Case Study - Phishing Attack

Phishing attack

Client profile

A Bulgarian company operating on world markets. Customer of Geletron for 5 years.

In this case, a representative of the company's "Business Development and Commercial Activity" department was involved. The events take place during the negotiation of an order with a counterparty, a large manufacturer of specific products. The contracting parties have maintained a commercial relationship for years.

The IT problem

During the ongoing communication, a hacker intercepts the email correspondence and starts corresponding with both parties, trying to deceive them. The goal is financial: to obtain the transaction amount of 10,000 euros. The hacker exploits a circumstance of the specific situation: the manufacturer currently does not have the desired quantity of finished product. The manufacturer therefore offers the Bulgarian company, which has already paid for the goods in advance, two options: to deliver as soon as the products are manufactured, or to return the transferred amount. Because of the trust built up over the years between the two parties, the communication is left open for a while, until the next development on either side.

After some time, the Bulgarian company receives an email saying that the goods are now available and the order can be fulfilled. From that point on, the communication runs over 5 emails. The details of the goods are specified, and the financial conditions are changed: a larger amount is required from the Bulgarian company, and the counterparty is required to return the previously transferred money. The messages stress urgency.

At some point, the partners notice differences in the usual spelling of the other party's email. Meanwhile, both parties receive financial documents with altered data. They conduct a telephone conversation and it becomes clear that they did not correspond with each other, but with a third party - an unwanted intermediary who intercepted the conversations of both parties and tried to abuse them. In IT parlance, this is called a man-in-the-middle attack.

The solution

Of course, the Geletron team started with email analysis. We found elements characteristic of phishing attacks: differing email addresses, financial documents with changed payment data, phrases conveying urgency, and emotional messages intended to push each party into irrational actions.
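The three indicators named above can be checked mechanically against what is already on file for a partner. The following is an added example, not Geletron's tooling; the partner record, the urgency word list, the sample IBANs and the message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: what the company has on file for the partner.
KNOWN_PARTNER = {"address": "sales@manufacturer.example",
                 "iban": "DE89370400440532013000"}
URGENCY = ("urgent", "immediately", "today", "without delay")  # assumed word list
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")      # unspaced IBANs only

# Constructed suspicious message: one extra letter in the sender's domain.
SUSPECT = """From: Sales <sales@manufacturrer.example>
To: buyer@company.example
Subject: Order update

The goods are available. Please pay the new amount immediately to
IBAN GB33BUKB20201555555555, the old account is closed.
"""

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def indicators(raw_message, partner=KNOWN_PARTNER):
    """Return the phishing indicators found in one plain-text message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()
    found = []
    if sender != partner["address"]:
        # A near miss of the known address is the "different spelling" case.
        near = edit_distance(sender, partner["address"]) <= 2
        found.append(f"{'lookalike' if near else 'unknown'} sender address: {sender}")
    for iban in sorted(set(IBAN_RE.findall(body)) - {partner["iban"]}):
        found.append(f"payment details differ from record: {iban}")
    hits = [w for w in URGENCY if w in body.lower()]
    if hits:
        found.append("urgency wording: " + ", ".join(hits))
    return found

if __name__ == "__main__":
    for line in indicators(SUSPECT):
        print(line)
```

Any hit on the payment-details check is a reason to confirm by phone, using a number already on file, before money moves.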

It was important for us to try to establish from which side the breach occurred so that we would know exactly what to do. Subsequently, it turned out to be from the manufacturer - the email of the employee involved in the communication was hacked.

On a technical level, we did an audit: we reviewed all the logs on the server itself to see whether the mail had been accessed from untrusted IP addresses or from foreign countries. We talked to the company employee who was directly involved in the communication, because in such an investigation every detail is important: whether there was suspicious behavior on the computer, whether there were calls that could amount to social engineering. We thoroughly reviewed the employee's computer: processes, settings, parameters. In such a case, it is crucial to determine whether spyware is present, that is, whether the computer has been compromised in a way that gives access to the email communication, and whether the passwords for the mailboxes and the computer have been compromised.

We made sure that there was no breach at the server level or on the computer. We received the green light from management to act on 2 levels: protection in the specific situation and prevention.
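The log review described above, checking mailbox sign-ins against trusted networks and expected countries, can be sketched as follows. This is an added example, not Geletron's tooling; the CSV column layout, the trusted ranges, the country list and the sample records are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions: office/VPN ranges and the countries staff normally sign in from.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("203.0.113.0/24", "198.51.100.16/28")]
EXPECTED_COUNTRIES = {"BG"}

# Constructed sign-in export; "XX" is a placeholder country code.
SIGNINS = """time,user,ip,country,result
2024-03-04T08:12:10Z,employee@company.example,203.0.113.25,BG,success
2024-03-04T23:41:02Z,employee@company.example,192.0.2.77,XX,success
2024-03-05T09:02:44Z,employee@company.example,198.51.100.20,BG,success
2024-03-05T09:30:00Z,colleague@company.example,192.0.2.140,BG,failure
2024-03-05T09:31:00Z,colleague@company.example,not-an-ip,BG,success
"""

def audit(csv_text):
    """Group sign-ins from untrusted IPs or unexpected countries by mailbox."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        try:
            ip = ipaddress.ip_address(row["ip"])
            if not any(ip in net for net in TRUSTED_NETS):
                reasons.append("untrusted IP")
        except ValueError:
            # A malformed address is itself worth a look; never skip the row.
            reasons.append("unparseable IP")
        if row["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        if reasons:
            findings[row["user"]].append(
                (row["time"], row["ip"], row["result"], reasons))
    return dict(findings)

def successful_suspicious(findings):
    """Mailboxes with at least one flagged sign-in that actually succeeded."""
    return sorted(user for user, rows in findings.items()
                  if any(result == "success" for _, _, result, _ in rows))

if __name__ == "__main__":
    for user, rows in audit(SIGNINS).items():
        for time, ip, result, reasons in rows:
            print(user, time, ip, result, "; ".join(reasons))
```

Flagged sign-ins that succeeded are the ones to investigate first; flagged failures show probing but not access.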

In terms of security, we went through all the systems, servers, network devices, as well as each employee's computer, helping to change passwords and settings. This took us quite a while, but it was definitely worth it as we got a full understanding of the problem from the entire company team.

Our client was using Microsoft 365 and Microsoft's Exchange email server, and we enabled the highest login protections for mail: multi-step verification with an SMS sent to the employee's phone.

We prepared a security policy and rules to raise the level of digital culture of employees and make them informed, responsible and motivated to comply with the new requirements. We described specific steps for each action, for current, new and departing employees, so that there are no prerequisites for compromising IT security: from the selection and storage of passwords to the introduction of a separate guest internet network, which people can connect to from their personal devices and which has no access to corporate servers and systems. Twice a year we also organize trainings for all employees in the company to familiarize them with security innovations.

Things of life

The Geletron team has many years of experience in the construction, maintenance and management of IT systems. For us, each solution is not just a sequence of technical steps, but a carefully selected mix of services that will meet the needs of the specific client in the future.

From our everyday and very diverse work, we have chosen to present a series of iconic cases, so that you can better imagine what "IT solutions" are. If you recognize yourself in these lines, then it is time for a positive change. We are at your disposal to do it together.
