A bunker company in Malaysia claims it has been the victim of a phishing scam.
The owner of the company has told police that it has been defrauded of RM4.5 million (US$1 million).
The Malaysian National News Agency (BERNAMA) quoted the police chief in the north-western Malaysian state of Kedah as saying the company made two reports to the police, one on June 8 and another two days later on June 10.
It claimed it had been deceived into making two transactions to a bank in Greensboro in the United States on May 31 and June 2.
“We believe [a] spam email was sent to the company by an international syndicate, which set up an email account that is similar to the Singaporean company where it gets its oil supply from,” the police chief, Datuk Asri Yusoff, was quoted as telling a news conference.
“The complainant only realised he had been cheated after the real supplier contacted him for payment.”
Assessment and Analysis
Malaysian police believe spyware was embedded in the victim’s computer, allowing the perpetrators of the fraud to read email exchanges between the bunker company and its fuel supplier.
“After obtaining the information between the two companies, a [crime] syndicate member would create a fake email masquerading as the supplier to invoice the victim for payment into a bank account,” said the police spokesman.
He urged companies to check with their counterparties before making payments to accounts that differed from the usual number.
He said police were still investigating the incident and would cooperate with the International Police Organisation (INTERPOL).
This case is illustrative of how criminal groups are becoming increasingly sophisticated in conducting advanced and persistent cyber operations. It is indicative of a targeted attack campaign rather than an opportunistic ‘drive by’ – the company was compromised via a combination of techniques comprising spear-phishing, spoofing, and social engineering. While the losses are high, the largest reported amount of money stolen using similar methods was £18 million.
Regardless, this amalgamation of threats is difficult to mitigate against, not least because it is reliant on human error rather than a technical solution. In many cases a comprehensive education and awareness campaign will bolster company defences. Policies should be in place that require additional checks, preventing any one person from signing off on a large transfer of funds. Extra vigilance is required at key times – phishing emails and fraudulent invoices are often purposely sent late on a Friday or just prior to public holidays, when attackers know attention levels are likely to be at their lowest. Finally, employees of all levels should be reminded of the dangers of sharing too much information online, be that on social media or personal blogs.
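The checks described above (a sender address that only resembles the supplier's, a payment account that differs from the usual one, and no single person releasing a large transfer) can be expressed as a payment-release gate. The following is an added example, not taken from the article or the police statement; the vendor records, domains, similarity cut-off and approval threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master data (hypothetical): domain -> bank account on file.
VENDORS = {
    "supplier.example": "SG-000111222",
    "shipyard.example": "MY-333444555",
}
LOOKALIKE_CUTOFF = 0.8        # assumed similarity score that counts as "similar"
DUAL_APPROVAL_RM = 100_000    # assumed amount above which a second approver signs


@dataclass
class PaymentRequest:
    sender: str     # From address on the invoice email
    account: str    # bank account the invoice asks to be paid
    amount_rm: float


def closest_vendor(domain: str) -> tuple[str, float]:
    """Return the known vendor domain most similar to `domain` and the score."""
    best = max(VENDORS, key=lambda d: SequenceMatcher(None, domain, d).ratio())
    return best, SequenceMatcher(None, domain, best).ratio()


def review(req: PaymentRequest) -> list[str]:
    """Return the reasons a payment must be held for out-of-band verification."""
    flags = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    vendor, score = closest_vendor(domain)
    if domain != vendor:
        # Near-match of a real supplier is the pattern described in the article.
        flags.append("lookalike_sender_domain" if score >= LOOKALIKE_CUTOFF
                     else "unknown_sender_domain")
    if req.account != VENDORS[vendor]:
        flags.append("account_differs_from_record")
    if req.amount_rm >= DUAL_APPROVAL_RM:
        flags.append("second_approver_required")
    return flags


if __name__ == "__main__":
    # Constructed invoice: one character swapped in the domain, new bank account.
    fake = PaymentRequest("accounts@suppl1er.example", "US-999888777", 2_250_000)
    print(review(fake))
```

Any flag other than an empty list means the payment waits until someone confirms the details with the supplier using contact information already on file, not the details in the email.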