Episode 303
Learning from Financial Fraud Series Episode 9: Payment Server and Network Compromise
Welcome to another episode of our Learning from Financial Fraud Series. In this episode, we’ll look at a case of payment server and network compromise. Craig Jeffery provides his insights on the situation, the attack method, the loss, and the key takeaways.
More from this series:
- Payment Server Breach
- Understanding “Pig Butchering”
- Unpacking the Bernie Madoff Ponzi Scheme
- Uncovering the Enron Accounting Scandal
- Unmasking the FTX Fraud & Safeguarding Your Assets
- Unraveling the Wirecard Fraud – Safeguarding Your Business
- Understanding the Satyam Scandal and Its Consequences
- Unveiling the Parmalat Fraud Scandal and Bankruptcy
Host:
Jonathan Jeffery, Strategic Treasurer
Speaker:
Craig Jeffery, Strategic Treasurer
Episode Transcription - Episode # 303: Learning from Financial Fraud Series Episode 9: Payment Server and Network Compromise
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym or wherever you decide to tune in.
Jonathan Jeffery 00:18
Welcome back to the Learning from Financial Fraud series on the Treasury Update Podcast. In this series, we explore multiple major financial fraud cases. We discuss how each one occurred and was kept hidden for a period of time, and we’ll dissect how it was eventually discovered and get insight and guidance on how to prevent this type of situation from happening to you and your organization. I’m Jonathan, media production specialist at Strategic Treasurer, and I’m here with Craig Jeffery, managing partner. Welcome back to the show, Craig.
Craig Jeffery 00:46
It’s good to be back. This is number nine in the series.
Jonathan Jeffery 00:49
That’s correct, number nine.
Craig Jeffery 00:50
I’m looking forward to this one as well as number 10. That’s a pretty large series. So thanks for doing this.
Jonathan Jeffery 00:57
So just to catch you up, back in the last Learning from Financial Fraud episode a couple weeks ago, we talked about a payment server breach. You want to give a recap on that?
Craig Jeffery 00:59
Yeah, so a company’s payment messaging server and confirmation server had been compromised. The criminals were able to get in, and what they did is they turned off all the financial messaging and confirmation activity, and they installed a Bitcoin mining program to generate a Bitcoin or Bitcoins, and loved the fact that they could use all the server capabilities. The company didn’t lose dollars, but that triggered and initiated this heartfelt look at what they were doing, from payment security, from messaging, from permissioning, from the principle of least privilege, and they really tightened things down, put an efficient process in place, and they’re in a far, far better place than they were before.
Jonathan Jeffery 01:52
Yeah, that was an interesting episode, and if you want to listen to it, I’ll leave a link down in the show notes. But today, we are talking about something somewhat similar, but also pretty different: a payment server and network compromise. You want to run us through the situation, Craig?
Craig Jeffery 02:07
Yeah, this one has large dollars, including large dollar losses. There’s an element of, how could people let it get that bad? This example is one that also triggered one of the largest payment rails, messaging rails, to establish a minimum standard, an annual standard, for securing the overall platform, and making sure all the endpoints were hardened. So there’s a really significant element here. There are also lessons to be learned about, you know, knowing how to spell. All of those things are part of it. So the situation is, a central bank’s systems had been penetrated grievously, to the point of, you know, almost destroying the bank. That would be my interpretation of it. The criminals had access, in so many different ways, to the payment platform that the bank was using. So they were able to come in through areas where there were no firewalls. There were places where the company had access to the outside world without firewalls. They had some firewalls. Some of them were there. Some firewalls were not turned on, and there were access points without firewalls. So it’s like we’ve got locks on some doors, some doors have locks that we didn’t use, and other doors are unlocked, or there’s not even a door. They also had other points of vulnerability where some of their servers, modems, routers, some of the switching devices that were used, were set on the default settings, like admin and admin1 for the ID and password, or whatever it happened to be, like “password” where the A is an at sign, so no criminal is going to figure that one out, and the O in “word” is a zero. So it was really whatever the basic password is. You could query and see what the device was and use the default setting. Many of these were bought used, which is not necessarily a problem, but the passwords weren’t changed.
