Anatomy of a SpearPhishing Scam
Posted by: Timothy Weaver on 04/16/2016 10:38 AM
An unidentified American company was suckered out of $98.9 million over a four-week period late last summer. The vehicle was a well-orchestrated spearphishing attack in which the attackers posed as one of the company's vendors.
The first email simply asked the victim company for its billing history. It was followed by an email saying that the "vendor's" banking information would be changing and asking who at the victim company should be contacted to make the change, so that future payments would go to the correct account. The company's payment office made the change.
Payments were then directed to the new bank account.
A few days later the real vendor contacted the company and its payment partner to report that no payments had been received.
The company then took a closer look at the original emails and found several irregularities. First, the emails came from an address at mail.md rather than the vendor's corporate domain. Second, that domain was hosted in Moldova, far from the vendor's actual location in Asia.
The final sign that something was amiss was that the funds were deposited at a Eurobank branch in Cyprus, not at a bank in the vendor's home country.
If any one of these irregularities had been flagged, the scam would have been stopped in its tracks.
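As an added illustration, not from the SC Magazine story or the victim company, the three irregularities above can be turned into a pre-payment check that accounts payable runs on every request to change a vendor's bank details. The vendor record, the ccTLD table and the sample emails below are constructed for this example; the ccTLD lookup is only a crude stand-in for the hosting-country check described in the story (a real control would consult WHOIS or hosting geolocation data).

```python
import email.utils
from dataclasses import dataclass
from typing import Dict, List

# Country behind a few ccTLDs (constructed subset for this example). A crude
# proxy for "where is this domain hosted"; real tooling would look it up.
CCTLD_COUNTRY: Dict[str, str] = {
    "md": "MD",  # Moldova
    "cy": "CY",  # Cyprus
    "sg": "SG",  # Singapore
    "cn": "CN",  # China
    "us": "US",
}


@dataclass
class Vendor:
    """Supplier master-data record (constructed; not from the article)."""
    name: str
    domains: List[str]    # e-mail domains the vendor is known to send from
    home_country: str     # ISO 3166-1 alpha-2 code of the vendor's location


@dataclass
class BankChangeRequest:
    """A request to redirect payments, as received by accounts payable."""
    from_header: str          # raw From: header of the e-mail
    beneficiary_country: str  # country of the bank named in the request


def sender_domain(from_header: str) -> str:
    """Extract the sender's domain from a From: header.

    The display name is attacker-controlled, so only the address part
    returned by parseaddr is used.
    """
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def domain_matches(domain: str, allowed: List[str]) -> bool:
    """True iff domain equals an allowed domain or is a subdomain of it.

    A substring or prefix test would accept look-alikes such as
    vendor.example.attacker.md; the dot-anchored suffix test does not.
    """
    for a in allowed:
        a = a.lower().rstrip(".")
        if domain == a or domain.endswith("." + a):
            return True
    return False


def flag_bank_change(req: BankChangeRequest, vendor: Vendor) -> List[str]:
    """Return the irregularities found in a bank-detail change request.

    An empty list means none of the three checks fired; it does not prove
    the request is genuine.
    """
    findings: List[str] = []
    dom = sender_domain(req.from_header)

    # 1. Sender domain is not one the vendor is known to use.
    if not domain_matches(dom, vendor.domains):
        findings.append(
            f"sender domain {dom!r} is not a known domain of {vendor.name}")

    # 2. The sender domain's ccTLD belongs to a country other than the vendor's.
    tld = dom.rsplit(".", 1)[-1] if dom else ""
    tld_country = CCTLD_COUNTRY.get(tld)
    if tld_country and tld_country != vendor.home_country.upper():
        findings.append(
            f"sender TLD .{tld} belongs to {tld_country}; "
            f"vendor is located in {vendor.home_country}")

    # 3. The new beneficiary bank is outside the vendor's home country.
    if req.beneficiary_country.upper() != vendor.home_country.upper():
        findings.append(
            f"new bank is in {req.beneficiary_country}; "
            f"vendor is located in {vendor.home_country}")

    return findings


if __name__ == "__main__":
    # Constructed sample: an Asian vendor and a request like the one in the story.
    supplier = Vendor("Example Supplier", ["examplesupplier.example"], "SG")
    suspicious = BankChangeRequest("Accounts Payable <billing@mail.md>", "CY")
    for line in flag_bank_change(suspicious, supplier):
        print("FLAG:", line)
```

Any finding should hold the change until the vendor confirms it by phone on a number already on file, never on a number taken from the email itself. A clean result does not prove the request is genuine; it only means none of these three cheap checks fired.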
A U.S. magistrate, working with Eurobank, quickly froze the Cypriot account, stopping about $74 million of the stolen money from leaving it.
The company is still working to recoup the rest, but the remainder had already been wired on to various banks throughout Asia.
Source: SCMagazine