Be aware when travelling – malware is set to strike

Posted: September 19, 2016

Business email compromise - a female executive works on her PC as she flies

As reported in IT News, malware that has a very specific purpose has been found lurking in the Google Play store.

It’s called Overseer, and it’s designed to target business travellers going overseas. It steals lots of information for a very specific purpose.

Once installed on a user’s Android device, Overseer collects and sends back to a command centre all the executive’s contacts with full details, user accounts and the software installed on the Android device. It does so over encrypted communications to hide the transmission from network monitoring and intrusion detection solutions.

Data that identifies the device hardware and its capabilities, the network operator used, location and the cellular base-station it is connected to are also collated and sent, along with information on whether or not the smartphone is rooted and contains “sideloaded” software from unofficial app stores.

It was found hidden in an embassy locator app, two Russian and one European news apps.

Why bother collecting this information?

Why would someone be interested in knowing if you were looking for the Australian embassy in a European country? Is it so they can come around and steal your TV while you’re overseas?

In fact, it’s so that a sophisticated heist can be run. While you’re travelling and you’re the least contactable, your email account (or close substitute) will be used to send a message, purportedly from you to the senior accountant or bookkeeper in your company with an instruction to take care of a large invoice.

The email will explain that you’re in a meeting or you’re on a train or otherwise uncontactable, but that the supplier is urgently waiting on the funds, it was something you meant to do before you left and you expect that the transfer will happen immediately. Right now.

If the heist is well-planned, the invoice from the supplier will match the look and feel of a real invoice from that company, only the bank account or transfer details will be different. The invoice will note some new account details so that the person making the transaction updates your accounts payable system.

Of course, the final destination of your transfer is not to a legitimate supplier but to a very happy hacker.

The scam works by leveraging the authority of the travelling executive. Accounts Payable staff are frequently deferential to instructions from C-level team members, even when those instructions fly in the face of Standard Operating Procedures. Thus the scam works time and again.

What’s the solution?

It’s hard to counter this intrusion with software because it’s a very targeted attack, often with software that has a very short lifetime but a big payoff if executed correctly. Plus, the fact that the apps were hidden in plain sight inside an official app store makes it even harder to detect. Plus, what really makes it work is nothing online – it’s the relationship between the C-suite and other staff members.

There is also more than one way to gather the information that Overseer was targeting. Company and private Facebook accounts, Instagram, news articles, company newsletters, event notifications and more can all paint a pretty accurate picture of when you are travelling.

So instead of technology, the answer lies in setting and following good policy in Accounts Payable and leading the development of a culture that supports employees for questioning out-of-the-ordinary activity rather than attracting criticism. That will go a long way towards reducing the opportunity for CEO fraud in your company.

Consider engaging a network security team to run penetration testing and executive training to ensure that your team is less likely to be caught out.

2021 Update – CEO Fraud Continues To Thrive

In one form or another, CEO fraud has occurred several times since October 2016, relieving the pockets of deceived organisations of millions. Some of the most remarkable cases are presented below.

In 2018, French independent film group Pathé lost 22 million USD in a scam aimed at the firm’s Dutch office. A series of emails were sent from what seemed to be the personal account of Marc Lacan – Pathé’s CEO – to Pathé Netherland’s CEO and managing director Dertje Meijer, asking Meijer to transfer up to 22 million USD to Towering Stars General Trading LLC in Dubai. Meijer was told in the messages that the funds would be used to acquire a company in Dubai.

Malicious groups have also started putting technology into their scams – particularly, deepfakes. Deepfakes are AI-generated replications of a person’s likeness or voice.

In 2019, an unnamed UK-based energy company was stripped of £220,000 thanks to an audio deepfake. The CEO of this firm thought it was his boss – the chief executive of the firm’s German parent company – who asked him to transfer money to a Hungarian supplier. In reality, criminals used artificial intelligence to generate the German CEO’s voice and convince his subordinate of the legitimacy of their request.

Money aside, such attacks have cost CEOs their positions. So if you haven’t considered CEO fraud as a serious threat to your company, you should from now on.

CEO fraud is part of Business Email Compromise (BEC). With BEC, scammers impersonate the company’s CEO or a legitimate vendor to request payment to fraudulent accounts. Any employee in your organisation – starting from a front desk receptionist and ending with a CEO – can fall prey to BEC attacks.