also surprising how many "Project Merlins" actually happen. Then, a call comes through to the general organisation phone number—"Can I please speak to Accounts Payable?"
The call is put through, and it's Tom Jefferson2 from Acme Corp, asking about the invoice. He seems such a nice chap, and is very apologetic about the rush for payment. He's also very helpful, giving Acme Corp's bank details to the Accounts Payable staff. The call adds legitimacy to the spoofed email, and that $12 billion loss just got a bit bigger.
Once again, there are most probably processes that staff should have followed. The senior staff member's email was spoofed. And the accounts staff were convinced to be helpful and solve a problem by the email "from the Boss" and by the call they received.
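As an added example that is not from the book, a defensive mail-screening check in Python for the pattern just described: a message that carries a senior staff member's name but comes from an outside domain, or that claims the organisation's own domain without passing DMARC, combined with payment-request wording, is held until the request is confirmed with the named person out of band. The internal domain, the protected name, the phrase list and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
# Assumed values for the organisation being defended (not from the book).
INTERNAL_DOMAIN = "example.com"
PROTECTED_STAFF = {"jane doe"}  # display names an attacker would spoof
PAYMENT_PHRASES = ("invoice", "process this payment", "bank details", "quickly", "urgent")
_domain = lambda address: address.rpartition("@")[2].lower()

def assess_message(raw):
    # Parse one raw RFC 5322 message and score it for the executive-impersonation pattern.
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    identity_issues = []
    if display.lower() in PROTECTED_STAFF and _domain(from_addr) != INTERNAL_DOMAIN:
        identity_issues.append("protected display name sent from an external domain")
    if _domain(from_addr) == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        identity_issues.append("claims the internal domain but did not pass DMARC")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        identity_issues.append("Reply-To domain differs from From domain")
    payment_phrases = [p for p in PAYMENT_PHRASES if p in text]
    # A payment request from a doubtful identity is the page's scenario: hold it until it is
    # confirmed with the named person on a number already on file, not one given in the mail.
    if identity_issues and payment_phrases:
        verdict = "hold"
    elif payment_phrases:
        verdict = "verify"  # the normal payment process applies whoever the sender is
    else:
        verdict = "ok"
    return {"identity_issues": identity_issues, "payment_phrases": payment_phrases, "verdict": verdict}

# Constructed sample messages (not real mail); the first mirrors the spoofed request above.
SPOOFED_REQUEST = """\
From: "Jane Doe" <jane.doe@example-corp.co>
Subject: Project Merlin invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.co; dmarc=none

An invoice is coming from Acme Corp, can you please process this payment quickly, as it is part of Project Merlin.
"""
LEGIT_INTERNAL = """\
From: "Jane Doe" <jane.doe@example.com>
Subject: Team lunch
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com

Lunch on Friday, all welcome.
"""
```

The phone call in the story is why the "hold" verdict insists on a number already on file: a caller who volunteers bank details is part of the same attack, not an independent confirmation of it.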
But, says you, don't we know the account the money was paid to? Surely if this information was passed to the Local Constabulary, they could stake out the bank branch, looking for the suspicious individual who, while wearing sunglasses and a false moustache, withdraws the money from the account? Perhaps, but another aspect of the attack is another vulnerable victim. A lonely person who struck up a conversation with a social media connection, and due to [an unexpected tax bill/a sick relative/a windfall from a recently departed relative] they require a bank account in the target's country. And, if the target opens this account on the basis that "Afta this is dun, I cn get my viza to meat my luv", the attacker now has an account that bears a striking resemblance to the Acme account number (so close, in fact, it's the same). Or the attacker might identify a like-minded person in that country who opens the account for a percentage of the money passing through it. And the consequence? Maybe a possibly innocent (or not so innocent) person could be charged with money laundering. And the hunt goes on for the money.
And the most targeted business sector for BEC? Which do you think? Sometimes the target can be unexpected. You must think like an attacker. With the prevalence of, and reliance on, online services today, we can do almost anything online. Including finalising the purchase of property. The real estate sector is a lucrative area targeted by the attackers. Think of all those involved in purchasing a home—solicitors, surveyors, real estate agents, buyers and sellers. How many of these could be vulnerable? If you're buying a home and get a mail for the final purchase from the "real estate" giving the account details for the transfer. Or from the "solicitor"
1 https://www.ic3.gov/media/2018/180712.aspx
2 No relation to the third President of the United States.
The Future of Software Quality Assurance
- Title: The Future of Software Quality Assurance
- Author: Stephan Goericke
- Publisher: Springer Nature Switzerland AG
- Place: Cham
- Date: 2020
- Language: English
- Licence: CC BY 4.0
- ISBN: 978-3-030-29509-7
- Dimensions: 15.5 x 24.1 cm
- Pages: 276
- Category: Computer science