Article by Bob Olsen, Compass Cyber Security
Background
In late 2016, the CIO of an independent private school received a call from the school’s bank to confirm the transfer of an additional $15,000 to the school’s “new account.” The bank said the request had come via email from the head of school and was a follow-up to another $15,000 transfer request the week prior. The CIO asked the head of school if this was legitimate. The head of school reported that he was not aware of any transfer and did not originate any requests via email to the bank. This sparked an investigation into the school’s email systems to determine how a request was sent from the head of school’s in-box without his knowledge. The findings were eye-opening.
The Investigation
Compass Cyber Security performed a forensic analysis of the school’s email logs, examining each email received and sent by the head of school. It was determined that a phishing email had come from a device in Africa to the head of school months before the incident, and that attack had compromised the head’s email login credentials. Using these credentials, the hacker had logged into the head’s email account and set up a rule to forward all emails from the school’s bank to the attacker’s personal email account, and then immediately delete the record of the email from the head’s inbox. This type of incident, called a “business email compromise,” let the hacker have email conversations with the bank without the head of school’s knowledge.
Using the head’s email account, the hacker then sent the request for a money transfer to the bank, and the bank transferred the first $15,000 to the foreign bank account. It wasn’t until the second request was sent that the bank grew suspicious and followed proper protocol to verify the transfer by phone.
The Response
After identifying the source of the email compromise, Compass recommended the school make the following changes immediately:
- Require all school staff to reset email passwords.
- Reset passwords of anyone, especially the head of school, who used the same login credentials for other applications.
- Review and delete every user’s Gmail filters (rules), since a malicious forwarding rule survives a password reset and keeps diverting mail until it is removed.
- Reimage the head of school’s laptop.
- Enable two-factor authentication through Google Authenticator for all users.
- Disable automatic forwarding to external addresses at the domain level (an admin setting in Google Workspace) so users cannot forward incoming messages to personal accounts.
- Enforce a policy that all requests for money transfers be verified over the phone.
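The forwarding-and-delete rule described in the investigation above, and the recommendation to reset every account’s Gmail rules, both come down to one check: does any mailbox contain a filter that sends mail to an outside address and hides it from the owner? The script below is an added example, not code from Compass or from the school; it audits filters in the shape of the Gmail API `users.settings.filters` resource (`criteria` plus `action`, with `forward`, `addLabelIds` and `removeLabelIds`). The domain names, filter contents and the list of “sensitive” sender domains are constructed for the example; in production the filters would be pulled per mailbox with `users().settings().filters().list(userId=...)` rather than read from an inline dictionary.

```python
"""Audit Gmail filters for the business-email-compromise pattern: a rule
that forwards mail from a chosen sender to an external address and then
trashes or archives it so the mailbox owner never sees the conversation.

Filter objects follow the Gmail API filter resource shape. The data below
is constructed sample input (assumption) so the script runs offline.
"""
from __future__ import annotations

ORG_DOMAIN = "example-school.org"          # assumption: the school's own domain

# Sender domains whose mail should never be silently diverted (constructed).
SENSITIVE_DOMAINS = {"bank.example", "payroll.example"}

# Constructed filters per mailbox, in Gmail API shape (not real data).
SAMPLE_FILTERS = {
    "alice@example-school.org": [
        {   # benign: archive a vendor newsletter
            "id": "f1",
            "criteria": {"from": "news@vendor.example"},
            "action": {"removeLabelIds": ["INBOX"]},
        },
    ],
    "head@example-school.org": [
        {   # the attacker's rule: forward bank mail externally, then trash it
            "id": "f2",
            "criteria": {"from": "wires@bank.example"},
            "action": {"forward": "h.of.school.01@webmail.example",
                       "addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]},
        },
        {   # internal forward with no deletion: worth a look, not an alarm
            "id": "f3",
            "criteria": {"subject": "board minutes"},
            "action": {"forward": "assistant@example-school.org"},
        },
    ],
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_filter(flt: dict, org_domain: str = ORG_DOMAIN) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one filter; severity is 'none', 'low' or 'high'."""
    crit = flt.get("criteria", {})
    act = flt.get("action", {})
    reasons: list[str] = []

    fwd = act.get("forward")
    external_fwd = bool(fwd) and _domain(fwd) != org_domain
    # Trashing or removing INBOX both hide the message from the owner.
    hides = ("TRASH" in act.get("addLabelIds", [])
             or "INBOX" in act.get("removeLabelIds", []))
    sender_dom = _domain(crit.get("from", ""))
    sensitive = sender_dom in SENSITIVE_DOMAINS

    if external_fwd:
        reasons.append(f"forwards to external address {fwd}")
    elif fwd:
        reasons.append(f"forwards internally to {fwd}")
    if fwd and hides:
        reasons.append("forwards and then hides the message (trash/archive)")
    if sensitive and (fwd or hides):
        reasons.append(f"targets mail from sensitive sender domain {sender_dom}")

    if external_fwd and (hides or sensitive):
        return "high", reasons
    if reasons:
        return "low", reasons
    return "none", reasons


def audit(filters_by_user: dict[str, list[dict]]) -> list[dict]:
    """Classify every filter in every mailbox; return findings, worst first."""
    findings = []
    for user, filters in filters_by_user.items():
        for flt in filters:
            severity, reasons = classify_filter(flt)
            if severity != "none":
                findings.append({"user": user, "filter_id": flt.get("id"),
                                 "severity": severity, "reasons": reasons})
    order = {"high": 0, "low": 1}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FILTERS):
        print(f"[{f['severity'].upper()}] {f['user']} filter {f['filter_id']}: "
              + "; ".join(f["reasons"]))
```

Run against the sample data, the head of school’s filter `f2` is reported as high severity for all three reasons (external forward, hide-after-forward, sensitive sender), the internal forward `f3` as low, and the newsletter archive rule as nothing at all. A quieter variant of the same attack only removes `INBOX` instead of trashing, which is why the check treats archiving as hiding as well.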
Outcome
With the recommended changes in place, along with elevated spam filters, the school has been able to prevent further phishing attacks from reaching end users. The head of school and the rest of the administrative team have further strengthened the school’s network security through employee training, policy development and routine scans of network devices. Luckily for this school, the bank was liable for the loss of the initial $15,000 because it did not follow the documented procedure for money transfers. By identifying the source of this attack, the school was able to address its weaknesses and put mechanisms in place to mitigate its risk of falling prey to a similar attack in the future.