Some of the settings for system access, when they were in test, granted much more permissive or promiscuous access to the system during the testing phase. Then usually, as you move from test into production, all of those permissions are locked down, and you confirm that those are locked down. Well, not all of those were done, and so gaining access to credentials and IDs now meant you had full rein. The principle of least privilege did not exist. It was the principle of full access. The criminals didn’t just say, I want to steal funds. They were like, I want to steal funds and get away with it. They understood what was going on in the system. There were messages. In this case, it was using a SWIFT messaging server. The bank had all their internal systems generating payments, how they would move funds. And what did the criminals do? They also monitored what was happening. So when a message would go out, a confirmation would come back to the servers, it would print out, it would show up on a screen, and this information would come back. And then whoever in banking is monitoring in the wire room is like, okay, yes, the wire went out, we got the confirmation number that it’s been sent, it’s delivered, the regular acknowledgement activity. And that would alert somebody if payments went out that were not authorized: hey, we didn’t originate this transfer, why did it come back? The criminals monitored what was going on. They understood the end-to-end process, and they also timed everything to wait until right before a long holiday weekend, when the activity was lower and slower, and they originated transfers of $951 million. So, I mean, it’s less than a billion dollars, but it’s real money. They initiated transfers for $951 million; $101 million left their bank accounts and was sent out through the banking system internationally.
$850 million was blocked because of an anti-money laundering program at the bank. This was the central bank or the New York Fed. It was like, hey, this is not tracking with what’s going on. This looks like it could be money laundering. It triggered a hold and a freeze on the accounts until they could get with the originating entity. The messages for $951 million were sent out; $101 million left. Now, when messages came back for these transfers, confirmation messages, they were deleted. The criminals had created a program: when a message would come back, if it identified a certain code, which the criminals would put in the messaging, like in the OBI field or the messaging field, they put a certain code in there. If that code came back, the program would look for the receipt and delete it before it populated the system, before it sent it out to the originating areas to say, yeah, this wire transfer went out, or this funds transfer occurred. Well, the purpose of that is to buy them time. I hope kids aren’t listening, but you get caught more if you leave the mess and the evidence of your criminality out. You know, being secretive, the criminal needs time to get money out of the banking system. Time is not their friend. They need to expand time. And so how do they do that? They look at, hey, here’s a long weekend. Now there’s a holiday. They’re gonna be short staffed. People are going to be exiting, and so the time to do it is when you’ve got a long weekend, you’ve got a holiday coming up that provides more time. So that’s a natural advantage, and that’s when you want to be very closely monitoring what’s going on. The second area is confirmations and acknowledgments, things that come back that say an action has occurred. That can trigger someone who may not be particularly intellectually curious to say, hey, that’s odd that there’s a $20 million transfer.
We didn’t initiate a $20 million transfer. Did we fund for that? I don’t remember that. Did you do that? That could occur. Maybe people should be monitoring what’s happening to see if it matches what they had originated. There’s a cash positioning aspect of it, there’s an accounting aspect, there’s a daily view monitoring for fraud. Well, this hit it. The criminals were thorough enough and smart enough to understand the process and eliminated that from the view. So $101 million went out and it moved. Most of the money moved to Macau. It came out through casinos and chips and out of the banking system. And since it’s out of the banking system, they never got $81 million back. They did get $20 million back. There’s two reasons for that, and I can give some advice for criminals not to fall prey to these worst-in-class practices of criminals. But it came back. You know, there was a smart banker who was like, this foundation should not have received $20 million. It’s a very small foundation. The criminals again had control of the account and the activity there. And so $20 million went in there, there was an attempt to move it out, and then the banker was like, no, we’re not going to approve that. Something’s wrong, that doesn’t make sense. Like, why would the foundation get in this much money and send it out? And the instructions that came with it had a misspelling. They spelled “foundation” wrong. Now, I don’t know what the criminal’s first language was, but they spelled foundation wrong, and so that creates additional alerts. Misspellings, just like you get those phishing emails, it’s like, that’s really spelled badly. I don’t even consider it serious, because it’s spelled so poorly. This is the case where, when you’re in school and a teacher tells you spelling’s important, you’re like, I’ve got spell check. It doesn’t matter. And then you make a spelling error on your transfer, and the $20 million is stopped.
Maybe it would have been stopped just because of the amount, but the idea that it was stopped heavily because of a spelling error makes you think, what kind of teasing or ribbing do you get? You couldn’t even spell foundation right? And therefore you lost $20 million. So I don’t know what you get for the Scripps Spelling Bee championship if you win, but I don’t think it’s $20 million. So that caused $20 million to be returned, but the $81 million is gone. Those are some of the highlights. There’s a lot in there. You know, it’s easy to say, well, you always want to change your default password on stuff. And I’ll tell you, we have, you know, our cameras that we have in our building. You know, we add more and more cameras and access points within our office. What’s the login information for those? Yeah, it’s admin, download virus. Here’s several of the cameras: when we added onto the rest of the section of the building, we added some more cameras, and they were connected into the system. When we granted our pen test company the right to come in, we granted them access into our network. We didn’t have them sit outside and try to get in, and then if they got in, they could move laterally. We granted them access and permissioned them into the network. And so they could discover cameras. They discovered cameras. And some of the new cameras set up in the new section, you know, had another setting. We hadn’t reset the passwords on those. I mean, that’s embarrassing to say, but that also became another checkpoint: we need to go through regularly and look at those. A pen test, for example, helps discover those things. It probes and finds them, just like your regular reviews, like, oh, I thought I had done that. No, that’s not the case. Let’s fix it before there’s a problem. Granted, all you have access to is to be able to see what was on a camera.
