People say that it is too hard to stop the bad guys. Well, you can make it a lot harder on them if you don’t just play into their hands.
Ubiquiti Networks, a tech company who makes wireless equipment, is publicly traded and had revenue of $150 million in the quarter ending Sep. 30, 2014, was duped by an age old trick.
Cyber thieves stole $46+ million from Ubiquiti by getting employees to wire money to the hacker’s offshore bank accounts.
While Ubiquiti doesn’t fess up to how exactly this happened, this is the way it usually works. The hackers, pretending to be the CEO, send someone who can wire money an email saying that the CEO is working on this big hush-hush deal and needs the person in accounting to wire $X to a bank account in loo-loo land.
There are hundreds of variants of this basic scam but they all work the same – pretend you are someone in charge, pretend you are working on something secret, tell people not to say anything and get them to send you the money.
They often register similar sounding domains like Ubiquuiti for Ubiquiti. People might not notice the double U. Or maybe Ubiguiti – depending on the font, the g and q might look similar. Or Ubiquit1. Again, depending on the font, the 1 and i would look similar.
Most people get hundreds of emails a day and if the email looks like it came from the CEO, you might look less closely at the details, wanting to make sure that you took care of the big guy.
These crooks made several wire transfers adding up to the $46+ million. They do that to keep the value in a range that won’t raise any red flags.
The authorities were able to recover a little over $8 million, meaning that, an entire quarter’s profit was wiped out. They are trying to recover another $6 million, but have not been successful yet. The company’s 8-K filing with the SEC seems to indicate that they have no insurance that would cover this form of theft.
This fraud technique is so old it has to use a walker to get around, but still, it works quite well. The FBI sent out a notice last January that crooks made off with over $200 million in the last 14 months using different forms of this scam.
Why, exactly, is a publicly traded company with revenues of well over $500 million a year still requesting and approving wire transfers via email?
My mantra for today – fix the simple stuff. For Ubiquiti, that is a $46 million lesson. Not counting legal fees and expenses – they have, according to the form 8-k, filed a number of lawsuits in foreign countries. That is not likely to be cheap.
Information for this post came from Krebs on Security, among other articles.