{"id":42,"date":"2015-04-11T17:39:28","date_gmt":"2015-04-11T17:39:28","guid":{"rendered":"https:\/\/icaruspressblog.wordpress.com\/?p=42"},"modified":"2019-04-17T12:27:06","modified_gmt":"2019-04-17T12:27:06","slug":"spear-phishing-email-nets-8m-from-media-giant-conde-nast","status":"publish","type":"post","link":"https:\/\/hidefideas.com\/blog\/2015\/04\/11\/spear-phishing-email-nets-8m-from-media-giant-conde-nast\/","title":{"rendered":"Spear Phishing Email Nets $8m from Media Giant Cond\u00e9 Nast"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-44\" style=\"float: right; margin-left: 10px;\" src=\"http:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/phishing-sml.jpg\" alt=\"phishing-sml\" width=\"330\" height=\"286\" srcset=\"https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/phishing-sml.jpg 330w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/phishing-sml-300x260.jpg 300w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/phishing-sml-173x150.jpg 173w\" sizes=\"auto, (max-width: 330px) 100vw, 330px\" \/>Have you ever stopped to wonder why spammers do what they do? Is it just an irritation that anyone and everyone with an email account has to endure, or is there really a tangible payout at the end? I know I\u2019ve wondered about it, countless times. It seems that every time I look at my inbox there are new reasons to wonder just what these guys think they\u2019re accomplishing.<!--more--><\/p>\n<p>And then I come across a story like this one.<\/p>\n<p>The mammoth media company Cond\u00e9 Nast \u2013 publishers of <em>Vogue<\/em>, <em>Golf Digest<\/em>, <em>GQ<\/em>, <em>Vanity Fair<\/em>, <em>The New Yorker<\/em> and <em>Wired<\/em> magazines, to name a few \u2013 was targeted by a spear phishing attack last November that cost the company $8 million in a series of wire transfers sent over several weeks. 
Last week, the US Attorney\u2019s Office filed a complaint in Manhattan District Court alleging that the publishing giant got hooked by a single phishing email that was fabricated to appear as if it had come from Quad\/Graphics, a company that prints Cond\u00e9 Nast\u2019s magazines.<\/p>\n<p>The email came in the form of an attached PDF file. According to one of Cond\u00e9 Nast\u2019s companies, <a href=\"http:\/\/www.wired.com\/threatlevel\/2011\/04\/condenast-hooked-by-spear-phisher\/\">Wired.com<\/a>, \u201cThe e-mail instructed Cond\u00e9 Nast to send payments for its Quad\/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer\u2019s name.\u201d<\/p>\n<p>The alleged spammer \u2013 who has been identified as one Andy Surface of Alvin, Texas \u2013 established a bank account under the name Quad Graph and then sent the mail to the publishing company requesting that future payments be made to the new account. Cond\u00e9 Nast\u2019s accounts payable department had no issues with the request, apparently, because someone from the department signed the Electronic Payment Authorization form and faxed it back to Surface, who is alleged to have shown BBVA Compass Bank in Alvin documents establishing that the company Quad Graph had been registered in a different country.<\/p>\n<p>When Cond\u00e9 Nast authorized the form, they effectively gave their bank, JPMorgan Chase, permission to deposit funds in the fake account. Between November 17<sup>th<\/sup> and December 30<sup>th<\/sup>, they did just that, depositing a little less than $8 million in payables, intended for Quad\/Graphics, into Surface\u2019s account. The scam might have gone on longer, but on December 30<sup>th<\/sup>, Quad\/Graphics (the real one) contacted Cond\u00e9 Nast to ask why the company hadn\u2019t paid its outstanding invoices. 
According to <a href=\"http:\/\/www.eweek.com\/c\/a\/Security\/Conde-Nast-Wires-8-Million-to-Scammer-in-Alleged-Spear-Phishing-Scam-732291\/\">eWeek.com<\/a>, \u201cConde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface.\u201d<\/p>\n<p>Cond\u00e9 Nast was able to recover about $36,000 by reversing one of the wire transfers. The company immediately alerted the authorities and on January 10<sup>th<\/sup>, the US Secret Service was able to secure a warrant freezing the accounts before the scammer was able to transfer the money elsewhere. A forfeiture lawsuit is pending, and presumably criminal charges that might include wire fraud and money laundering. Surface has not yet been formally charged, but Wired.com reports that, \u201c<em>Forbes<\/em>&nbsp;dug up a previous charge against someone with the same name and address who pleaded no contest in December to \u201cterroristic threat of family\/household.\u201d The US Attorney\u2019s office declined comment.<\/p>\n<p>\u201cPhishing now makes up 23 percent of all attacks in the realm of social media,\u201d Paul Henry, forensics and security analyst at Lumension, told eWeek.com. \u201cA recent <a href=\"http:\/\/www.eweek.com\/c\/a\/Security\/Phishing-Declined-in-2010-as-Overall-Vulnerabilities-Rose-IBM-326851\/\">IBM X-Force Trend and Risk Report<\/a>&nbsp;found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X\u2013Force.\u201d<\/p>\n<p>As for Cond\u00e9 Nast, it\u2019s not surprising that they\u2019re keeping mum on the whole situation. \u201cA Cond\u00e9 Nast representative said the company could not comment on a pending investigation,\u201d eWeek.com also reports, and Henry raised an interesting perspective on the whole thing. 
\u201cWhat&#8217;s most frightening is the fact that this isn&#8217;t just an unknowing private citizen being duped by a phony Facebook friend.&nbsp;This is a multibillion dollar corporation that clearly did not do its homework,&#8221; he said.<\/p>\n<p>It is frightening. One might write this incident off as a very large corporation with so many transactions to fulfill that it might be ripe for the picking in a phishing scam like the one that netted Cond\u00e9 Nast. But Cond\u00e9 Nast got bilked out of $8 million off of one email. If it is that easy, then are there other incidents like this one \u2013 successful scams of other major corporations, scams that we\u2019re not hearing about? Or is this just a blip, a random case of the one that didn\u2019t get away?<\/p>\n<p>The answer is unclear. However it happened, this much is clear: if a big fish like Cond\u00e9 Nast can fall victim to a simple spear phishing scam, what does that say about the state of enterprise-wide security to protect against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?<\/p>\n<p>I must make a confession. In 2006, I awoke one morning and, while I enjoyed my first cup of coffee of the day, I was reading my email when I noticed what appeared to be a message from PayPal. The email asked me to update my account information, and without thinking (it was 6:15 AM and it was my first cup of coffee), I clicked the link provided by the email and was routed to a page that looked authentic enough. I proceeded to enter my username and password and after clicking \u2018Enter\u2019 I was shown a big \u2018Thank You!\u2019 and nothing else. It was only then that I remembered: I had recently changed my PayPal password, but the site had accepted the old one. I got off easy that morning, but as an IT professional, the revelation shook me to the core. 
Coffee or not, big corporation or not, we\u2019re only one click away from financial mayhem.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever stopped to wonder why spammers do what they do? Is it just an irritation that anyone and everyone with an email account&hellip; <\/p>\n","protected":false},"author":3,"featured_media":44,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,14],"tags":[11,9,10,8,7],"class_list":["post-42","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-spam","tag-allspammedup","tag-bot","tag-botnet","tag-malware","tag-spam","jsn-master"],"_links":{"self":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/42","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/comments?post=42"}],"version-history":[{"count":3,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/42\/revisions"}],"predecessor-version":[{"id":1862,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/42\/revisions\/1862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media\/44"}],"wp:attachment":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media?parent=42"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/categories?post=42"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/tags?post=42"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}