Just to kick things off. Here’s an article I noted today describing scammers who used phishing techniques to net 11 million Canadian dollars (9 million US).
https://motherboard.vice.com/en_us/article/yww4xy/a-canadian-university-gave-dollar11-million-to-a-scammer
Article says this is not technically hacking. I don’t agree, but what do you think?
For those with an audit background, it also points out that anti-fraud controls were either not in place, or not effective.
Wade Mackey
Andres Galarza says
I’m going to reference the definition for hacking you brought up in class:
“A hacker explores the difference between how something is supposed to work and how it really works.”
The scammer exploited a lack of, or weak, controls surrounding the vendor payment process. The threat was there (scammer). The vulnerability was there (weak controls). The probability, or risk, of this vulnerability being exploited was certainly there.
To me, hacking isn’t always sitting in front of a laptop and using the command line to exploit things. In this case, I’m sure the university thought that, “Our vendor payment process is supposed to work like this.” The scammer showed them how it actually worked.
Shi Yu Dong says
In my opinion, hacking doesn’t always mean using a computer to steal information or using the command line to exploit things. As the professor mentioned in class, a hacker can simply use a cell phone to hack and steal your money. In this case, I do believe that it’s a hacker issue. Although it didn’t directly involve the hacker, there were IT control and bank information breaches that let the hacker easily make the university send the money. The vulnerability (IT control risk and bank breach) is the issue that increases the risk for both the bank and the university.
Sheena L. Thomas says
By definition, this was a successful phishing attack. But for the writer to say “this is not technically hacking” is not an accurate statement. I think the whole objective of hacking and/or phishing is to gain access to something (money and/or PII, etc.) that does not belong to them. Even though the methodologies of hacking and phishing are different, the outcome is still the same. The hacker(s) gained “something” that did not rightfully belong to them.
Jonathan Duani says
In my opinion, it does seem to me like it is hacking. If we use the definition that we were given in class, that hacking is looking at how a system works and manipulating it and making it work differently, then a lot of things that we think are not hacking are hacking. A user goes to a website and thinks it works a specific way. However, since the developer changed it to be malicious, they changed the perceived way that it works. This to me is hacking, even though it is not hacking in the Hollywood sense of a guy behind a desk running a bunch of scripts to gain access. They are still, for example, using social engineering to gain trust and then exploiting that trust for personal gain.
Elizabeth V Calise says
Let’s start with the definitions of hacking and phishing. Hacking is “using exploits to gain access to something you do not normally have access to.” Phishing is “masquerading as a trustworthy source in an attempt to bait a user to surrender sensitive information such as a username, password, credit card number, etc.”
Hacking and phishing are related in the sense that they are both ways of obtaining information, but they are different in their methods. In the end, a phishing scam is a hack. A phish is where the hacker baits the users with an email, phone call, text message or the like and tricks them into “voluntarily” giving the hacker their personal information or, in this case, changing the vendor banking information. A hack is technically the adversary taking over the computer system through brute force and accessing the sensitive data. However, a hacker can use phishing as his method for obtaining the information he seeks, or for getting the user to “voluntarily” do the hacking for him. Overall, there are various methods for adversaries to obtain the information they are seeking. Phishing is no different from hacking except for the fact that the adversary had to do less technical work to exploit the University’s vulnerability.
Fraser G says
To me, this case was clearly an example of social engineering / social hacking. This reminds me of the first presentation we had, where Prof. Mackey described how you don’t need a computer to hack; you can use the phone to call a company directory and pretend to be the helpdesk with a ticket request. I have also encountered this kind of social engineering while working as a consultant. We would work on behalf of companies to reduce costs and were going through invoices; one client in particular had paid serious money for a bogus invoice that had been faxed in to their line. Whoever paid it assumed it was valid for some reason and sent a check. It reinforces the notion that you are only as strong as your weakest link.
This kind of activity I think is natural for many people: the desire to figure out how things and systems work, how technology works and how people interact with it. In the end I like to think that most people wouldn’t abuse this knowledge, but that may be wishful thinking. I was really surprised that the University was able to recoup some of their loss. I would be interested to see how long the whole process took and what kind of systems the RCMP or Canadian intelligence has to track financial crimes.
Amanda M Rossetti says
I believe that phishing scams are a type of ‘hack’. As discussed in class, there are many types of hacks that have nothing to do with breaking into a computer. A hack is the exploitation of how things really work, instead of just following how they are designed to work. This is a textbook example of a social engineering hack, where someone is persuaded to ‘willingly’ hand over information/money. The article mentions that the controls in place surrounding changing the payment information of a vendor were inadequate. The school designed the process to ensure that payments only go to the authorized vendor. The hacker exploited the fact that those who perform the process can be persuaded to circumvent the controls and give a vendor payment to an unauthorized person. While the amount of money is large, it was really only one change that caused this to occur, and I am completely unsurprised that it happened. Working in IT audit I’ve become really jaded and annoyed by human nature’s tendency to be agreeable and want to help people as quickly as possible, because that is how things like this happen. The number of times I’ve had to explain why it is important to go through the proper channels to get things done, even when it is ‘easier’ or ‘faster’ to do it another way, is astounding.
Fred Zajac says
Amanda,
I understand your frustration. As an auditor, I strongly believe changes should go through the proper channels to mitigate the risk of fraud. However… As you mention, the person you are speaking to is frustrated with the time it takes to get their job done.
The best thing is the proper balance. Imagine this… If an organization has a four tier change management approval process, the time it takes to get the four signatures could cause the change to become irrelevant or possibly obsolete. This process is something the banking industry is going through and the healthcare industry has been dealing with for years.
Now, the changing of a vendor’s account number may only be a Medium impact on the organization vs. upgrading an MRI machine with a High impact, but my point is the auditor’s job may also be to arbitrate between corporate policy and employee satisfaction.
Ronghui Zhan says
My philosophy is very simple. I don’t care. If it happened, something is wrong. Go fix the problems. It’s a lesson. From now on, we know we must be ready to counter the attack. The mistake won’t happen again. The past is the past.
Kevin Blankenship says
This attack wasn’t a “technical” hack; however, I still would consider it a hack. When most readers think of a hacker, they’re picturing a guy with a laptop and ski mask tapping away furiously at some command-line-looking console with an ASCII skull popping up after execution.
This is not that kind of hack.
A hack, especially as defined in class, involves manipulating or bending a system’s use against the way it was intended. Here, the university didn’t even have controls in place to prevent this situation from happening. It allowed the attacker to manipulate a gaping hole in the financial transaction process, allowing them to make off with millions of dollars. Social engineering is a form of hack: hacking humans or interpersonal interactions.
Joseph Nguyen says
The technique used to modify an account to divert the money here is a form of hacking to me. Phishing, scam, social engineering or whatever it is called, the purpose is the same: to gain unauthorised access to manipulate/change the original information.
The University should have implemented better access control, or authorization procedures or policies, I think.
Joseph Feldman says
In my opinion I think this was still hacking, but in a less technical way than most people think of when they hear the term hacker. This attack used social engineering in the form of phishing, where emails are sent out to employees of a company, in this case a university, trying to pose as a vendor that the university has worked with before. This scammer was able to reach the right parties and successfully trick them into trusting he was the vendor. With their trust he was able to exploit the lack of controls in place by the company in regards to paying their vendor and changing vendor banking information. This scammer didn’t compromise any IT systems in the university and he didn’t steal any personal or financial information, as this hack was more of a social hack that relied on user error to help the scammer get what he wanted. This is still hacking, as we have discussed how hacking is exploiting how things really work instead of following how they are designed to work. The scammer found a way to target his victim (the university), exploit their lack of policy surrounding the change of vendor banking information, and steal a payment of 11 million Canadian dollars.
Richard Mu says
I believe that this is considered a hack. Although it might not be considered a hack in the technical sense of using software and computers to break into systems, it is a form of attack by exploiting or social engineering. According to the report, “controls around the process of changing vendor banking information were inadequate.” With phishing attacks, it could be considered a social engineering attack by being able to convince the targeted staff to transfer the funds. The scammer exploited the university’s lack of policy and the victim’s awareness of information security.
Christie L Vazquez says
I do not think this incident was the result of a hack. Instead it was a phishing attack using social engineering to commit fraud.
A hacker explores the differences between how something is designed to work and how it can work. A hack is using a computer system to gain unauthorized access to a system.
A hacker committed the attack but did not gain access to the university’s computer systems. They sent an email and employees of the university changed payment accounts.
This is a perfect example where technology cannot solve all cyber security problems. Processes that consider checks and balances are critical to prevent cyber attacks.
Fred Zajac says
In my opinion, this is a “hack” because the fraudster exploited a weakness in the system. The weakness was the change management process in the supply chain management department. The personnel responsible for the vendors/suppliers should have the proper policies in place to require multiple authorization approvals. The policies should be written with proper segregation of duties in mind when assigning authorizing officials. This will help against internal fraud.
The policies should also include emergency policies for change management, but they must be specific and detailed in explaining how to change bank account information for a vendor. The article doesn’t mention what product/service the vendor provides, but a policy that includes a verification process (a call to verify a vendor account change request) should be included for all business processes.
These policies may have been in place, because the University is very vague in providing information about how they handle data changes, but it is clear that the event is a “hack”, and they should hire a student from the ITACS program to properly audit the change management policies and procedures…
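As an added illustration of the controls Fred describes (multiple approvals, segregation of duties, and a call-back to verify a vendor account change), here is example code that is not part of the original discussion and not a description of the university’s actual process. The vendor name, account identifiers, phone numbers and staff names are made up, and the “phone book” is a constructed stand-in for actually dialing out. The point it makes is the one that matters in this case: the call-back has to go to the number already on file, because a number supplied in the change request is controlled by whoever sent the request.

```python
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when a vendor-master change fails one of the controls."""


@dataclass
class Vendor:
    name: str
    account: str
    phone_on_file: str          # captured at onboarding, never taken from a change request


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str           # the AP clerk who keyed the request in
    contact_phone_in_request: str = ""   # whatever the email says; untrusted
    callback_confirmed: bool = False
    approvals: list = field(default_factory=list)


class VendorMaster:
    def __init__(self, vendors, required_approvals=2):
        self.vendors = {v.name: v for v in vendors}
        self.required_approvals = required_approvals

    def callback_verify(self, req, ask, trust_request_phone=False):
        """Call the vendor and ask whether they really requested the change.

        Hardened path: dial the number on file.
        Weak path (trust_request_phone=True): dial the number written in the
        request, which is exactly what a scammer wants you to do."""
        vendor = self.vendors[req.vendor]
        number = req.contact_phone_in_request if trust_request_phone else vendor.phone_on_file
        req.callback_confirmed = ask(number, req.new_account)
        return req.callback_confirmed

    def approve(self, req, approver):
        # Segregation of duties: the person who keyed the request cannot approve it,
        # and one person cannot supply two of the required approvals.
        if approver == req.requested_by:
            raise ControlViolation("requester cannot approve their own change")
        if approver in req.approvals:
            raise ControlViolation("one person cannot approve twice")
        req.approvals.append(approver)

    def apply(self, req):
        if not req.callback_confirmed:
            raise ControlViolation("vendor did not confirm the change by call-back")
        if len(req.approvals) < self.required_approvals:
            raise ControlViolation(f"needs {self.required_approvals} approvals")
        self.vendors[req.vendor].account = req.new_account
        return self.vendors[req.vendor].account


def make_phone_book(vendor_phone, attacker_phone, vendor_real_new_account):
    """Constructed stand-in for dialing out (hypothetical numbers, not real ones)."""
    def ask(number, proposed_account):
        if number == vendor_phone:
            # The real vendor only confirms a change they actually made.
            return proposed_account == vendor_real_new_account
        if number == attacker_phone:
            # The scammer happily "confirms" anything.
            return True
        return False
    return ask


def run_scenarios():
    ask = make_phone_book("+1-555-0100", "+1-555-0199", "CA-BANK-B-2222")
    results = {}
    vm = VendorMaster([Vendor("Acme Builders", "CA-BANK-A-1111", "+1-555-0100")])

    # 1. Fraudulent email: "we changed banks, pay this account; call me at +1-555-0199".
    fraud = ChangeRequest("Acme Builders", "CA-SCAM-9999", "clerk_a", "+1-555-0199")
    results["weak_callback_passes"] = vm.callback_verify(fraud, ask, trust_request_phone=True)
    results["strong_callback_passes"] = vm.callback_verify(fraud, ask)
    vm.approve(fraud, "manager_b")
    vm.approve(fraud, "controller_c")
    try:
        vm.apply(fraud)
        results["fraud_applied"] = True
    except ControlViolation:
        results["fraud_applied"] = False
    results["account_after_fraud_attempt"] = vm.vendors["Acme Builders"].account

    # 2. Legitimate change: the vendor really did move banks.
    legit = ChangeRequest("Acme Builders", "CA-BANK-B-2222", "clerk_a")
    vm.callback_verify(legit, ask)
    try:
        vm.approve(legit, "clerk_a")          # requester tries to approve own change
        results["self_approval_blocked"] = False
    except ControlViolation:
        results["self_approval_blocked"] = True
    vm.approve(legit, "manager_b")
    vm.approve(legit, "controller_c")
    results["account_after_legit_change"] = vm.apply(legit)
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Two approvals on their own would not have stopped the fraudulent request in scenario 1; both approvers see a plausible email and sign off. What stops it is the call-back reaching the real vendor contact at the number on file, who says the change is not theirs. The same controls let the genuine change in scenario 2 through with no extra friction.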
Donald Hoxhaj says
Great post, Fred!
I find your post very informative, especially for someone like me who does not have an IT audit background. You provided a thorough analysis of the case and were able to suggest a few areas where the company could have improved their policies. Great post again; it is very informative to see someone else’s point of view from a different background.
Mohammed Syed says
I believe this is a huge scam, because phishing is usually done via emails, messages and/or phone calls when a perpetrator is trying to steal money. However, hacking is when there is unauthorized intrusion into a computer or a network.
Donald Hoxhaj says
I totally agree with your statement, phishing should be considered hacking. The only difference is the method used to obtain the information. However, I do not agree with the statement phishing is considered an authorized method. I believe the difference between the two methods is the following: phishing – is voluntary, hacking is involuntary.
Donald Hoxhaj says
In my opinion, phishing attacks should be considered hacking. First, let’s define what hacking means: “A hacker explores the difference between how something is supposed to work and how it really works” – class discussion, “Hacking is using exploits to gain access to something you do not normally have access to” – google search. Second, let’s define what phishing means: “Phishing is masquerading as a trustworthy source in an attempt to bait a user to surrender sensitive information such as username, password, credit card number etc.” – google search. Finally, if we look at the two definitions for phishing and hacking we can come to the conclusion that both are methods of obtaining information but the choice of methods is different. When a hacking attack occurs, the attacker is trying to obtain information involuntarily, whereas when a phishing attack occurs the attacker is trying to obtain information by baiting the victim. In conclusion, phishing attacks should be considered hacking as the method of choice is different but the end goal is the same.
Donald Hoxhaj says
http://www.zdnet.com/article/1-4-million-phishing-websites-are-created-every-month-heres-who-the-scammers-are-pretending-to-be/
1.4 million phishing websites are created every month: Here’s who the scammers are pretending to be
This article talks about the following: criminals are replacing phishing websites every few hours in order to avoid detection, thus allowing them to scam more victims out of personal data; Google is the most commonly impersonated company, accounting for 35 percent of all phishing attempts; Chase, Dropbox, PayPal and Facebook made up the remaining five most popular disguises for phishing email; the total number of phishing websites created per month ranged from 761,000 in February to 2.3 million in May; the high number of websites signifies the evolution in the methods used by attackers; 90 percent of data breaches occur as a result of credentials stolen using phishing attacks.
In my opinion, companies need to do a better job at preventing phishing attacks. One way to accomplish prevention of phishing attacks is to start training their employees. Also, the reason why this crime has gone on so long is because no one cares enough to do something about it. It will be interesting to see if companies will start doing something about it soon.
Donald Hoxhaj says
https://thejournal.com/articles/2017/09/19/users-getting-better-at-identifying-phishing-attacks.aspx
End Users Getting Better at Identifying Phishing Attacks
This article talks about the following: according to data from Wombat Security Technologies, users are getting better at recognizing phishing attacks; users performed better this year on questions around phishing attacks, answering incorrectly only 24 percent of the time compared to 28 percent in 2016; year-over-year results show that reinforcement and practice are critical to learning retention; as with any skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements.
It will be interesting to see how things unfold in the future. Will companies continue to reinforce the importance of cybersecurity threats? Will companies increase awareness and train employees on the subject of cybersecurity threats and more specific phishing attacks?
Brent Hladik says
I would have to say that this is indeed a successful hack in the sense that they were able to use both social engineering and phishing attacks in order to get the information they needed to get all of the funds transferred to their accounts. This wasn’t a simple thing to do and took a well-coordinated attack on a major system to get everything they needed accomplished.
Sachin Shah says
This is definitely a hack and the author is wrong. Based on what we learned in class, this was a phishing attack. It does not matter if it’s phishing, social engineering or web service injection: these all have the same principle or desired outcome. That outcome is to hack in some form; only one is direct harm and the other is disguised.