Hacking operation targeting UAE firms unmasked
Torrid Networks reveals details of attack targeting large trading firm based in Dubai
Torrid Networks, a cyber security consulting firm, has revealed details of a recent cyber-attack investigation performed for a large trading firm based out of Dubai.
In making the results of this investigation known, Torrid said that it hopes the information will be helpful to other businesses by getting them more prepared to thwart the rising threats.
In this particular case, email communication between the trading company’s accounts department and their suppliers was frequently being hijacked, with the attacker attempting to convince the company to transfer invoiced funds to a foreign bank account. The case initially appeared to be a targeted attack by a disgruntled former employee or business rival, as the emails were commercial in nature. As the investigation moved on, however, it became apparent this was the work of a professional cybercriminal.
“Such cases are now frequently being observed in the region where businesses are hacked and then convinced by the attacker to transfer funds to some foreign bank account with no hope of getting their money back”, said Syed Ibrahim Anwar, vice president MENA – Cyber Security Practices at Torrid Networks.
During the investigation it was observed that the hacker initially lured the company’s accounts department into executing the malware, which was sent as an email attachment packed in an .ace archive, a compressed file format comparable to the ones handled by WinZip. The email was sent from a spoofed address - firstname.lastname@example.org - with convincing-looking content aimed at the accounts department. On execution, the malware silently installed itself on the targeted system, stealthily recording user keystrokes and system screenshots and later uploading the recorded data to the hacker as email messages every half hour.
Interestingly, the malware bypassed all of the security mechanisms in place, including the locally running antivirus and the other security controls deployed in the network. The hacker monitored email communication between the company and its buyers and suppliers in order to gain business knowledge. Whenever an invoice arrived in the accounts department’s mailbox, the attacker would promptly send a follow-up email within a few minutes from a similar-looking but spoofed email address, containing modified bank information and a convincing note asking the trading firm to transfer the invoiced funds to the foreign bank account mentioned.
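The pattern described above (an .ace attachment, a lookalike sender domain, and a "new bank details" follow-up arriving minutes after a genuine invoice) is one a mail gateway or SIEM can flag mechanically. The script below is an added example written for this page; it is not code from the article or from Torrid Networks. All messages, domains and the `supplier-co.example` supplier list are constructed, and the 15-minute window and edit-distance threshold of 2 are illustrative tuning values, not figures from the investigation.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Message:
    """One inbound mail as a gateway or SIEM would see it (fields constructed for this example)."""
    sender: str
    subject: str
    body: str
    received: datetime
    attachments: list = field(default_factory=list)


# The article's attacker used .ace; the other archive wrappers are commonly used the same way.
RISKY_ARCHIVE_EXTENSIONS = (".ace", ".rar", ".7z", ".zip")

# Wording that typically accompanies a fraudulent "we changed our bank" follow-up.
BANK_CHANGE_RE = re.compile(
    r"\b(new|updated|changed|revised)\b.{0,40}\b(bank|account|iban|swift|beneficiary)\b",
    re.IGNORECASE | re.DOTALL,
)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a small value between two domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted_domains, max_distance: int = 2) -> bool:
    """True when the domain is not a trusted one but sits within a couple of edits of one."""
    if domain in trusted_domains:
        return False
    return any(edit_distance(domain, t) <= max_distance for t in trusted_domains)


def triage(messages, trusted_domains, window=timedelta(minutes=15)):
    """Return {index: [flags]} for messages matching the BEC pattern; messages are in arrival order."""
    trusted = {d.lower() for d in trusted_domains}
    findings = {}
    for idx, msg in enumerate(messages):
        flags = []
        sender_domain = domain_of(msg.sender)

        # 1. Archive attachment of a type the gateway should not be passing to finance staff.
        if any(a.lower().endswith(RISKY_ARCHIVE_EXTENSIONS) for a in msg.attachments):
            flags.append("risky_archive_attachment")

        # 2. Sender domain that is almost, but not quite, a known supplier domain.
        if is_lookalike(sender_domain, trusted):
            flags.append("lookalike_sender")

        # 3. Bank-change wording, escalated if it closely follows a genuine supplier invoice.
        if BANK_CHANGE_RE.search(msg.subject + "\n" + msg.body):
            recent_invoice = any(
                "invoice" in earlier.subject.lower()
                and domain_of(earlier.sender) in trusted
                and timedelta(0) <= msg.received - earlier.received <= window
                for earlier in messages[:idx]
            )
            flags.append("bank_change_followup" if recent_invoice else "bank_change_request")

        if flags:
            findings[idx] = flags
    return findings


# --- constructed sample traffic: no real addresses, domains or invoice numbers ---
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_MESSAGES = [
    Message("ap@supplier-co.example", "Invoice 4471",
            "Please find attached invoice 4471.", T0, ["invoice-4471.pdf"]),
    Message("ap@supp1ier-co.example", "RE: Invoice 4471 - updated bank details",
            "Kindly note our new bank account for this payment: <IBAN placeholder>.",
            T0 + timedelta(minutes=4)),
    Message("hr@randomsender.example", "Scanned document", "See attached.",
            T0 + timedelta(hours=1), ["scan.ace"]),
    Message("ap@supplier-co.example", "Invoice 4471 reminder",
            "Reminder: invoice 4471 is due next week.", T0 + timedelta(days=1)),
]
TRUSTED_SUPPLIER_DOMAINS = {"supplier-co.example"}


def demo():
    return triage(SAMPLE_MESSAGES, TRUSTED_SUPPLIER_DOMAINS)


if __name__ == "__main__":
    for idx, flags in demo().items():
        print(idx, SAMPLE_MESSAGES[idx].sender, flags)
```

Running it flags the second message twice (lookalike domain plus a bank change four minutes after a real invoice) and the third once for the .ace attachment, while the two genuine supplier mails pass clean. In practice the trusted-domain list would come from the vendor master file, and a `bank_change_followup` hit is the one to route to a human callback on a known-good phone number rather than to the mailbox that received it.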
The investigation also traced the malware uploading the recorded data as emails to a private mail server hosted with GoDaddy, a well-known web hosting company. Torrid was further able to decipher the passwords being used by the malware for uploading the recorded data as email messages. The decoded password helped the investigation gain complete access to the information in possession of the hacker, leading to more revelations.
The investigation concluded that the hacker was specifically targeting businesses established within the UAE, and that most of his targets were the finance departments of various companies.
“Fortunately, the targeted company in this case got warned well ahead of time and engaged us before any business loss could take place,” said Dhruv Soi, founder of Torrid Networks.
“It was scary to see so many netbanking passwords, tally screenshots, confidential emails and what not. Looking at the plethora of information, we are certain that many businesses or individuals targeted by this hacker would have lost their hard-earned money.”
There have been repeated warnings by local authorities to businesses about the modus operandi of cyber criminals against UAE targets, but the reaction from organisations seems tepid, at best, Torrid said.
Anwar cited a past media interview with Colonel Dr Rashid Borshid, director of the Criminal Investigation Department (CID) in Abu Dhabi, commenting on cybercrime: “Online criminals are hacking into company email accounts to discover when financial claims are due. Attackers then set up fake email accounts in order to lure companies into revealing their bank details and other confidential financial information.”
The assertion by Colonel Borshid was as relevant when he made it as it is now, Anwar said, noting that relevant measures are yet to be applied by local companies to secure their commercial activities online.
Businesses in the region should gear up on cyber security before they end up losing funds or confidential data to hackers, Soi warned.
“As we speak, the hacker is still active and so is his malware. We have uploaded a detailed technical case study on this incident on our website along with the hacker’s domain names, IP addresses and a malware sample, information that could be helpful to others,” says Anwar.