Saturday, May 16, 2015

Fake Invoice Scams, How do They Work?

A quite common scam in the United States has come to Australia this year, already fleecing some unwitting businesses of over half a million dollars.  The scam, listed here on the government's ScamWatch site, involves businesses receiving very realistic-looking fake invoices from scammers, usually stating a change of bank details and directing payment to a different bank account.  This highlights the importance of taking due care when paying invoices, and of having appropriate verification processes in place.

"Scammers hack into vendor and/or supplier email accounts and obtain information such as customer lists, bank details and previous invoices"

The scam has been reported extensively, particularly in non-tech news media, but it was a little light on detail for me, so I've done some further digging.  The reports I'd seen had referred to the scammers sending very realistic invoices to their targets by 'hacking' the email accounts of suppliers and vendors; others used words like 'intercepted email', but gave no further detail.  On asking the question of a few colleagues, some told me of first-hand experience with a version of the scam, dubbed a BEC (Business Email Compromise) scam.  They'd seen the simplest implementation, which involved creating free email accounts to send the fake invoices, and matching the account name as closely as possible to the actual supplier account.  But that's pretty simple, and most businesses would be quite suspicious if email that had been coming from accounts@davescatering.com started coming from accounts_davescatering@yahoo.com.  Admittedly, they might not pick it up if the real business was using a free email account in the first place, but although that happens, it doesn't seem to represent enough businesses for this scam to be so successful.

Then I stumbled across this page from the IC3 (Internet Crime Complaint Center), which sheds some more light on the situation.  It details three methods of attack, the first being very much the method described above.  The other two methods are far more serious and actually do involve email accounts being hacked.  In both these cases, accounts (or the PCs of account holders) are compromised and invoices issued from them.  In the cases where the hacked account belongs to a senior company executive, no invoice is sent; rather, a request for a funds transfer is made to other staff within the company (who presumably dutifully process it because the request comes from their boss).
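As an added example (not code from this post, from ScamWatch or from the IC3), here is a small Python triage script for incoming invoice email that turns the signals above into checks: the supplier's name smuggled into the local part of a free-mail address, a sender domain one or two characters away from the real supplier's domain, and wording that announces new or changed bank details, which is the hook ScamWatch describes and the cue for out-of-band verification.  The Reply-To mismatch check is an extra heuristic I am adding on my own account; the reports cited here do not mention it.  The supplier register, the free-mail provider list and the three sample messages are all constructed for the demonstration.

```python
"""Triage incoming invoice e-mail for fake-invoice / BEC signals.

Added example; the supplier register, free-mail list and sample messages
are constructed for this demonstration, not taken from any real report.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier register: display name -> domain we expect invoices from.
KNOWN_SUPPLIERS = {"Dave's Catering": "davescatering.com"}

# Free-mail providers a real supplier would not normally invoice from (assumed list).
FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}

# Wording that announces new or changed payment details, in either word order,
# within a single sentence.
_CHANGE = r"(?:new|chang(?:e|ed|es)|updat(?:e|ed))"
_BANK = r"(?:bank|account|bsb|iban|swift)"
BANK_CHANGE = re.compile(
    rf"\b{_CHANGE}\b[^.\n]{{0,60}}\b{_BANK}\b|\b{_BANK}\b[^.\n]{{0,60}}\b{_CHANGE}\b",
    re.IGNORECASE,
)


def _normalise(text):
    """Lower-case and keep only letters and digits: "Dave's Catering" -> "davescatering"."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot near-miss supplier domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg):
    """Return the text/plain content of a parsed message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", errors="replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")


def triage(raw_message):
    """Return the list of findings for one RFC 822 message string.

    An empty list means the cheap checks found nothing.  Anything else means
    the invoice should be verified out of band (a call to a number already on
    file, not one taken from the e-mail) before it is paid.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    local, _, from_dom = from_addr.lower().rpartition("@")
    expected = set(KNOWN_SUPPLIERS.values())
    findings = []

    # 1. Supplier name in the local part of a free-mail address
    #    (accounts_davescatering@yahoo.com standing in for accounts@davescatering.com).
    if from_dom in FREEMAIL and any(
        _normalise(name) in _normalise(local) or dom.split(".")[0] in _normalise(local)
        for name, dom in KNOWN_SUPPLIERS.items()
    ):
        findings.append("freemail_lookalike")

    # 2. Sender domain one or two characters away from a real supplier domain.
    if from_dom and from_dom not in expected and from_dom not in FREEMAIL and any(
        0 < _edit_distance(from_dom, dom) <= 2 for dom in expected
    ):
        findings.append("lookalike_domain")

    # 3. Replies routed to a different domain than the one that sent the mail.
    #    Extra heuristic added here; the reports the post cites do not mention it.
    if reply_addr and reply_addr.lower().rpartition("@")[2] != from_dom:
        findings.append("reply_to_mismatch")

    # 4. The invoice itself announces new or changed payment details.
    if BANK_CHANGE.search(msg.get("Subject", "") + "\n" + _body_text(msg)):
        findings.append("bank_details_change")

    return findings


# Constructed sample messages.
SAMPLE_LEGIT = """\
From: Dave's Catering <accounts@davescatering.com>
To: payables@example.org
Subject: Invoice 1042

Invoice 1042 attached. Payment is due in 30 days to the details on file.
"""

SAMPLE_FREEMAIL = """\
From: Dave's Catering <accounts_davescatering@yahoo.com>
To: payables@example.org
Subject: Invoice 1043 - important

Please note our bank account details have changed. Pay invoice 1043 to the details below.
"""

SAMPLE_LOOKALIKE = """\
From: Dave's Catering <accounts@davescaterlng.com>
Reply-To: dave.catering.accounts@gmail.com
To: payables@example.org
Subject: Invoice 1044

Please use the new account below for payment of invoice 1044.
"""

if __name__ == "__main__":
    for label, sample in [("legit", SAMPLE_LEGIT), ("freemail", SAMPLE_FREEMAIL),
                          ("lookalike", SAMPLE_LOOKALIKE)]:
        print(label, triage(sample) or "no findings")
```

None of these checks catches the second and third IC3 methods, where the mail really does come from the supplier's own compromised account; for those, only a verification step that does not depend on the email (a phone call to a number already on file, or a second approver for any change of payee details) helps, which is why the script reports findings rather than blocking anything.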

So that confirms that the media reports about 'hacking' weren't the usual poor reporting (like the iCloud 'hacking' scandal).  I assume the reports of 'intercepted emails' were similarly reliable.  It's certainly plausible enough to assume that by using hacked accounts, compromised PCs or servers, hackers could have emails surreptitiously forwarded to another party, or 'intercepted' from the server.

I was still curious about the method used to compromise these accounts though.  I had assumed they were the result of some successful phishing expeditions - and some were - but further reading suggested at least some were genuine system compromises, particularly this from the article linked above - "Businesses and personnel using open source e-mail are most targeted".  What does that mean exactly?  Properly secured OSS email shouldn't be more vulnerable than any other system.  But that's where the trail I was following ended.  The internet doesn't seem to have any more information about this, and in particular about what the role of Open Source systems would or could be.  Even the venerable Steve Gibson of GRC and Security Now didn't have any idea why OSS would matter in this case, telling me that he couldn't see why OSS would be implicated.


So that just leaves my theories, and the theories I've seen in forums and in comments around the interwebs, which are that some poorly maintained servers running Open Source mail software were compromised, or simply used as an open relay.  Not exactly conclusive, but better than what I started with, and we certainly know of other cases where hackers have taken control of systems and used them to do their bidding.

One final note is that the lack of actual published information on this is a cause for concern.  I should be able to find out how these attacks have occurred and the mechanisms used.  How can we in the IT community protect ourselves and our users against criminal activity if we don't actually know how it's perpetrated?  If anyone has any more information on this, please post it in the comments, I'd appreciate it.

Monday, May 11, 2015

Google Says Google's Stats Show What Google Want Them to Show.


Last week at a digital advertising conference, Google announced that most searches are now coming from mobile devices.  Or at least they are in 10 regional markets, two of which are the US and Japan; the other 8 Google won't identify.  That rather weak headline was picked up by all the major tech news sites, and a number of non-tech outlets.  But it seems a little weak to me.  Google didn't disclose the figures, sources, methodologies for collection or even the other 8 markets they referred to, which are apparently 'key' markets, but that's very much open to interpretation.

Interestingly, it comes on the back of Google trying to force people to make their websites mobile ready, by changing the relevant search algorithms.

So, what's going on here?  Well, my theory is that, in short, Google's abusing its search monopoly.  Trying to force people to make their sites mobile ready sounds really forward-thinking, just acknowledging the way of the world nowadays, and I don't disagree that more searching is happening on mobile.  But with Google being the only major player here, telling us what we have to do with our websites and then telling us they have statistics to back it up that we can't see, we've got no choice but to believe what they say.  What are we going to do, ask Bing for a second opinion?  Design our sites for desktop and feel safe in the knowledge they'll still be listed at the top of Duck-Duck-Go searches?  We have no choice.

You're probably still wondering how this is abusing a monopoly?  As far as I'm aware it's illegal in a number of countries to use a monopoly position to influence other markets, and it just so happens that Google have virtually no presence in desktop and laptop PCs.  Chromebooks are a thing, but accounted for 1% of worldwide PC sales in Q2 last year (0.95 million).  Meanwhile in the same period Android accounted for 250 million units shipped.
So, it's CLEARLY in Google's interest to push us toward the thinking that most web activity is on mobile platforms: then we design our websites for mobile, then we put more advertising on mobile, then Google make more money.  Because after all, Google sell advertising, that's what they do, and they need you on the platforms they control to make more money from it.  So in this case, Google are using search as a way to drive us further toward mobile and mobile advertising - two non-search markets.

Can we all say "anti-trust investigation"?  I hope not, that was so very painful last time around.

Sunday, May 10, 2015

Time for a Change

Well, this blog has gotten stale, hasn't it?  In the words of this 90s commercial for an alternative cola nobody wanted, it's time for a change.  This blog was about technology in the education sector, but I'm broadening it to cover science and technology in the everything sector.  Why not?  It's time for a change, and the change is me writing about what I'm interested in, so here goes!

UPDATE: Come to think of it, how about a site redesign?  It's time for a new look as well.  Just a facelift (maybe some botox and collagen, nothing huge).  Stay tuned!