News spread fast about a recent security breach at Eagle Mountain City that may end up costing taxpayers $1.13 Million Dollars. Limited information about the attack is available. There are a lot of things that could have been done to prevent it.
What We Know
KSL News reported on the breach.
EAGLE MOUNTAIN, Utah– Officials with Eagle Mountain City say they lost $1.3 million to an unknown cyber criminal in August.
Tyler Maffitt, Communications Manager with the city, tells KSL Newsradio’s “Dave and Dujanovic” they became aware of the crime on August 31.
“Within minutes we were on the phone with the Utah County Sheriff’s Office and the Federal Bureau of Investigation,” Maffitt said.
Maffitt said the criminal posed as a vendor the city was working with for an infrastructure project, and set up a money transfer to their account, rather than the actual vendor’s.
“Through communication with the vendor who was supposed to receive the payment…we realized…we were the victim of a cyber crime,” Maffitt said.
Maffitt said the city is now ramping up money transfer policies and are working with the FBI to find out who took the money.
“[Eagle Mountain] is interested in pursuing this to the end and bringing these criminal perpetrators to justice,” Maffitt said.
Luckily, there is no current evidence to believe anyones personal information was compromised. The city said in a statement, “No resident, client or vendor information was compromised in any way as a result of this incident.”
The city is currently working with their insurance company to hopefully get the money reimbursed.
Moffitt said the loss of the money will not delay the infrastructure project in question.
Likely Attack Vector
This is most likely a very common attack called Business Email Compromise. An attacker, through nefarious means gains access to a business email account. This can be from a compromised password they bought off the dark web, or they can simply brute force a password. Accounting emails are frequently targeted for this attack.
Once they gain access to the account, they monitor email. In many cases they have access for months. They see who the person communicates with and how often. They see what vendors they correspond with, and what bills they pay. This knowledge is used to then dupe their victim.
The attacker impersonates a vendor that the city corresponds with frequently. Requesting a payment doesn’t arouse suspicion. It’s common for them to make large payments to this vendor. They let accounting know that their banking information has changed, and they need the deposit sent somewhere else. The trap is set.
How to Stop BEC
It’s frustrating to see this kind of breach happen as an IT guy. There are so many things that could have helped protect them. Here are some things that would have helped.
- Password Policy Enforcement – This one is as old as time. Passwords are like underwear. Change them regularly. Never Share them with anyone. Don’t leave them on your desk. Old, reused, simple passwords are asking for problems.
- Multifactor Authentication on Email – This one is HUGE! Every business should have their email secured with multifactor authentication. In most major email platforms such as Office 365 and Gmail this is a built-in feature that is free. IT can simply turn it on and configure it for your users.
Multifactor authentication is especially effective against BEC attacks because even if the attacker manages to get your password somehow, they still can’t get access without also defeating your MFA. That extra step is difficult enough that many bad actors simply move on to the next target if they find you have MFA enabled.
- Cyber Security End User Training – The people in your organization are often the weakest link for security. This is a difficult problem to solve but offering cyber security awareness training to those users can help raise their security IQ and protect your organization. These programs teach you how to spot a phishing attack and BEC compromise scams like this one.
- Policies and Procedures – This isn’t an IT solution, but it’s critical to your security. Every organization should have a rigorous internal policy around wiring money. There should be internal checks with team members, phone calls to verify with the vendor etc. If there is a change in banking information on either side, there should be a process to verify that as well. This attack could have been defeated with 1 phone call to the vendor to verify.
- Advanced Spam Filtering – Sometimes an email is compromised by an attacker sending an email with a malicious attachment. Once clicked on it executes code on your machine that can do various things like keystroke logging. This allows an attacker to get your password without your knowledge.
Solutions like advanced spam filtering can offer additional protection from this kind of attack. Key features like sandboxing will quarantine any unknown attachment and “detonate” it in a sandbox on the filter. If the attachment is benign, it is allowed be delivered. If it’s malicious it is quarantined and destroyed. This offers overall protection but could block another attack vector for this type of BEC.
- SIEM (Security Information and Event Management) – Another thing that would have helped the city a bunch was to have more visibility into the attack itself. SIEM solutions offer log management, event correlation and analytics, and incident monitoring. Essentially it gives you a much more detailed record of everything that happens on the network.
While this would not have defeated the attackit would have made incident management and cleanup much easier afterwards. It would also give them confidence about whether the attacker has gotten into any of their other systems, or simply email.
I attended a recent conference where one of the speakers was a retired FBI agent that worked in the cyber crimes division for 20+ years. His outlook on crimes like this was bleak. He told us that they very rarely made a collar. TV shows about the FBI being able to track a hacker to their physical location in minutes are nonsense. Its only in very rare cases when any of the defrauded party’s money is recovered.
The city did the right thing by contacting the FBI so they can investigate. However, they shouldn’t expect to get their money back. The odds are low. They also shouldn’t expect the bad guy to get caught.
Will the city be able to recover this enormous loss via a claim on their insurance? I talked with a local insurance expert to get their thoughts. The answer seemed to be that it depends on the specific coverages the city has and the insurance carrier. Essentially, maybe.
“Wire fraud can be covered under a cyber program but with limitations, generally wire fraud is under a Crime policy. But this isn’t wire fraud. They voluntarily separated from the money due to Social Engineering and a Phishing attack. A Social Engineering claim could be covered under a strong cyber program but only up to about $250,000.
I doubt the city’s cyber policy (if they have one) will pay due to the lack of expertise. But a properly structured program would cover this situation, trigger, and pay out full limits.”
It’s important that you work with an insurance company that can build out a risk management program that fits your organizations needs. For the sake of the taxpayers in Eagle Mountain I hope that the city does have coverage, or this bill will likely get passed on to them.
The tragedy here is that this attack is super preventable. There are numerous security solutions that would have help to provide protection. Proper policies and procedure would have blocked this attack as well. Any business or organization that wires money needs to take notes, put the right solutions in place, and train their employees.
In the security world attacks only seem to be escalating year over year. Businesses and organizations that don’t put the proper controls in place are falling farther behind and increase their risk daily. Don’t let something that is easily preventable sink your business. If you have questions about the IT solutions you need to protect your business, i.t.NOW can help. Give us a call today.