Spear Phishing Email Nets $8m from Media Giant Condé Nast

Have you ever stopped to wonder why spammers do what they do? Is it just an irritation that anyone and everyone with an email account has to endure, or is there really a tangible payout at the end? I know I’ve wondered about it, countless times. It seems that every time I look at my inbox there are new reasons to wonder just what these guys think they’re accomplishing.

And then I come across a story like this one.

The mammoth media company Condé Nast – publishers of Vogue, Golf Digest, GQ, Vanity Fair, The New Yorker and Wired magazines, to name a few – was targeted by a spear phishing attack last November that cost the company $8 million in a series of wire transfers sent over several weeks. Last week, the US Attorney’s Office filed a complaint in Manhattan District Court alleging that the publishing giant got hooked by a single phishing email that was fabricated to appear as if it had come from Quad/Graphics, a company that prints Condé Nast’s magazines.

The email came in the form of an attached PDF file. According to one of Condé Nast’s companies, Wired.com, “The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.”

The alleged spammer – who has been identified as one Andy Surface of Alvin, Texas – established a bank account under the name Quad Graph and then sent the mail to the publishing company requesting that future payments be made to the new account. Condé Nast’s accounts payable department had no issues with the request, apparently, because someone from the department signed the Electronic Payment Authorization form and faxed it back to Surface, who is alleged to have shown BBVA Compass Bank in Alvin documents establishing that the company Quad Graph had been registered in a different country.

When Condé Nast authorized the form, they effectively gave their bank, JPMorgan Chase, permission to deposit funds in the fake account. Between November 17th and December 30th, they did just that, depositing a little less than $8 million in payables, intended for Quad/Graphics, into Surface’s account. The scam might have gone on longer, but on December 30th, Quad/Graphics (the real one) contacted Condé Nast to ask why the company hadn’t paid its outstanding invoices. According to eWeek.com, “Conde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface.”
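The scheme described above turned on two details that an accounts payable control could have caught: the payee name was a near match for the real printer rather than an exact one, and the request moved payments to a new account registered in another country, with nothing but a faxed form to confirm it. The following is an added example, not code from the article or from any of the companies named in it, of how such a review check might be written; the vendor master data, account identifiers and country codes are constructed for the illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master: the legitimate payee exactly as accounts payable
# has it on file. Account id and country are placeholders, not real values.
VENDOR_MASTER = {
    "Quad/Graphics": {"account": "ACCT-LEGIT-0001", "country": "US"},
}


@dataclass
class PaymentChangeRequest:
    payee_name: str             # name printed on the authorization form
    new_account: str            # account the requester wants funds sent to
    account_country: str        # where the receiving account is held
    verified_out_of_band: bool  # confirmed with a contact already on file?


def normalize(name: str) -> str:
    """Lower-case and strip punctuation/spaces so 'Quad Graph' and 'quad-graph' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def lookalike_vendor(payee_name: str, master=VENDOR_MASTER):
    """Return (canonical_name, similarity) for the closest vendor on file, or (None, 0.0)."""
    best, score = None, 0.0
    n = normalize(payee_name)
    for canonical in master:
        s = SequenceMatcher(None, n, normalize(canonical)).ratio()
        if s > score:
            best, score = canonical, s
    return best, score


def review_request(req: PaymentChangeRequest, master=VENDOR_MASTER, threshold: float = 0.8):
    """Return the list of reasons to hold the request; an empty list means it may proceed."""
    reasons = []
    canonical, score = lookalike_vendor(req.payee_name, master)
    exact = canonical is not None and normalize(req.payee_name) == normalize(canonical)

    # A payee that resembles, but does not equal, a known vendor is the classic
    # sign of a substitute account set up under a similar name.
    if canonical and not exact and score >= threshold:
        reasons.append(f"payee '{req.payee_name}' resembles but does not match vendor '{canonical}'")

    # Any change of bank details for a known vendor is held until it is confirmed
    # through a channel the requester did not supply (phone number already on file).
    if canonical and req.new_account != master[canonical]["account"]:
        reasons.append(f"account differs from the one on file for '{canonical}'")
        if req.account_country != master[canonical]["country"]:
            reasons.append("receiving account is in a different country than the vendor on file")
        if not req.verified_out_of_band:
            reasons.append("bank-detail change not confirmed through an independently known contact")
    return reasons


if __name__ == "__main__":
    # Constructed request modelled on the article: similar name, new account, other country, fax only.
    suspicious = PaymentChangeRequest("Quad Graph", "ACCT-NEW-9999", "XX", verified_out_of_band=False)
    for reason in review_request(suspicious):
        print("HOLD:", reason)
```

The similarity threshold is a tuning choice; with `difflib` the constructed names "Quad Graph" and "Quad/Graphics" score about 0.86, so a cutoff of 0.8 flags them while leaving unrelated vendor names alone. The point of the last two checks is that a signed form returned to the requester proves nothing, since the requester wrote the form; confirmation has to go to a contact the company already held before the request arrived.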

Condé Nast was able to recover about $36,000 by reversing one of the wire transfers. The company immediately alerted the authorities, and on January 10th the US Secret Service secured a warrant freezing the accounts before the scammer was able to transfer the money elsewhere. A forfeiture lawsuit is pending, and presumably criminal charges that might include wire fraud and money laundering will follow. Surface has not yet been formally charged, but Wired.com reports that “Forbes dug up a previous charge against someone with the same name and address who pleaded no contest in December to ‘terroristic threat of family/household.’” The US Attorney’s office declined comment.

“Phishing now makes up 23 percent of all attacks in the realm of social media,” Paul Henry, forensics and security analyst at Lumension, told eWeek.com. “A recent IBM X-Force Trend and Risk Report found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X-Force.”

As for Condé Nast, it’s not surprising that they’re keeping mum on the whole situation. “A Condé Nast representative said the company could not comment on a pending investigation,” eWeek.com also reports, and Henry raised an interesting perspective on the whole thing. “What’s most frightening is the fact that this isn’t just an unknowing private citizen being duped by a phony Facebook friend. This is a multibillion dollar corporation that clearly did not do its homework,” he said.

It is frightening. One might write this incident off as a very large corporation with so many transactions to fulfill that it was ripe for the picking in a phishing scam like this one. But Condé Nast got bilked out of $8 million from a single email. If it is that easy, are there other incidents like this one – successful scams of other major corporations, scams that we’re not hearing about? Or is this just a blip, a random case of the one that didn’t get away?

The answer is unclear. However it happened, this much is clear: if a big fish like Condé Nast can fall victim to a simple spear phishing scam, what does that say about the state of enterprise-wide security against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?

I must make a confession. In 2006, I awoke one morning and, while I enjoyed my first cup of coffee of the day, I was reading my email when I noticed what appeared to be a message from PayPal. The email asked me to update my account information, and without thinking (it was 6:15 AM and it was my first cup of coffee), I clicked the link provided in the email and was routed to a page that looked authentic enough. I proceeded to enter my username and password, and after clicking ‘Enter’ I was shown a big ‘Thank You!’ and nothing else. It was only then that I remembered: I had recently changed my PayPal password, but the site had accepted the old one. I got off easy that morning, but as an IT professional, the revelation shook me to the core. Coffee or not, big corporation or not, we’re only one click away from financial mayhem.
