Torrid Networks FZE reveals its cyber attack investigation carried out for a Dubai based organization
Dubai Silicon Oasis – Dubai, January 12, 2016 – Cybercrime is on its rise across the globe and will continue to grow at its pace as more citizens and companies utilize internet for their day-to-day business. Companies in the UAE especially are soft targets amongst the cyber criminals due to lack of awareness towards cyber security.
There have been repeated warnings by local authorities including Abu Dhabi police to the businesses on the modus-operandi of cyber criminals against the UAE companies but not much appears to be perceived or practiced. In an interview to a media portal, Colonel Dr. Rashid Borshid, director of the Criminal Investigation Department (CID), stated that “Online criminals are hacking into company email accounts to discover when financial claims are due. Attackers then set up fake email accounts in order to lure companies into revealing their bank details and other confidential financial information”.
This not so old interview was found to be important enough to be plugged into the context, as the statement is still applicable and the relevant measures are awaited to be applied by the local companies to secure their business activities.
Torrid Networks FZE, a well-established cyber security consulting firm today revealed one of the recent cyber-attack investigations performed for a large trading firm based out of Dubai. Company believes that such revelation should be helpful to other businesses in getting alarmed and prepared to thwart the rising threats. “Knowing is the first step to Securing”, said Mr. Syed Ibrahim Anwar, Vice President MENA – Cyber Security Practices at Torrid Networks FZE, while briefing the media.
In this particular case, email communication between the trading company’s accounts department and their suppliers was frequently being hijacked convincing them to transfer the invoiced funds to some foreign bank account. At the very first instance the case appeared to be a targeted attack by a former employee or business rival, as the emails were literally talking business. As the investigation moved on, it became more evident to be an act of a professional cyber criminal and entire modus-operandi quickly came into visibility.
“Such cases are now frequently being observed in the region where businesses are hacked and then convinced by the hacker to transfer funds to some foreign bank account with no point of return”, added Anwar.
It was observed during the investigation that the hacker firstly lured the accounts department of the company to execute the malware which was sent as an email attachment and compressed as .ace extension, a compressed file format like winzip. Email was sent from a spoofed email address:firstname.lastname@example.org with convincing looking content for the accounts department to execute the malware. On execution, malware silently got installed in the attacked system to record user keystrokes, system screenshots and later uploaded the recorded data to the hacker as email messages at every half an hour cycle.
Interestingly, malware could successfully bypass all the security mechanisms including locally running antivirus and other security mechanisms deployed in the network. Hacker then kept monitoring the entire email communication between the company and its buyers or suppliers to gain business knowledge. Whenever an invoice would arrive to the email address of accounts department, hacker used to send another follow-up email within few minutes from similar looking but spoofed email address containing modified bank information and a convincing note for the trading firm to transfer the invoiced funds to the newly mentioned foreign bank account.
Investigation also traced the malware uploading the recorded data as emails to a private mail server hosted with GoDaddy, a well-known web hosting company. Torrid Networks was further able to decipher the passwords being used by the malware for uploading the recorded data as email messages. Deciphered password helped the investigation by providing complete access to the information in possession with the hacker and now there was more to be revealed.
From the information in possession of the hacker, investigation concluded that the hacker is specifically targeting businesses established within UAE and most of his targets are from finance department of the companies. “Fortunately, the victim company in this case got alarmed well ahead of time and engaged us before any business loss could take place. It was scary to see so many netbanking passwords, tally screenshots, confidential emails and what not. Looking at plethora of such information, we are certain that many businesses or individuals targeted by this hacker would have lost their hard earned money.”, said Mr. Dhruv Soi, Founder at Torrid Networks FZE. “Businesses in the region should gear up on cyber security before they end-up losing funds or confidential data to the hackers.”, Soi added.
“As we speak, hacker is still active and so is his malware. We have uploaded detailed technical case study on this incident on our website along with hacker’s domain names, IP addresses and malware sample which should be helpful in various aspects.”, added Anwar, to conclude the media briefing.
Company’s technical case study is available at: http://www.torridnetworks.com/case-studies/hackers-tricking-uae-companies-make-payment-foreign-bank-accounts-real-world-case-study
About Torrid Networks
Founded in 2006, Torrid Networks is an information security consulting and management firm working with over 500 global brands on their cyber security needs. Company is headquartered in London with its offices in Dubai, Florida and Delhi. For more information, please visit the corporate website: www.torridnetworks.ae