If someone gained access into the company, they could see the hallway. But that’s the same thing that occurred, you know, at this bank: routers and such were at the default password, and if you don’t have vulnerability scanning and penetration testing on a regular basis, you will have lots of those items. You find these issues, and it’s surprising what occurs.
Jonathan Jeffery 12:31
You see that a lot in the videos where they’re exposing those scam companies, where they’ll get into their security system and the video feeds.
Craig Jeffery 12:41
Yeah. So it’s like, okay, you’re scamming people, but you didn’t lock down your security cameras. People kept, whether it was brute force or otherwise, getting into the system, because they left the default password. Like, who would care about what’s on the camera? Who would? Well, you want to lock all that stuff down. That’s not what you want to see. Just like if they had access to your computer camera, and they’re like, I’m going to do something on the computer. I don’t want to do it when you can see the screen go live or something happening, right? If they don’t put it to sleep or freeze it, then someone can act on it when they’re not around, right? The light’s off there. You’re in another room. Yeah.
Jonathan Jeffery 13:18
Interesting. So what actions were taken after this happened?
Craig Jeffery 13:22
Well, there was someone who got to “retire.” We’ll put quotes on that. I know they added processes for things like pen testing. They had to support and comply with the SWIFT Customer Security Programme and the SWIFT security protocols about being part of that network. There was activity to set up, and it wasn’t described as much in the news, but the opportunity to set up a payment rail standard security process that not only supported the SWIFT Customer Security Programme activity, but also made sure they were checking and validating. They added limits on transfers, looked at all that activity, and then updated and confirmed permissions and access for firewalls, routers and systems. So that’s something they moved on quickly, to eliminate doors missing, locks not locked, locks missing.
Jonathan Jeffery 14:21
So aside from actions, what else can we learn from this?
Craig Jeffery 14:24
Yeah, there’s a lot that can be learned from this one. I think one of the key areas of learning is the criminals have a pretty significant playbook. They will attack you to steal money, to steal information, to spoof you into giving money, and they have different ways of going about that, and they’ll be relentless, and every point of exposure is a potential point of failure and point of fraud and criminality. And so our security has to take into account the principle of least privilege, limiting what somebody can get if they gain access to some credentials, but also how you can respond to those situations if, you know, one layer has been compromised. Now you can shut it down. They haven’t compromised two or three layers of security. So I think that’s another key learning point for everybody: we have to know what the criminals are doing. We have to understand how our payment processes work and think like a criminal. How would I compromise this system? What information would I need? How could I delay having this found out? What could I take? Can I move money? Can I provide instructions to move money? Can I monitor and see what the operating method is in the organization, so I can maximize my time to discovery? Right? If I send a $100 million wire out, and two minutes later the company discovers it was bad, they call their bank, it gets frozen. If it’s not moved to another bank and hasn’t moved offshore, they’ll be able to catch it. Even though these things are pretty instant, if you call quickly enough, you can usually stop some of these transfers if it’s almost immediate, especially for large sums. That does not mean you shouldn’t block it on the front end, but the idea is that rapid discovery and rapid follow-up, as opposed to being embarrassed, can put a freeze on these thefts before the money leaves the banking system.
Once your money’s left the banking system, it’s left the country, it’s coming out in the form of casino chips, or however it’s exiting the banking system, you’ve pretty much lost your money. Now, there have been some interesting enforcement actions by US and other Western countries, I think other countries as well, where law enforcement has, you know, found where ransomware has collected significant money, usually in the form of digital currency, and then they put pressure on the digital currency wallet holders to claim the funds that they had taken by theft, and so that puts a damper on the crime, which pays really, really well for the criminals. So those are a few of the key areas. The other one, I know, in the last example we talked about, was adding employee training and testing for payment security. I think that’s extremely crucial, that everyone should be doing cybersecurity training. There are just too many points of exposure for a company. But anyone and everyone involved in the payment process at some point needs to have regular payment security training and testing on their point of exposure. You need to know and understand how your organization can have money stolen, or how you can lose money for them, and have that, you know, drilled into you. And there’s a testing component. You know, we see a strong correlation between those who are trained and those who suffer fewer losses, so they’re more impervious to the attempts, not completely invulnerable, but the level of losses and the number of losses is significantly lower than their non-trained, non-tested counterparts from a payment security perspective.
Jonathan Jeffery 18:13
Well, thanks for sharing all your insights on this payment server and network compromise case.
Craig Jeffery 18:18
Yeah, it was my pleasure.
Announcer 18:22
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.