Imagine that you work in a company, and you are waiting for an invoice from another company that has done a job for you. You have discussed and agreed on a price by e-mail. When the bill arrives, you log into the company’s payment system, use two-factor authentication, and pay the agreed amount. All is well and good.
The problem is that the person you emailed and paid was someone other than the person who did the work. You emailed and paid money to a criminal scammer. The account number you just paid into belongs to the fraudster.
– Yes, it is something along these lines that we have been exposed to, says Pål Nedregotten, director of technology at news.
– This has been such an advanced attack that it is difficult to detect, and it is very serious in terms of society, he says.
Pål Nedregotten is director of technology at news. Photo: NTB
– Cat and mouse play with criminals
So what is it about this attack that is so advanced?
Passwords are often insecure: we use bad passwords like our children’s first names, and we often reuse them. Therefore, in recent years most companies have used what is called two-factor or multi-factor login. This means that you have to go through two or more steps to authenticate – or confirm – your identity. Payment in online banking, for example, now takes place with two-factor login.
– Security and protection of private or business assets is a cat and mouse game with criminal networks. The threat actors are constantly at the forefront of developments, they never give up. NSM sees both internationally and in Norway examples of threat actors getting around multi-factor authentication. Either by exploiting human or technological vulnerabilities, says NSM director Sofie Nystrøm.
Sofie Nystrøm is director of the National Security Authority. Photo: Oda Hveem
Gained access to news employee’s e-mail
So what exactly happened when news was duped for 80,000 euros, over NOK 950,000?
news was waiting for a bill from Iceland’s answer to news, RUV, the state broadcaster on the Saga Island.
– The bill was for the right to show a new season of the Icelandic series “The Minister”, says news’s head of drama Marianne Furevold.
This email is from the fraudster to two employees of news. The fraudster pretends to be an employee of Icelandic broadcasting. The domain name also closely resembles that of the Icelandic broadcaster.
The criminal had gained access to the e-mail of a news employee, and saw that this payment process for drama rights was underway. The fraudster saw that news had to pay a bill of a certain amount. The fraudsters managed to copy the communication and the real bill that news was waiting for. They then replaced the account number of the Icelandic broadcaster with their own account number. news paid the correct amount, but to the wrong account.
– The fraud affected a specific news employee, and the methods used appear to be advanced, says director of technology Pål Nedregotten.
– They have pretended to be someone other than what they are in e-mail exchanges. The e-mail exchange is very reliable. They have taken it upon themselves to be an employee of RUV, Icelandic broadcasting, says Pål Nedregotten.
It was the rights to show the Icelandic series “The Minister” that news had to pay for. Photo: RUV, Icelandic Broadcasting
Have managed to capture the two-factor process
– These attackers are now becoming so advanced that it is very challenging for us, he says.
– We use two-factor or multi-factor authentication when we log in. It’s the most important thing we do to make sure we are who we say we are. In our case, it seems that someone has managed to intercept and trick them into viewing the session where our employee performs a two-factor authentication. This is what worries us, says Nedregotten.
The criminal tricked the news employee into logging in somewhere else, a place where you think you are logging in to do something legitimate. That is not new; what is new here is that the criminal managed to capture the two-factor process, according to news.
– Vulnerability surfaces increase, complexity increases, and the resources used against us are greater, and increase more, than the security work keeps up. That is why all companies and enterprises must make logging into their systems more secure, says Nystrøm in NSM.
She says it is disturbing, but unfortunately it is still the case that many people have far too weak routines linked to weak passwords.
– For ungraded ICT systems, we strongly recommend, as a minimum, following NSM’s basic principles for ICT security, says the director of NSM.
The actual payment was made in September. The criminal probably got into news’s systems in August. news believes that it has not been attacked more than once.
– We are quite sure of that. But it is clear that we have launched a major operation to find out what happened. But we find no signs that there is anything other than this one attack, says Nedregotten.
He emphasizes that the news employee cannot be blamed for this. news does not know whether this was done by a single criminal or a criminal network. The case has been reported to the police and to NSM. news is now initiating measures to reduce risk, but Nedregotten does not want to go into detail about what news is now doing.
– The human factor
NSM believes that multi-factor authentication makes it more difficult for an attacker, but that we must not assume it provides guaranteed protection against attacks.
– We must never forget the human factor. In the violent safety-related developments we are now experiencing, managers have a great responsibility for ensuring personnel safety. The threat actors go after individuals in the businesses.
Therefore, daily safety management is one of the most important things we do. During security month, we have focused on social manipulation. Businesses must spend resources on training to help employees and users to detect manipulation, continues Nystrøm.
news is going public with this to warn other companies about how advanced criminal networks have become.
– Here we are describing a threat that any company can be exposed to, and which most companies would also be deceived by. So this should worry most companies in Norway, says Pål Nedregotten, news’s director of technology.