In case anyone is wondering how spear phishing works, the story of Conde Nast and how it was scammed reads like a cautionary tale.
A scammer
managed to spear phish media giant Conde Nast and walk off with $8 million
after he posed as a legitimate business. With the specter of spear phishing
looming in the post-Epsilon-and-Silverpop world, the Conde Nast incident is a
timely reminder of how easy it is to fall for a scam.
The steps
were fairly straightforward. This scammer created a bank account with a name
similar to that of another business that Conde Nast worked with frequently.
With account details in hand, the scammer sent an email to the publishing
company and requested that all future payments be credited to that bank
account. Conde Nast signed the "Electronic Payment Authorization" form and
faxed it back, essentially giving its bank, JPMorgan Chase, permission to
electronically transfer money into that fraudulent account, no questions asked.
Luckily for
the company, the U.S. Secret Service intervened and froze the money in the
account before the swindler could withdraw the money or transfer it elsewhere.
Just one
email, and Conde Nast was out a little more than $8 million in less than six weeks
last year, according to
court
papers relating to the forfeiture lawsuit filed March 30 by the United
States Attorney's Office. Forbes summarized the
details
of the lawsuit, which tries to retrieve the money for Conde Nast, on April
3.
Phishing
now makes up 23 percent of all attacks in the realm of social media, Paul
Henry, forensics and security analyst at Lumension, told eWEEK. A recent
IBM
X-Force Trend and Risk Report found that while phishing attacks have declined since
2009, there was an increase in spear phishing in 2010. Spear phishing has
become a significant attack vector, according to IBM X-Force.
As for the
scammer, Andy Surface, there wasn't a lot of effort involved for the big
payoff. He opened a bank account at the Alvin, Texas-branch of BBVA Compass
Bank for a business called Quad Graph. Surface, who hasn't been charged with a
crime, allegedly presented paperwork showing the business was registered in a
different county when opening the account. He then allegedly sent an email to
Conde Nast accounts payable in early November with an "Electronic Payment
Authorization" form. The form requested that Conde Nast direct payments for
Quad Graphics, a printer who publishes Conde Nast magazines, to the Quad Graph
account.
Someone in
accounts payable filled out the form and faxed it back to the number provided
in the form. From Nov. 17 to Dec. 30, Quad Graph received regular payments
intended for Quad/Graphics.
The scam
could have continued indefinitely, except on Dec. 30, Quad/Graphics contacted
Conde Nast to find out why the publishing giant had not paid its printing
bills. By this time, Conde Nast had paid $7,870,530.02 into one account
belonging to Quad Graph, and $47,137.91 into another account belonging to Andy
Surface. The court papers linked both accounts.
Conde Nast
alerted the authorities and managed to reverse one transfer of about $36,000.
On Jan. 10, federal law enforcement agencies got a court warrant and froze the
accounts, pending the results of the forfeiture law suit.
While all's
well that ends well, the lawsuit begs the question: how can a major company not
notice funds going to an unknown account and not catch the problem until the
provider complained?
A Cond??« Nast representative said the company could not
comment on a pending investigation.
"What's
most frightening is the fact that this isn't just an unknowing private citizen
being duped by a phony Facebook friend.
This is a multibillion dollar corporation that clearly did not do its
homework," Henry said.
Email
Print
